Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations
Could CareFirst Data Breach Case Be Headed to Supreme Court?Federal Court Grants Health Plan's Petition to Appeal to High Court
Could the class action lawsuit filed against CareFirst Blue Cross Blue Shield after a 2014 cyberattack impacting 1.1 million individuals be the first data breach case headed to the Supreme Court? A recent ruling by a federal court makes that a possibility.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
The U.S. Court of Appeals for the District of Columbia on Sept. 6 granted CareFirst's request for a "stay" in the same court's ruling last month that revived a class action suit against the health insurer. The "stay" allows CareFirst to file an appeal, asking the Supreme Court to review the case.
In its petition seeking the stay, ClearFirst argued that its case being heard by the Supreme Court is also important for other data breach litigation cases.
"The Supreme Court should ... guide courts in sorting out the claims of truly injured victims of data breaches from those who file class actions without being able to allege that any harm is real or immediate," the CareFirst petition notes.
"The Supreme Court needs to address this area of the law to provide more guidance to federal district and appellate courts, especially given that federal courts have struggled to reach consensus as to when the prospect of future injury resulting from stolen information truly presents a 'substantial risk' of actual harm."
CareFirst did not immediately respond to an Information Security Media Group request for comment on when it plans to file an appeal to the Supreme Court.
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine is among the legal experts who are skeptical that the Supreme Court will agree to hear the case.
"This case definitely has the potential to make it to the Supreme Court, since there is not consensus on this issue among the circuit courts," says Greene, who is not involved in the case. "But it still may be a longshot because of the limited number of cases that the Supreme Court can accept."
Last year, the Spokeo case addressed standing to bring a claim based on whether potential harm is "concrete and particularized," Greene notes. "It did not involve an information security breach, but was closely watched for its impact on information security breach litigation. But the court did not definitively resolve the issue of what constitutes sufficient harm to have standing to sue, so the question in CareFirst and other security breach cases remains."
The stay puts on hold an Aug.1 ruling by the appellate court that allows plaintiffs in the CareFirst case to proceed with their punitive class action lawsuit against the insurer, which had been dismissed in 2016 by the U.S. District Court for the District of Columbia (see Appeals Court Allow CareFirst Breach Class Action Lawsuit to Proceed).
Attorney Steven Teppler of the Abbott Law Group, who is not involved in the case, says CareFirst's effort to file an appeal to the Supreme Court "is a procedural tactic to try and get this issue resolved as soon as possible."
Breaking the Log Jam
The recent Equifax data breach, which affected as many as 143 million individuals, will likely end up in class action litigation, some legal experts predict.
So sooner or later, Supreme Court justices will decide to review a major data breach case "and the log jam will break," Teppler says. Companies experiencing data breaches "can't keep dodging bullets and ruining people's digital image."
The August decision by the appeals court to overturn the lower court's dismissal of the CareFirst case was in itself a significant development in breach cases, legal experts say.
That's because the lower court's dismissal of the lawsuit had followed a common trend in data breach litigation where most courts do not find standing to proceed without concrete, identifiable injury to plaintiffs.
The reversal was noteworthy because it could set precedent for other pending and future data breach cases.