A federal appeals court in Washington, D.C. heard arguments today in a major data breach suit. The faulty security practices of CareFirst, a health insurer, allowed hackers to obtain the personal information of more than 1,100,000 customers. But a lower court dismissed the case because the judge believed that consumers must suffer actual identity theft before filing a lawsuit. EPIC's amicus brief explained that the judge misunderstood the law and confused the harm consumers eventually suffer with the failure of companies to uphold obligations to safeguard the data they choose to collect. The appellate judges today voiced similar doubts about the lower court's decision, suggesting that consumers don't have to wait until their identity is stolen to bring a lawsuit. One judge compared the case to a person putting down her driver's license to rent a Segway, only to have it stolen from the rental company. EPIC regularly files briefs defending the privacy rights of consumers.