In an announcement expected today, the U.S. Supreme Court will decide whether to accept a case that could narrow how “harm” is defined in data-breach cases.
Health insurer CareFirst Inc. wants consumers to have to prove actual harm rather than bringing lawsuits on the potential for damage.
Previously, the Supreme Court ruled that plaintiffs must allege “actual or imminent” harm to bring a federal case. But last summer, the U.S. Court of Appeals for the District of Columbia Circuit issued its own decision, saying data breaches create a substantial risk of identity theft because hackers could later use a consumer’s identity for purchases or other fraudulent activities.
Experts said last week that a Supreme Court review could clear up the issue for business, consumers and attorneys.
“CareFirst is as good as a vehicle as any for the Supreme Court to address injury requirements in the data breach context,” Rahul Mukhi, cybersecurity and privacy counsel at Cleary Gottlieb Steen & Hamilton LLP in New York, told Bloomberg Law.
Taking the case, Mukhi said, would be “a good sign for defendants because the Court has generally trended in the direction of imposing higher standing and pleading standards on plaintiffs.”
The CareFirst case involves a 2015 data breach that compromised the information of 1.1 million CareFirst customers.
The D.C. Circuit Court’s ruling “if left undisturbed, will eviscerate any workable standard for evaluating when a threat of a future harm is sufficiently imminent … and will open the door to a flood of no-injury class actions arising from virtually every data breach,” attorneys for the insurer told the Court in asking for a hearing.
The Court was closed for Presidents’ Day Monday. Orders from a conference held Feb. 16, during which the justices were expected to discuss CareFirst, Inc. v. Attias, are to be posted today at https://www.supremecourt.gov/orders/ordersofthecourt/17.