In a win for third-party victims of a cyber security attack, the United States Court of Appeals, District of Columbia reversed a lower court’s decision dismissing a class-action suit against their health insurer for breach of contract, negligence, and violation of various state consumer-protection statutes, after their personal information was stolen during a data breach.1

In June of 2014, health insurer CareFirst’s network was hit with a cyber attack, resulting in the unauthorized disclosure of thousands of customers’ names, addresses, subscriber ID numbers, credit card numbers, social security numbers, birthdates, and email addresses. Plaintiffs whose information was disclosed filed a class action lawsuit against CareFirst. The district court dismissed the case for lack of Article III standing because plaintiffs did not allege a present injury or a high enough likelihood of future injury, stating that the increased risk of future identity theft was too speculative.2

The district court found missing the requirement that the plaintiffs’ injury be “actual or imminent.” The appellate court stated that the principal question is whether the plaintiffs have plausibly alleged a risk of future injury that is substantial enough to create Article III standing. In agreeing the plaintiffs had met that burden, the court noted (via footnote) that two of the plaintiffs alleged they had already suffered identity theft as a result of the breach when their anticipated tax refund had gone missing.

The court went on to say that the Class Action Complaint was sufficient at the pleading stage because CareFirst stored sensitive information like credit card numbers and social security numbers, which were disclosed in the breach, and CareFirst customers were placed at a high risk of financial fraud. The appellate court concluded that use of stolen data was not too speculative because the hacker had already accessed the data and is likely “to use that data for ill.”3

Do you have adequate cyber insurance for your business? If not, you could incur devastating costs trying to clean up your business after an attack.

I leave you with a quote from former General Douglas MacArthur which may be the moto for every hacker: “[t]here is no security on this earth, only opportunity.”
1 Attias, et al. v. CareFirst Inc., No 16-7108 (D.C. Cir. Aug. 1, 2017).
2 Attias, et al. v. CareFirst Inc., No. 15-cv-0882 (D.D.C. Aug. 10, 2016).
3 The Court of Appeals has stayed its decision while CareFirst petitions the United States Supreme Court to review the D.C. Circuit’s decision. We will keep you advised as this case proceeds.