Neiman Marcus

Will I Get Sued After a Data Breach? D.C. Circuit Broadens Scope of Data That Gives Rise to Identity Theft in CareFirst

In the latest sign that data breach class actions are here to stay—and, indeed, growing—the D.C. Circuit resuscitated claims against health insurer CareFirst BlueCross and Blue Shield, following a 2015 breach that compromised member names, dates of birth, email addresses, and subscriber identification numbers of approximately 1.1 million individuals.  The decision aligns the second most powerful federal appellate court in the nation with pre-Spokeo decisions in Neiman Marcus and P.F. Chang and post-Spokeo decisions in other circuits (Third, Seventh, and Eleventh).  In short, an increased risk of identity theft constitutes an imminent injury-in-fact, and the risk of future injury is substantial enough to support Article III standing.

The D.C. Circuit’s holding is an important development.  First, the D.C. Circuit went beyond credit card numbers and social security numbers to expand the scope of data types that create a risk to individuals (i.e., names, birthdates, emails, and health insurance subscriber ID numbers).  Second, the decision makes clear that organizations should carefully consider the interplay between encryption (plus other technical data protection measures) and “risk of harm” exceptions to notification, including exceptions that may be available under HIPAA and GLBA statutory regimes. READ MORE

Keep Reading: Standing Affirmed, but Barnes & Noble Data Breach Class Action Halted

It was about time for data breach defendants to get a win. The District Court for the Northern District of Illinois delivered one to Barnes & Noble in its long-running class action that stems from a breach suffered in 2012. Plaintiffs’ case was dismissed in its entirety on a motion to dismiss under Rule 12(b)(6). This development—just days after the Sixth Circuit in Nationwide had aligned itself with the Seventh Circuit’s Neiman Marcus and P.F. Chang’s decisions that found standing to sue for breach plaintiffs—shows that the legal battle over “harm” may start with standing, but goes nowhere absent alleged damages that tightly match the substantive elements of each claim.

READ MORE