EPIC has filed a "friend-of-the-court" brief urging a federal appeals court to protect consumers' ability to sue companies that fail to safeguard personal information. A group of consumers sued health insurer Carefirst after the company's faulty security practices allowed hackers to obtain the personal information of 1,100,000 customers. A lower court wrongly dismissed the case because the judge believed that consumers must suffer identity theft before a court can consider violations of legal obligations. In the amicus brief, EPIC explained that the court misunderstood the relevant law, and confused the legal responsibility of companies to maintain good security with the harms that consumers eventually suffer. EPIC said courts should focus on whether companies have breached a legal obligation to safeguard personal data. EPIC regularly files briefs defending consumer privacy.