Standing remains a high hurdle for individuals whose personal information is compromised as a result of a data breach but who cannot establish that the stolen information was actually used improperly. Class action claims against CareFirst Blue Cross Blue Shield related to a 2014 breach were dismissed by D.C. District Court Judge Christopher R. Cooper last week after he found that they failed to meet Article III’s standing requirement. This ruling comes two months after a similar ruling by a Maryland district court judge in class action claims related to the same CareFirst breach.
Judge Cooper’s decision does underscore the need to show harmful misuse of data to establish standing, but his opinion also raises the possibility that the type of information stolen may be important to determining the plausibility of alleged harm.
In the CareFirst breach, customers’ names, birthdates, email addresses, and subscriber numbers were compromised, but no social security numbers or credit card information. In his rejection of plaintiffs’ claims of injury, Judge Cooper specifically referenced the type of information that had been stolen in several instances. It is fair to ask: had either the social security numbers or credit card information of this plaintiff group been implicated, might the judge have seen a more plausible imminent harm?
Broadly speaking, Article III standing requires a plaintiff to show injury-in-fact, causation and redressability, and the alleged injury must be particularized, concrete or imminent. In the context of a class action, each named plaintiff must establish that he or she was personally injured.
The CareFirst plaintiffs’ class action complaint alleged various violations of state laws and breach of legal duties associated with protecting personal information. The claimed injuries included, inter alia, (1) an increased risk of identity theft; (2) identity theft in the form of tax fraud; (3) economic harm through having to purchase credit-monitoring services; (4) economic harm through overpayment for insurance coverage; and (5) loss of intrinsic value of their personal information.
The district court found each claim without merit. Plaintiffs could not show how a hacker could steal their identities without their social security numbers or credit card numbers; could not claim the purchase of credit card monitoring services as an injury since that constitutes a “self-inflicted” harm; could not substantiate their claim that some portion of their insurance premiums is now allocated to paying for security measures; and could not show their personal information had been “devalued.”
With respect to the tax fraud claim, two named plaintiffs alleged that they suffered injury-in-fact because they had not yet received an expected tax refund. The court, however, found that the plaintiffs failed to show that their alleged injury was “fairly traceable” to the breach or how such tax refund fraud could have been carried out without their social security numbers and credit card information.