Federal Appeals Court Reinstates Data Breach Lawsuit

In a case that substantially lowered the evidentiary bar in these situations, the D.C. Circuit Court of Appeals reversed a district judge and revived a lawsuit against health insurance giant CareFirst, Inc.

In June 2014, an intruder apparently broke into the insurance company’s Baltimore office, hacked into twenty-two different computers, and stole personal information from about one million current and former members. CareFirst did not acknowledge the breach, and may not have even known about the breach, until June 2015. Shortly thereafter, these individuals filed a class action suit, alleging that the data theft exposed them to possible cyber fraud. A district judge dismissed the action, ruling that the plaintiffs did not allege a past injury or a likely future injury.

A three-judge panel threw out that decision, because not only had the plaintiffs alleged sufficient likelihood of future economic injury under the “light burden of proof the plaintiffs bear at the pleading stage,” they also established that “a substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege were taken.”

How to Reduce Data Breach Liability

Strict federal and state rules apply to customer data, especially including any personal health information. This category is very broad and includes such items as:

• Prior health conditions,
• Current diagnosis and treatment,
• Insurance claims history, and
• Personal information (e.g. driver’s license number and Social Security number).

The Health Insurance Privacy and Accountability Act (HIPAA) applies not only to clinics, hospitals, and other medical providers, but also any other entities that possess such information, including lawyers and accountants.

Before a breach happens, make sure that your company has a very clear information security policy that’s very strictly enforced. This step is particularly important if your company has a BYOD (“bring your own device”) policy and allows employees to work remotely, possibly at places that have unsecured Wi-Fi hotspots.

If you have any legitimate reason to suspect that there has been a data breach, report it immediately to any appropriate federal or state authorities. Then, conduct an internal investigation that’s both thorough and transparent.

Under the standard announced in Attias v. CareFirst, a negligence lawsuit will probably still make it past the initial stage. However, a plaintiff will be hard-pressed to establish facts that point to negligence, greatly increasing your chances of success at the Rule 56 summary judgment phase.

Partner with Experienced North Carolina Attorneys

A federal court just made it harder, but not impossible, to defend against a data breach negligence suit. For a confidential consultation with an experienced personal injury lawyer in High Point, contact McAllister, Aldridge & Kreinbrink PLLC at (336) 882-4300. Convenient payment plans are available.