Amicus Briefs
Attias v. CareFirst, Inc.
US Court of Appeals for the DC Circuit
Summary
This case concerns a proposed class action filed against health insurer CareFirst after policyholder data was breached, including names, birthdates, email addresses, and subscriber identification numbers. The trial court initially dismissed the complaint for lack of Article III standing, but the D.C. Circuit found on appeal that the Plaintiffs had standing based on the substantial risk of future injury caused by the data breach. On remand, the trial court concluded that the Plaintiffs failed to adequately allege damages and dismissed all but two of their claims. The court held that the risk of future misuse of personal information, the loss of the “benefit of the bargain” through receipt of insurance services devoid of privacy, reasonable mitigation expenditures incurred to prevent future identity theft, and emotional distress did not constitute “actual damages” as required for the plaintiffs’ tort, contract, and state law claims. The Plaintiffs then filed an appeal and the case is now pending in the D.C. Circuit.
Background
Factual History
In June 2014, the health insurer CareFirst suffered a data breach that compromised the personal information of some 1.1 million policyholders, including the seven named Plaintiffs. The purloined information included the policyholders’ names, birth dates, email addresses, and subscriber identification numbers. According to CareFirst, more-sensitive data, such as social security and credit card numbers, was not stolen. After CareFirst publicly acknowledged the breach in May 2015, Plaintiffs sued the company and various of its affiliates on behalf of themselves and other policyholders, alleging that CareFirst violated a host of state laws and legal duties by failing to safeguard their personal information. Another set of plaintiffs filed a similar federal class action in Maryland.
Legal Background – Article III Standing
Article III of the U.S. Constitution grants the federal courts judicial power over “cases” and “controversies.” In order to show standing, plaintiffs must establish that they have (1) suffered an injury-in-fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) is likely to be redressed by a favorable judicial decision. An injury-in-fact is an invasion of a legally protected interest that is (1) concrete, (2) particularized, and (3) actual or imminent, not conjectural or hypothetical.
Legal Background – Failure to State a Claim
In order to survive a 12(b)(6) motion to dismiss for failure to state a claim, a complaint must contain “sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” The majority of Plaintiffs’ claims in this case require a pleading of actual damages. Courts continue to struggle with how to calculate damages in data breach cases, but major theories of data breach damages include the increased risk of identity theft, loss of the value of under contract (the “benefit of the bargain”), expenses reasonably incurred to mitigate future identity theft (e.g. fraud monitoring, credit freezes, and credit repair services), emotional distress, loss of the value of personal information, and compensatory damages for identity theft or financial fraud.
Also at issue in this case is whether or not an insurer owes its customers a duty to reasonably safeguard private information beyond the parties’ contractual relationship. This duty has been recognized in courts under theories including the affirmative duty to refrain from causing others harm, the foreseeability of harm, and the nature of the parties’ relationship.
EPIC’s Interest
EPIC has a long history of advocating for consumers in data breach cases. EPIC has consistently highlighted the need to combat identity theft and ensure that businesses are properly incentivized to protect the data that they collect.
In July 2016, EPIC filed an amicus brief in the Eighth Circuit in In re Supervalu Consumer Data Security Breach Litigation, an early data breach case similar to CareFirst. EPIC argued that while courts have routinely conflated injury-in-fact and consequential harm in their analysis of standing, proof of harm is not required under Article III. EPIC also subsequently filed other post-Spokeo amicus briefs addressing Article III standing in privacy cases in the Ninth Circuit (Cahen v. Toyota) and the Seventh Circuit (Gubala v. Time Warner Cable).
In April 2016, EPIC filed an amicus brief in the Third Circuit case Storm v. Paytime, Inc., which involved a similar issue. EPIC argued that consumers are facing an unprecedented threat from data breaches and the subsequent misuse of their personal data, and that courts should not limit consumers’ access to legal recourse. EPIC also argued that consequential, downstream harms such as identity theft and financial fraud are irrelevant to whether data breach victims have standing to sue.
In January 2016, EPIC launched Data Protection 2016, a nonpartisan campaign to make data protection an issue in the 2016 election. The campaign advocates for reduced identity theft and financial fraud and for investigations of the misuse of personal data.
In September 2015, EPIC filed an amicus brief in the Supreme Court in Spokeo v. Robins, an Article III standing case concerning statutory consumer privacy claims. Plaintiff Robins sued Spokeo for violating the Fair Credit Reporting Act by disclosing inaccurate information about him. EPIC filed an amicus brief, advising the Court that now is not the time “to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress.” EPIC highlighted the need for robust privacy and consumer protection laws by demonstrating that “American consumers today face an epidemic of privacy harms, including data breaches, identity theft, and financial fraud.” In 2015 alone, data breaches have “exposed more than one hundred and forty million records of personally identifiable information.” And according to the most recent Department of Justice report, “identity theft cost American consumers more than twenty-four billion dollars” in 2012. In May 2016, the Supreme Court concluded that the U.S. Court of Appeals for the Ninth Circuit had failed to analyze whether Robins’s allegations were “concrete,” and remanded the case to the lower court.
In April 2014, EPIC submitted comments to the White House Office of Science and Technology Policy’s review of Big Data and the Future of Privacy. In its comments, EPIC warned the OSTP about the risks Americans face from the current big data environment, urged the swift enactment of the Consumer Privacy Bill of Rights, and highlighted the need for stronger privacy safeguards.
EPIC has also repeatedly advised legislators about the need to provide strong protections for consumer data. In October 2015, EPIC testified before the Senate Committee on Aging about protecting senior citizens from identity theft. EPIC warned about the growing risk of SSN-related identity theft, a risk magnified by the inclusion of SSNs on Medicare cards. EPIC had previously warned Congress and state legislators about the risks of using SSNs on identity documents. In June 2011, EPIC testified before the House Committee on Energy and Commerce about the SAFE Data Act, a bill intended to protect consumers’ personal information. EPIC emphasized the growing problem of data breaches and the likelihood that problems would get worse as more user data moves to cloud-based services. EPIC criticized the bill for preempting stronger state laws and for not adequately protecting personal information. The bill was not enacted. And in May 2009, EPIC testified before the House Committee on Energy and Commerce about H.R. 2221, the Data Accountability and Trust Act, and H.R. 1319, the Informed P2P User Act. EPIC opposed the preemption of state laws, recommended the use of text messages for breach notices, and suggested that personally identifiable information be broadly defined to include any information that identifies or could identify a particular person. Both bills died in committee.
Legal Documents
CareFirst II
U.S. Court of Appeals for the D.C. Circuit, No. 19-7020
- Brief of Appellants (June 24, 2019)
- Amicus Brief of EPIC (July 1, 2019)
- Brief of Appellee (July 24, 2019)
- Appellant’s Reply Brief (Aug. 14, 2019)
- Oral Argument (Dec. 6, 2019)
- Opinion (Aug. 11, 2020)
U.S. District Court for the District of Columbia, No. 15-cv-882
- Defendant’s Motion to Dismiss (June 13, 2018)
- Plaintiffs’ Opposition to Motion to Dismiss (July 9, 2018)
- Opinion (January 30, 2019)
- Sur-Reply in Support of Plaintiffs’ Opposition to Defendant’s Motion to Dismiss (January 30, 2019)
- Plaintiffs’ Rule 59 Motion (February 11, 2019)
CareFirst I
U.S. Court of Appeals for the D.C. Circuit, No. 16-7108
- Appellants’ Opening Brief
- EPIC Amicus Brief (Jan. 17, 2017)
- Brief of Appellees (Feb. 8, 2017)
- Appellants’ Reply Brief (Feb. 22, 2017)
- Oral Argument Recording (Mar. 31, 2017)
- Opinion (Aug. 1, 2017)
U.S. District Court for the District of Columbia, No. 15-cv-882
- Opinion (August 10, 2016)
- Second Amended Complaint (July 16, 2015)
News
- Alison Frankel, D.C. judge: No actual damages, no claims for data breach victims, Reuters (February 4, 2019)
- Elizabeth Snell, What the CareFirst Data Breach Decision Means for Healthcare, HealthITSecurity.com (March 14, 2018)
- Evan Sweeney, Supreme Court denies CareFirst’s petition to review data breach case, Fierce Healthcare (February 20, 2018)
- Kristen L. Burge, Your Data Was Stolen, But Not Your Identity (Yet), American Bar Association (January 11, 2018)
- Jennifer Williams-Alvarez, Inside Track: Next Year’s Must Watch Data Breach Case, Yahoo! Finance (December 13, 2017)
- Alison Frankel, New cert petition: SCOTUS must decide when data breach victims can sue, Reuters (October 31, 2017)
- Catherine Pahdi, Standing in Data-Breach Actions: Injury in Fact?, Lawfare (December 18, 2017)
- Evan Sweeney, Appellate court ruling sets the stage for CareFirst to take its data breach case to the Supreme Court, Fierce Healthcare (September 7, 2017)
- Tina Reed, Appeals Court Allows Lawsuit Against CareFirst to Advance, Washington Business Journal (August 1, 2017)
- Suevon Lee, CareFirst Beats Another Data Breach Class Action, Law360 (Aug. 10, 2016)
- Andrea Peterson, Cyberattack on CareFirst exposes data on 1.1 million customers in D.C., Md. and Va., The Washington Post (May 20, 2015)
- Matthew Goldstein and Reed Abelson, Up to 1.1 Million Customers Could be Affected in Data Breach at Insurer CareFirst (May 20, 2015)
- Kate Vinton, Data Belonging To 1.1 Million CareFirst Customers Stolen In Cyber Attack, Forbes (May 20, 2015)