Last month, the D.C. Court of Appeals lowered the standing threshold established by Spokeo, holding that the mere allegation of an increased risk of identity theft as a result of a data breach was sufficient to prove standing to claim injury, regardless of whether sensitive information had been compromised.
In Attiass et al. v. CareFirst, plaintiffs claimed injury as a result of a 2014 hack by an unknown intruder of the defendant insurer’s servers, which compromised the names, birth dates, email addresses and subscriber identification numbers of roughly one million policyholders. The District Court granted CareFirst’ motion to dismiss, holding that without allegations that the personal information was actually misused or could be misused, plaintiffs could not establish a concrete, particularized, and/or “actual or imminent” injury, as required by Spokeo.
On August 1, the District of Columbia Court of Appeals reversed the District Court’s decision, looking to Clapper and Neiman Marcus for guidance. The Court found that since the hack was conducted by an unknown person, the risk that it would be used for “ill” was sufficient to establish an “injury in fact.” Additionally, the Court assumed for the standing analysis that plaintiffs could prove CareFirst failed to properly secure its network, and thus their injuries would be “fairly traceable” to CareFirst.
CareFirst adds to the growing number of recent Federal Court decisions holding in favor of data breach plaintiffs alleging risk of future harm as sufficient to establish standing, deepening the circuit split on the issue and increasing the likelihood of review by the US Supreme Court. A link to the full opinion can be found here.
As courts continue to expand consumer rights by lowering the bar to claim cyber injury, costs associated with the typical data breach will see exponential growth. In addition to implementing pre-claim cyber risk mitigation strategies, a robust cyber insurance program with adequate limits and broad protection for network security third-party liability should be a top priority for clients across all industries, especially in the healthcare, retail, and hospitality sectors.
Learn more about comprehensive cybersecurity from Willis Towers Watson.
Gina Macari is an Assistant Vice President and Claims Advocate, providing counsel and claims support to clients for the various Management Liability and Cyber policies placed by the FINEX Practice Group of Willis Towers Watson. She is based in our Chicago office.