The latest development in how American courts will handle the standing question for data breach class actions came last week when the U.S. District Court for the District of Columbia dismissed for lack of standing a putative class action related to the CareFirst BlueCross BlueShield data breach.

The court's reasoning in dismissing the claims is yet another step in defining which data breaches are actionable—a significant question in an environment where every major breach seems to give rise to a class action lawsuit. In keeping with the current trend among federal courts, the court in CareFirst found that data breach plaintiffs cannot bring lawsuits without evidence that sensitive data has been—or will be—misused in a harmful manner.

Simply having your personal information stolen in a data breach isn’t enough.

The case arose out of a June 2014 data breach in which hackers compromised the personal information of more than a million policyholders of the health insurer CareFirst. The information included policyholders' names, birth dates, email addresses, and subscriber identification numbers. But what’s notable is the data the breach did not include: more sensitive information such as Social Security and credit card numbers.

Seven people brought a class action alleging that CareFirst violated various state laws and common law duties by failing to safeguard the information. Two of the plaintiffs claimed to be victims of identity theft. The other five did not. CareFirst moved to dismiss for lack of standing on the grounds that the complaint did not adequately allege injury.

The court granted CareFirst's motion and dismissed the complaint without prejudice.

In deciding the validity of the case brought by the five people who did not claim identity theft, the court applied the standard articulated by the U.S. Supreme Court in Clapper v. Amnesty Int'l USA, under which a threatened injury must be "certainly impending" for a suit to have merit. It rejected the plaintiffs' argument that the "certainly impending" standard had been met simply because the hackers breached CareFirst's server in order to access data and misuse it. It also held that the argument was too speculative to satisfy Clapper because it required the court to assume that the hackers had the ability to read and understand plaintiffs' personal information, the intent to commit future crimes by misusing it, and the ability to do so. Most important, the alleged injury was particularly speculative because the plaintiffs had not suggested—let alone demonstrated—how the hackers could steal their identities without access to their Social Security or credit card numbers.

In dismissing the cases of the two plaintiffs who did claim identity theft, the court held that their alleged injury was not "fairly traceable" to the CareFirst breach. The two plaintiffs claimed to be victims of tax-refund fraud because they had not yet received their expected tax refunds. The court found that it was unlikely that the tax-refund fraud could have been conducted without the plaintiffs' Social Security numbers and was therefore not "fairly traceable." The court also rejected the plaintiffs' arguments that they had suffered economic harm because they had to purchase credit-monitoring services and overpay for insurance coverage.

Finally, the court rejected plaintiffs' argument that the D.C. Consumer Protection Procedures Act could confer standing on its own. In doing so, the court relied on the recent Supreme Court decision in Spokeo, Inc. v. Robins, which held that Congress cannot erase Article III's standing requirements by statutorily granting the right to sue to a plaintiff who would not otherwise have standing. In applying this holding, the court held that—even if plaintiffs' rights under the D.C. Consumer Protection Procedures Act had been violated—they did not have standing to press their claims because they had not adequately alleged a concrete harm.

Cases like CareFirst help define the landscape for data breach lawsuits. The requirement that plaintiffs must show that actual harm could have arisen from the theft of information is a significant development—and one that should bring some measure of relief to companies tasked with storing vast quantities of consumer data.

Ballard Spahr's Privacy and Data Security Group provides a full range of counseling, transactional, regulatory, investigative, and litigation services across industry sectors. Our cross-disciplinary team of attorneys helps clients around the world mitigate cyber risk, investigate, and respond to cyber incidents, and navigate post-incident enforcement, compliance, and litigation risk.

Ballard Spahr's Health Care Group provides counsel on regulatory, compliance, transactional, financing, benefits and compensation, and labor and employment matters. Our HIPAA/HITECH team represents health care providers, health plans, and business associates in implementing HIPAA/HITECH compliance programs, undertaking data security assessments, preparing breach response plans, conducting breach assessments and notifications, and advising on the use of data for research, marketing, and other purposes.

Copyright © 2016 by Ballard Spahr LLP.
(No claim to original U.S. government material.)
