Data Breach Class Action Reinstated

Tedrick Housh, III
Lathrop GPM
Contact
LinkedIn
Facebook
X
Send
Embed

Must plaintiffs allege actual identity theft from a data breach to avoid dismissal of their class action lawsuit? No, according to yesterday’s opinion from a three-judge panel of the United States Court of Appeals for the District of Columbia Circuit. 
 
In Attias v. CareFirst, Inc., Case No. 16-7108 (DC Cir. Aug. 1, 2017), the DC Circuit reinstated a dismissed class action against a health insurer for its alleged negligence in permitting a 2014 data breach that exposed the personal information of approximately 1.1 million customers. The district court had found the alleged damages too speculative because the customers had not suffered actual identity theft, but merely faced an increased risk. The DC Circuit reversed, holding that the complaint plausibly alleged a substantial risk of “imminent” identity theft that was “fairly traceable” to defendant.
 
The Attias Court was willing to infer damages to support the class action for plaintiffs whose identities remained intact: “Why else would hackers break into a . . . database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” Id. (quoting Remijas v. Neiman Marcus Grp., 794 F.3d 688, 693 (7th Cir. 2015)). The Court rejected a narrower reading of two recent Supreme Court decisions on the “injury in fact” standing requirement, Spokeo v. Robins (2016) and Clapper v. Amnesty International USA (2013).   
 
The net effect of this opinion is more risk for business. In its amicus brief, the US Chamber of Commerce argued that such no-injury lawsuits based on anxiety about speculative future harm impose significant and unjustified costs on businesses. Rather than obtain a dismissal at the outset of expensive class action litigation, companies will be forced to engage in discovery and seek summary judgment on the facts established.
 
In the end, this opinion is another reminder to companies that they must inventory and take reasonable measures to protect personally identifiable information (PII) and protected health information (PHI) that they own or maintain. For example, the Attias complaint alleged that CareFirst failed to properly encrypt some of the data entrusted to its care. Encrypted data is not only less susceptible to a breach, it does not count as PII so as to trigger breach notification under many state statutes. A working Information Security Plan helps a company determine how to best identify and prioritize its data, prevent improper access to its systems and mitigate the risks of a breach.

The opinion may be found here.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Lathrop GPM | Attorney Advertising

Written by:

Lathrop GPM
Lathrop GPM
Contact
more
less

Lathrop GPM on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide