New Precedent for Data Breach Class Action Suits

In a decision that could set a precedent for other data breach cases, the U.S. Court of Appeals for District of Columbia Circuit ruled in August that a class action lawsuit filed against health insurer CareFirst Blue Cross Blue Shield can be resuscitated. This action overturns a lower court’s decision last year to dismiss the case resulting from a 2014 cyber attack that impacted the personal data of over one million individuals.

The court held that the theft of personally identifiable information, if true, creates enough of a risk of identity theft that could be traced back to CareFirst’s negligence in not securing its data.

Most courts have adopted a standard that individuals must show that they have suffered actual harm in order to bring a case to trial. But there may be a shift in how courts view data breaches caused by corporate carelessness in handling sensitive data, especially when the “harm” may not manifest itself until far in the future when the source of the harm becomes more difficult to trace.

Instead of a finding of damage that is “actual or imminent”, the Appeals Court broke new legal ground by allowing the CareFirst lawsuit to continue based on a finding that the data breach exposed plaintiffs to a “heightened risk” of future injury in the form of identity theft.

If cases like this are successful, the costs of a data breach may become much higher. This is because the award from successful class action lawsuits can be far greater than the cost of regulatory fines. There is also the significantly higher costs of defending or settling such cases, plus higher cyber security insurance premiums.

The most important step in protecting your business is putting in place reasonable safeguards to prevent a data breach. If a breach does occur in the future, having reasonable safeguards in place can go a long way toward protecting your business from the charge of negligence.

DataLink can help your business put everything in place – systems, tools and policies – to substantially shrink your cyber security risk. Contact us today: 410.729.0440 or