With data breaches now a daily occurrence for businesses large and small, there’s a good chance that at least some of your information has been compromised by cybercriminals at some point. But should you be able to sue a company for failing to keep your data safe when the stolen information hasn’t (yet) been misused?
Back in 2015, health insurance provider CareFirst revealed that more than 1 million customer accounts had been accessed by hackers for nearly a year. While the attack compromised a range of customer info — including names, dates of birth, email addresses and member identification numbers — it did not give the attackers access to the most sensitive data like payment account information or medical records.
Even though their purloined data had apparently not yet been exploited, several CareFirst customers sued the insurer in 2015 [PDF], alleging breach of contract, negligence, fraud, unjust enrichment, and multiple violations of specific Virginia and D.C. consumer protection statutes.
But in Aug. 2016, a federal judge in D.C. dismissed the lawsuit [PDF], ruling that the CareFirst customers had not shown there was a substantial risk that their stolen data would be exploited.
“[M]erely having one’s personal information stolen in a data breach is insufficient to establish standing to sue the entity from whom the information was taken,” explained D.C. District Court Judge Christopher Cooper.
Today, the Court of Appeals for the D.C. Circuit overturned that ruling, saying that Judge Cooper had given “an unduly narrow reading” to the CareFirst customers’ complaint, and that he incorrectly dismissed the case at a stage when the plaintiffs only needed to demonstrate that their allegations are plausible.
The lower court had concluded that the plaintiffs had not shown sufficient “injury in fact” resulting from the CareFirst data breach. Two of the plaintiffs have claimed that their tax return went missing, but Judge Cooper felt that it was too far of a logical leap to connect that incident with the stolen data. If the CareFirst breach did not include Social Security numbers, how could data thieves have obtained tax refunds that require the use of a Social Security number, asked the judge.
However, the three-judge appeals panel found that Cooper based his conclusion on the incorrect premise that the plaintiffs had not alleged the theft of Social Security or credit card numbers in the data breach.
The appeals court notes that the plaintiffs alleged that the stolen data exposed “all of the information wrongdoers need” to “open new financial accounts,” “incur charges in another person’s name,” and commit other financial misdeeds. Additionally, the plaintiffs had explicitly included “patient credit card… and social security numbers” in their description of the sensitive information stored on the CareFirst servers. That doesn’t necessarily mean this info was stolen; it means only that the plaintiffs did indeed allege it had been compromised, contrary to Judge Cooper’s conclusion.
Separately, the plaintiffs allege that while birth dates, email addresses, names, and CareFirst account numbers might each be of little use to an ID thief on their own, the combination of these pieces of data “creates a material risk of identity theft.”
The appeals panel found that this allegation was also plausible, agreeing that there is the possibility this data could open the door to “medical identity theft.” That’s when someone uses your insurance account info to illegally obtain medical care.
But wouldn’t the only one harmed in that case be the insurance company that pays for a doctor’s visit for an impersonator? Not necessarily, says the appeals court, which said the plaintiffs had plausibly alleged that medical ID theft could harm the genuine account holder by injecting inaccuracies into their health records that could possibly make them ineligible for life insurance, or even disqualify them from certain types of employment.
This sort of possible harm does not rely, in any way, on the ID thieves stealing Social Security or credit card numbers, notes the panel.
In response to the plaintiffs’ appeal, CareFirst had argued that if anything bad happened as a result of the data breach, the thieves, and not the insurance company, would be the cause of that misuse. The appeals panel was not bowled over by this claim.
“It is of course true that the thief would be the most immediate cause of plaintiffs’ injuries, should they occur, and that CareFirst’s failure to secure its customers’ data would be one step removed in the causal chain,” explains the ruling, which goes on to clarify that the law doesn’t require that CareFirst is the “most immediate cause, or even a proximate cause, of the plaintiffs’ injuries; it requires only that those injuries be ‘fairly traceable’” to CareFirst.
This question of liability for potential harm is still a matter for some debate. In 2013, the Supreme Court ruled in Clapper v. Amnesty International [PDF] that the human rights organization lacked legal standing to challenge the federal government’s surveillance authority because the potential harm done to Amnesty International was purely speculative, or in the words of Justice Samuel Alito, “based on their fears of hypothetical future harm that is not certainly impending.”
The D.C. appeals panel in the insurance data breach case found that the risk posed by the CareFirst breach is “much more substantial” than that theorized in Clapper, since “an unauthorized party has already accessed personally identifying data on CareFirst’s servers.”
Why, asks the court, would someone break into CareFirst’s servers and steal account information for more than a million customers? It answers that a “substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken.”
And so the lawsuit has been remanded to the District Court for further consideration. As the case moves forward, the plaintiffs’ allegations will face increasing scrutiny from the court, so it’s entirely possible that the matter will be dismissed again before ever coming to trial or settlement.
A similar lawsuit filed against CareFirst in federal court in Maryland was also dismissed at the District Court level for lack of standing. That decision was appealed to the Fourth Circuit Court of Appeals, but quickly dropped by both parties.
When reached by Consumerist, a rep for CareFirst declined to comment on today’s ruling.
(Updated to include CareFirst statement, or lack thereof.)