U.S. Supreme Court Denies Petition to Review Case that May Impact Data Breach Lawsuits

Written By ESR News Blog Editor Thomas Ahearn

On February 20, 2018, the Supreme Court of the United States denied a petition for a writ of certiorari to review the case of CareFirst Inc. v. Attias and possibly provide some clarification of the Court’s May 2016 ruling in the related case of Spokeo Inc. v. Robins to show whether the fear of identity theft caused by a data breach is an “injury in fact” sufficient enough for standing under Article III of the U.S. Constitution.

In June 2014, health insurer CareFirst suffered a data breach that compromised the personal information of some 1.1 million policyholders and included names, birth dates, email addresses, and subscriber identification numbers. According to CareFirst, more-sensitive data such as social security and credit card numbers, was not stolen. A group of CareFirst customers brought a putative class action.

CareFirst moved to dismiss the complaint, arguing that “because Plaintiffs have not alleged that their personal information has actually been misused, or explained how the stolen information could readily be used to assume their identities, they lack standing to sue in federal court.” In August 2016, citing the Spokeo ruling, the U.S. District Court of the District of Columbia granted CareFirst’s motion to dismiss.

U.S. District Judge Christopher R. Cooper ruled the plaintiffs had failed to allege an “injury in fact” as required under Spokeo v. Robins: “Absent facts demonstrating a substantial risk that stolen data has been or will be misused in a harmful manner, merely having one’s personal information stolen in a data breach is insufficient to establish standing to sue the entity from whom the information was taken.”

However, the district court’s finding for CareFirst in dismissing for lack of standing was reversed and remanded by the U.S. Court of Appeals for the District of Columbia Circuit, also citing Spokeo, in August 2017: “We conclude that the district court gave the complaint an unduly narrow reading. Plaintiffs have cleared the low bar to establish their standing at the pleading stage. We accordingly reverse.”

This case is similar to Spokeo, Inc. v. Robins. In January 2018, ESR News reported the Supreme Court denied a petition for a writ of certiorari that sought a review of the Court’s ruling on May 16, 2016, in the case that found a mere “technical” violation of a federal statute such as the Fair Credit Reporting Act (FCRA) does not constitute a “concrete injury” or “injury-in-fact” as required under Article III.

Spokeo’s petition followed an August 2017 ruling by the Ninth U.S. Circuit Appeals Court on remand from the Supreme Court that found the claim by Robins that Spokeo violated the FCRA with inaccurate information about him had sufficient concrete injury to meet the Article III standing: “Ensuring the accuracy of this sort of information thus seems directly and substantially related to FCRA’s goals.”

In July 2010, Thomas Robins filed a class action lawsuit against Spokeo – an online “people search engine” that compiles and sells public data about individuals – claiming violations of the FCRA after Spokeo compiled a consumer report about him that contained inaccurate information about his age, education, marital status, and employment. The FCRA regulates the accuracy of such information.

The focus on data breach litigation follows the announcement in September 2017 by nationwide credit reporting agency Equifax that a massive data breach had impacted approximately 143 million Americans – almost half of the country. The need for screening firms to ensure data breach protection is one of the “ESR Top Ten Background Check Trends” for 2018 selected by Employment Screening Resources (ESR).

ESR Knows Data Breach Protection Is Mission Critical

Employment Screening Resources (ESR) – a leading global background provider – knows data breach protection is a mission critical issue in the modern Information Age. ESR undergoes an annual SOC 2 audits to ensure the privacy, security, and confidentiality of consumer information used for background checks. More information about the ESR SOC 2 report is at www.esrcheck.com/Why-ESR/SOC-2/.

NOTE: Employment Screening Resources® (ESR) does not provide or offer legal services or legal advice of any kind or nature. Any information on this website is for educational purposes only.

© 2018 Employment Screening Resources® (ESR) – Making copies or using of any part of the ESR News Blog or ESR website for any purpose other than your own personal use is prohibited unless written authorization is first obtained from ESR.