Last week the United States Supreme Court denied certiorari in CareFirst, Inc. v. Attias, No. 17-241. The denial of certiorari leaves in place the D.C. Circuit’s August 1, 2017 decision, which found that victims of the 2014 CareFirst Data Breach had standing to sue the company for the increased risk of harm associated with the disclosure of their private information.
The D.C. Circuit separately analyzed two types of information that Plaintiffs alleged CareFirst collected and failed to adequately secure: (1) financial information, which included social security numbers and credit card numbers; and (2) other private information, which included the combination of members’ names, birth dates, email addresses and subscriber identification numbers. The Circuit Court found that the disclosure of both types of information independently created a substantial risk of future harm sufficient to satisfy Article III standing.
With regard to the financial information, the court noted: “The complaint…plausibly alleges that the CareFirst data breach exposed customers’ social security and credit card numbers. CareFirst does not seriously dispute that plaintiffs would face a substantial risk of identity theft if their social security and credit card numbers were accessed by a network intruder, and, drawing on ‘experience and common sense,’ we agree.”
With regard to whether the disclosure of a combination of members’ names, birth dates, email addresses and subscriber identification numbers created a material risk of identity theft, the court also found that Article III was satisfied. The Circuit Court noted: “This allegation of risk based solely on theft of health insurance subscriber ID numbers is plausible when taken in conjunction with the complaint’s description of a form of ‘medical identity theft’ in which a fraudster impersonates the victim and obtains medical services in her name. That sort of fraud leads to ‘inaccurate entries in [victims’] medical records’ and ‘can potentially cause victims to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs.’ These portions of the complaint would make up, at the very least, a plausible allegation that plaintiffs face a substantial risk of identity fraud, even if their social security numbers were never exposed to the data thief.”
The D.C. Circuit’s ruling is important because it recognizes that companies that fail to secure customers’ information and subsequently suffer a data breach have created a significant risk of future harm for their customers. Those customers must therefore be permitted to present claims for compensation arising out of the increased risk of future harm caused by the company’s negligence.