December 5, 2022

Volume XII, Number 339



Can't This Just Be Over? Standing In Cybersecurity Claims

In August, the United States Court of Appeals for the DC Circuit revived a class action lawsuit, holding that the threat of harm from a data breach is enough to satisfy the "injury in fact" standing requirement. Attias v. CareFirst, Inc., 865 F.3d 620 (DC Cir. 2017). The defendant, a group of health care insurers, filed a Petition for Writ of Certiorari to the United States Supreme Court on October 30 of last year. While the Supreme Court is deciding whether to grant the pending Petition, it is worthwhile to briefly review the standing question in the context of protecting your business from liability.

The standing requirement ensures that courts address only actual controversies brought by parties with a personal stake in the outcome. A plaintiff must show that it has suffered an injury in fact that is concrete and particular, is fairly traceable to the actions at issue, and can be redressed by the courts. Increasingly, the plaintiffs' bar has responded to incidents of data breach by bringing class action lawsuits based on a number of state law claims and claiming that an increased threat of identity theft constitutes an injury in fact.

Courts have split on the issue of whether the threat of harm from a data breach is sufficient to impart standing. The question turns on whether the allegations support a claim that the threatened future harm is "certainly impending" or poses a "substantial risk" of occurring. When the reviewing court finds that the risk is not substantial, then it follows that the claim is speculative and should be dismissed.

In fact, this is what the District Court in Attias did, finding that the plaintiffs had not suggested or shown how the hackers could steal their identities without access to social security or credit card numbers. However, the DC Circuit Court of Appeals reversed the District Court’s decision, finding that the complaint had actually alleged that social security numbers and credit card information had been compromised. Moreover, the DC Circuit also found that the breach had exposed the plaintiffs to a risk of medical identity fraud whereby someone impersonates a victim and obtains medical services in their name. Such actions could potentially lead to the depletion of the victim’s insurance or the receipt of improper medical care as a result of inaccurate medical records.

The Court of Appeals also addressed the causation requirement. CareFirst had argued that, because the hackers were unaffiliated with the company, the claimed injuries would not be fairly traceable to it. The court disagreed, remarking that the causation requirement does not require that the defendant be the most immediate cause of the claimed injuries. The court found that, at the preliminary stages of the case, a claim that CareFirst had failed to properly secure the data is sufficient.

If the Supreme Court exercises its discretion and grants CareFirst’s Petition for Writ of Certiorari, it will likely create a clearer blueprint for analyzing standing issues related to incidents of data breach. In the meantime, however, the practical effect of the case law on standing is that any business that suffers a breach involving medical, social security, or credit card information may be faced with a class action lawsuit that will likely survive early legal challenges. Although the plaintiffs must prove the extent of their injuries in order to establish damages at some later point in the suit, the mere fact that there has been a theft of the information is enough to permit plaintiffs to get into court and create expensive litigation for businesses.

(1) Collect only the information that is necessary to operate your business;

(2) Consider outsourcing payment functions to a vendor so that no payment information is maintained;

(3) Provide adequate security protections based on a risk assessment; and

(4) Obtain cyber risk coverage that will cover litigation costs.

© Copyright 2022 Murtha Cullina

National Law Review, Volume VIII, Number 22

About this Author

Michael J. Donnelly, attorney, Murtha Cullina, Connecticut

Michael Donnelly represents both public and private parties in connection with drafting of contracts, bid issues and dispute resolution in a wide variety of construction matters. He recently assisted a successful bidder in defending a challenge to a public bid for the purchase of municipal property, ultimately obtaining a written apology and a six-figure settlement on a vexatious litigation claim arising from the challenge. Michael has represented the owner with respect to contract negotiations for the construction of a 14.6 MW gas powered generator project. His dispute...