Data Breach Plaintiffs Continue to Face Article III Standing Challenges

Standing remains a high hurdle for individuals whose personal information is compromised as a result of a data breach but who cannot establish that the stolen information was actually used improperly. Class action claims against CareFirst Blue Cross Blue Shield related to a 2014 breach were dismissed last week by D.C. District Court Judge Christopher R. Cooper, who found that they failed to meet Article III’s standing requirement. This ruling comes two months after a similar ruling by a Maryland district court judge in class action claims related to the same CareFirst breach.

Judge Cooper’s decision does underscore the need to show harmful misuse of data to establish standing, but his opinion also raises the possibility that the type of information stolen may be important to determining the plausibility of alleged harm.

In the CareFirst breach, customers’ names, birthdates, email addresses, and subscriber numbers were compromised, but no social security numbers or credit card information. In his rejection of plaintiffs’ claims of injury, Judge Cooper specifically referenced the type of information that had been stolen in several instances. It is fair to ask: had either the social security numbers or credit card information of this plaintiff group been implicated, might the judge have seen a more plausible imminent harm?

Broadly speaking, Article III standing requires a plaintiff to show injury-in-fact, causation and redressability, and the alleged injury must be particularized, concrete or imminent. In the context of a class action, each named plaintiff must establish that he or she was personally injured.

The CareFirst plaintiffs’ class action complaint alleged various violations of state laws and breach of legal duties associated with protecting personal information. The claimed injuries included, inter alia, (1) an increased risk of identity theft; (2) identity theft in the form of tax fraud; (3) economic harm through having to purchase credit-monitoring services; (4) economic harm through overpayment for insurance coverage; and (5) loss of intrinsic value of their personal information.

The district court found each claim without merit. Plaintiffs could not show how a hacker could steal their identities without their social security numbers or credit card numbers; could not claim the purchase of credit card monitoring services as an injury since that constitutes a “self-inflicted” harm; could not substantiate their claim that some portion of their insurance premiums are now allocated to paying for security measures; and could not show their personal information had been “devalued.”

With respect to the tax fraud claim, two named plaintiffs alleged that they suffered injury-in-fact because they had not yet received an expected tax refund. The court, however, found that the plaintiffs failed to show that their alleged injury was “fairly traceable” to the breach or how such tax refund fraud could have been carried out without their social security numbers and credit card information.

About The Authors

Matt has counseled clients on the evaluation of data privacy risks, responses and solutions, and he serves as a breach coach, providing analysis and advice to address data breach events, including forensics, notification pursuant to federal and state laws, credit monitoring, and public relations issues. In addition to breach response, Matt has counseled insurers on the underwriting of cyber/tech policies.

About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration, it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.