There are no good outcomes from a breach of an electronic data system. At best, companies dealing in e-commerce technologies face the formidable task, and the resulting cost, of repairs.
In addition to having to fix information technology systems, companies suffering breaches may be increasingly vulnerable to legal action by customers whose personal data was affected. A federal appeals court decision handed down earlier this month underscores the potential legal leverage available to consumers whose electronic records are hacked.
Taken together, the recent decision and similar rulings by other courts “significantly expand the circumstances under which consumers may pursue class actions against companies victimized by hackers who access highly sensitive personal information,” commented Edward McAndrew, a partner at Ballard Spahr.
The case involves the hacking of nearly 1 million customer records maintained by health insurance company CareFirst. The company suffered the attack in July 2014 but only detected the breach in April 2015. The company notified customers in May of 2015. Shortly thereafter, several customers filed a class action suit against CareFirst, attributing the breach to the company’s carelessness, and alleging that customers suffered an increased risk of identity theft as a result of the hack.
Appeal Decision Favors Consumers
CareFirst won the first round. A federal district court dismissed the complaint by ruling that the class action plaintiffs failed to provide adequate support for their claim that the breach caused any substantial harm to customers. The court characterized the assertion of harm as speculative.
However, the U.S. Court of Appeals for the District of Columbia Circuit earlier this month reversed the district court’s decision. The customers had adequately alleged harm, the appeals court said, because the district court had misread the complaint as to the nature of the data involved in the case: the plaintiffs had alleged that personally identifiable information (PII), protected health information (PHI) and “sensitive information” had been hacked.
These categories include Social Security and credit card data, the Chantal Attias v. CareFirst appellate ruling notes.
The appeals court then connected the dots between the type of data involved in the hack and the subsequent potential for identity theft, and determined that the customers had established “plausible” grounds for suffering harm as a result of the breach.
“Nobody doubts that identity theft, should it befall one of these plaintiffs, would constitute a concrete and particularized injury,” appeals court judge Thomas Griffith wrote.
The plaintiffs had established that any harm resulting from the breach would be “fairly traceable” to CareFirst, according to the ruling.
In its submission to the appeals court, CareFirst contended that the customers had failed to show that the “risk of harm is certainly impending or has a substantial risk of occurring.”
CareFirst, through spokesperson Sarah Wolf, declined to comment for this story.
Companies Face Massive Settlements
The impact on e-commerce could be substantial if customers are allowed to file suit against companies that have experienced breaches without sufficiently establishing harm, according to the U.S. Chamber of Commerce. The organization supported CareFirst in the appeals court litigation.
If plaintiffs are permitted to pursue cases like the one against CareFirst, “the Chamber’s members will be mired in lawsuits over breaches that have not caused any actual or imminent harm to the plaintiffs — and yet those cases threaten to extract massive settlements from businesses that were victimized by hackers or thieves,” the Chamber of Commerce argued in an amicus brief.
“We have nothing to add here, so we’ll let the brief speak for itself,” spokesperson Lindsay Bembenek told the E-Commerce Times in response to our query about the decision.
Companies experiencing hacks likely will be unhappy with the results of two other recent cases that reinforce consumers’ rights in situations similar to the CareFirst incident.
The Third Circuit U.S. Court of Appeals earlier this year ruled in favor of the plaintiffs in a suit filed against Horizon Healthcare Services regarding a breach of records, in which the court upheld the assertion of harm. The Seventh Circuit U.S. Court of Appeals in a 2015 case decided in favor of the plaintiffs in a suit against Neiman Marcus, citing grounds similar to those in the CareFirst and Horizon cases.
However, in contrast to the CareFirst and Horizon decisions, the Second Circuit U.S. Court of Appeals this spring ruled against the plaintiff in Whalen v. Michaels Stores, finding that the plaintiff had failed to establish a concrete injury sufficient to bring a suit related to a breach of private data.
Establishing the element of harm or injury is essential for affected customers to achieve legal “standing” for filing suits.
“Ultimately, whether data breach plaintiffs can survive a motion to dismiss for lack of standing will continue to be a key issue. The split in the circuit courts will heighten the cost of litigation for all and increase the potential risk of liability for companies facing class action suits based on allegations of increased risk of identity theft after a data breach,” wrote Sidley Austin attorneys Edward McNicholas and Grady Nye.
The differences among appeals court decisions in such data breach cases could bring the issue before the U.S. Supreme Court.
“I think there is a strong possibility that the Supreme Court will eventually weigh in on how standing doctrine should apply where individuals sue companies that suffer data breaches involving sensitive personal information,” Ballard Spahr’s McAndrew told the E-Commerce Times.
However, the Supreme Court may wait until a variety of associated legal issues play out in lower courts, he said.
In the meantime, commercial companies must be more vigilant than ever — not only regarding technical issues, but also concerning the legal implications associated with data breaches.
Companies Must Up Their Cybersecurity Game
“The D.C. Circuit decision and others like it are likely to lead to an increase in the types and numbers of civil cases filed against organizations that suffer data breaches of personal information. First, and foremost, organizations must develop a track record — provable in a courtroom — of reasonable actions to protect sensitive data from unauthorized access,” McAndrew noted.
Companies need to create and implement a sound cybersecurity program — including appropriate administrative, technical and physical controls and documentation. Then they “must actually follow that program and the policies and procedures that govern it,” he said.
In addition, organizations “must conduct cyberincident response and internal investigations while anticipating litigation,” McAndrew advised.
Litigation invariably examines not only why a breach occurred but also how an organization responded to the incident.
“Not understanding and managing the legal risk related to a cyberincident during the response and investigation phases is one of the biggest mistakes I see organizations of all types make. Too often, incident response activity remains at the information technology and security or compliance levels of organizations, being conducted by individuals with no expertise or experience in how the developing evidence is likely to be used in litigation that follows,” McAndrew pointed out.
“Bringing the lawyers in later does not work,” he said. “Unless lawyers are helping to lead cyberincident responses, the die of liability will likely be cast well before the incident response process ends.”