Attias v. Carefirst, Inc
This case concerns a proposed class action filed against health insurer Carefirst after policyholder data was breached, including names, birthdates, email addresses, and subscriber identification numbers. At issue is whether plaintiffs must demonstrate actual damages to satisfy the “injury-in-fact” requirement of Article III standing. The trial court dismissed the complaint, finding the plaintiffs failed to demonstrate they suffered an “injury-in-fact” because the risk of future damages was not "certainly impending", any fraud they suffered was not "fairly traceable" to the data breach, and because they haven't alleged "concrete harm." The appeal is pending before the U.S. Court of Appeals for the D.C. Circuit:
- D.C. Circuit Hears Arguments in Data Breach Case: A federal appeals court in Washington, D.C. heard arguments today in a major data breach suit. The faulty security practices of Carefirst, a health insurer, allowed hackers to obtain the personal information of more than 1,100,000 customers. But a lower court dismissed the case because the judge believed that consumers must suffer actual identity theft before before filing a lawsuit. EPIC's amicus brief explained that the judge misunderstood the law and confused the harm consumers eventually suffer with the failure of companies to uphold obligations to safeguard the data they choose to collect. The appellate judges today voiced similar doubts about the lower court's decision, suggesting that consumers don't have to wait until their identity is stolen to bring a lawsuit. One judge compared the case to a person putting down her driver's license to rent a Segway, only to have it stolen from the rental company. EPIC regularly files briefs defending the privacy rights of consumers. (Mar. 31, 2017)
- Yahoo Responds to Senators About Data Breach: Yahoo has responded to a letter from Senators John Thune (R-SD) and Jerry Moran (R-KS) inquiring into data breaches that exposed over a billion user records in 2013 and 2014. Yahoo said in its response that it has notified users affected by the breaches, required users who had not changed their passwords since 2014 to do so, and encouraged all users to review their passwords and security questions. Yahoo's letter also discussed the steps the company has taken to improve its security program. EPIC testified in support of strong data breach notification laws in 2009 and 2011, launched "Data Protection 2016" to make privacy a campaign issue and recently filed an amicus brief to protect the ability of consumer to sue companies that fail to protect their personal information. (Feb. 24, 2017) More top news »
In June 2014, the health insurer CareFirst suffered a data breach that compromised the personal information of some 1.1 million policyholders, including the seven named Plaintiffs. The purloined information included the policyholders’ names, birth dates, email addresses, and subscriber identification numbers. According to CareFirst, more-sensitive data, such as social security and credit card numbers, was not stolen. After CareFirst publicly acknowledged the breach in May 2015, Plaintiffs sued the company and various of its affiliates on behalf of themselves and other policyholders, alleging that CareFirst violated a host of state laws and legal duties by failing to safeguard their personal information. Another set of plaintiffs filed a similar federal class action in Maryland.
Article III of the U.S. Constitution grants the federal courts judicial power over “cases” and “controversies.” In order to show standing, plaintiffs must establish that they have (1) suffered an injury-in-fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) is likely to be redressed by a favorable judicial decision. Injury-in-fact itself requires the plaintiff suffer an invasion of a legally protected interest that is (1) concrete, (2) particularized, and (3) actual or imminent, not conjectural or hypothetical.
EPIC has a long history of advocating for consumers against the risks of identity theft and financial fraud.
In July 2016, EPIC filed an amicus brief in the Eighth Circuit in In re Supervalu Consumer Data Security Breach Litigation, which involved a very similar question as Carefirst. EPIC argued that while courts have routinely conflated injury-in-fact and consequential harm in their analysis of standing, proof of harm is not required under Article III. EPIC also subsequently filed other post-Spokeo amicus briefs addressing Article III standing in privacy cases in the 9th Circuit (Cahen v. Toyota) and the 7th Circuit (Gubala v. Time Warner Cable).
In April 2016, EPIC filed an amicus brief in the Third Circuit case Storm v. Paytime, Inc., which involved a very similar question as Carefirst. EPIC argued that consumers are facing unprecedented threat from data breaches and subsequent misuse of their personal data. Accordingly, now is not the time to be limiting consumers’ options for recourse. EPIC also argued that consequential, downstream harms such as identity theft and financial fraud are irrelevant to whether data breach victims have standing to sue breached companies.
In January 2016, EPIC launched Data Protection 2016, a nonpartisan campaign to make data protection an issue in the 2016 election. The campaign advocates for reduced identity theft and financial fraud and for investigations of the misuse of personal data.
In September 2015, EPIC filed an amicus brief in the Supreme Court case Spokeo v. Robins, which concerns whether courts have jurisdiction to review cases brought based on violations of federal statutory rights. Plaintiff Robins sued Spokeo for violating the Fair Credit Reporting Act by disclosing inaccurate information about him. EPIC filed an amicus brief, advising the Court that now is not the time “to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress.” EPIC highlighted the need for robust privacy and consumer protection laws by demonstrating that “Americans consumers today face an epidemic of privacy harms, including data breaches, identity theft, and financial fraud.” In 2015 alone, data breaches have “exposed more than one hundred and forty million records of personally identifiable information.” And according to the most recent Department of Justice report, “identity theft cost American consumers more than twenty-four billion dollars” in 2012. In May 2016, the Supreme Court concluded that the U.S. Court of Appeals for the Ninth Circuit had failed to analyze whether Robins's allegations were "concrete," and remanded the case to the lower court.
In April 2014, EPIC submitted comments to the White House Office of Science and Technology Policy’s review of Big Data and the Future of Privacy. In its comments, EPIC warned the OSTP about the risks Americans face from the current big data environment, urged the swift enactment of the Consumer Privacy Bill of Rights, and highlighted the need for stronger privacy safeguards.
EPIC has also repeatedly advised legislators about the need to provide strong protections for consumer data. In October 2015, EPIC testified before the Senate Committee on Aging about protecting senior citizens from identity theft. EPIC warned about the growing risk of SSN-related identity theft, a risk magnified by the inclusion of SSNs on Medicare cards. EPIC had previously warned Congress and state legislators about the risks of using SSNs on identity documents. In June 2011, EPIC testified before the House Committee on Energy and Commerce about the SAFE Data Act, a bill intended to protect consumers’ personal information. EPIC emphasized the growing problem of data breaches and the likelihood that problems would get worse as more user data moves to cloud-based services. EPIC criticized the bill for preempting stronger state laws and for not adequately protecting personal information. The bill was not enacted. And in May 2009, EPIC testified before the House Committee on Energy and Commerce about H.R. 2221, the Data Accountability and Trust Act, and H.R. 1319, the Informed P2P User Act. EPIC opposed the preemption of state laws, recommended the use of text messages for breach notices, and suggested that personally identifiable information be broadly defined to include any information that identifies or could identify a particular person. Both bills died in committee.
U.S. Court of Appeals for the D.C. Circuit, No. 16-7108
U.S. District Court for the District of Columbia, No. 15-cv-882
- Suevon Lee, CareFirst Beats Another Data Breach Class Action, Law360 (Aug. 10, 2016)
Share this page:
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.
by Ryan Calo, A. Michael Froomkin,