Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations
Supreme Court Won't Review CareFirst Data Breach CaseCase Now Heads Back to Lower Court for Potential Trial
The U.S. Supreme Court has declined to review a data breach case that would have been the first of its kind to be reviewed by the high court.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The class action lawsuit against CareFirst Blue Cross Blue Shield is now headed back to a Washington federal trial court.
On Tuesday, the Supreme Court "denied certiorari" in the CareFirst vs. Attitas case. This means the case goes back to court that dismissed CareFirst's request that the case against the insurer be thrown out, says Troy Giatras of Giatras Law Firm PLLC, one of the attorneys representing plaintiffs in the case. That clears the way for the case, filed on behalf of individuals whose data was breached, to potentially go to trial.
Attorney Jonathan Nace of the law firm Nadel and Nace, which also represents plaintiffs in the case, tells Information Security Media Group: "We don't believe that the Supreme Court needs to spend its time developing unique standing jurisprudence in the data breach field. The fact is that data breaches are happening all the time. The D.C. Circuit's opinion and the Supreme Court's decision to deny cert simply indicate that our courts will permit citizens to hold corporations accountable when they fail to take reasonable precautions to protect our data. When you consider all of the Americans who have had their data exposed, it is important that corporate America understands that if they do not take reasonable steps to protect data, they will be held responsible. "
As far as where the case goes from here, "we are prepared to immediately proceed to discovery and move the case forward," he says.
In October, CareFirst BlueCross BlueShield filed a petition asking the Supreme Court to review the case filed against the health insurer in the wake of a 2014 cyberattack, which involved the hacking of a database that impacted 1.1 million individuals.
CareFirst's petition to the Supreme Court came after the U.S. Court of Appeals for the District of Columbia on Sept. 6 granted CareFirst's request for a "stay" or pause on that court's Aug. 1 ruling allowing plaintiffs in the CareFirst case to proceed with their punitive class action lawsuit against the insurer (see Could CareFirst Data Breach Care Be Headed to Supreme Court?).
That August decision by the appeals court overturned a lower court's dismissal of the case against CareFirst. In its ruling, the appellate court noted that a group of CareFirst health plan members "attributed the breach to the company's carelessness."
The lower district court had dismissed the case for lack of standing, finding the risk of future injury to the plaintiffs too speculative to establish injury in fact.
The appellate court disagreed with the lower court's reasoning: "We conclude that the district court gave the complaint an unduly narrow reading. Plaintiffs have cleared the low bar to establish their standing at the pleading stage. We accordingly reverse."
In its ruling, the appellate court noted that the plaintiffs in the CareFirst lawsuit alleged that the data breach exposed them to a heightened risk of identity theft.
CareFirst asked the high court to examine "whether a plaintiff has Article III standing based on a substantial risk of harm that is not imminent and where the alleged future harm requires speculation about the choices of third-party actors not before the court."
"Article III standing" means a plaintiff has the legal right to initiate a lawsuit if three requirements are met, including the plaintiff has suffered a concrete injury; the injury is fairly traceable to actions of the defendant; and it must be likely - not merely speculative - that the injury will be redressed by a favorable decision.
Interpreting Court Action
Steven Teppler, an attorney at Abbott Law Group, who is not involved in the case, says it appears that by declining to hear the case, the Supreme Court "found it premature to say that there was no injury-in-fact, or imminent injury" to those impacted by the data breach, allowing the appeals court ruling reversing the dismissal by the lower court to stand.
"This is a precedent for other circuit courts," Teppler says.
What's the lesson so far for other organizations that suffer breaches? "Businesses and organizations that hold people's private, sensitive data have the responsibility to take necessary steps to protect it. And there are consequences if that's not done," Giatras says.
CareFirst declined to comment on the Supreme Court's decision.