In one last effort to convince the Supreme Court to hear its data breach case, attorneys with CareFirst warned that without the high court’s review, companies in any industry would be inundated with class-action lawsuits.
CareFirst is asking the Supreme Court to review an August decision by the U.S. Court of Appeals in the District of Columbia, which ruled the risk of injury from a 2014 data breach was substantial enough for CareFirst members to move forward with their lawsuit. In a final reply brief (PDF), attorneys for the insurer argued that if that decision stands, any individual whose information was exposed in a data breach could sue the company “even if the plaintiff suffered no harm whatsoever.”
“The circuit court’s holding, if left undisturbed, will eviscerate any workable standard for evaluating when a threat of a future harm is sufficiently imminent to satisfy Article III standing, and will open the door to a flood of no-injury class actions arising from virtually every data breach,” CareFirst attorneys wrote.
The insurer also disagreed with the plaintiffs that brought the class-action suit in 2015, who argued in a brief (PDF) earlier this month that CareFirst overstated the uncertainty among the circuit courts.
But CareFirst highlighted several circuit court decisions that differed from the D.C. appellate court, backing its assertion that determining harm from a data breach “now depends more on the venue of an action than on established standards.”
If the Supreme Court were to accept the petition, it could impact data breach litigation across multiple industries. Although chances the high court agrees to review the case are slim, CareFirst raises important data breach litigation issues that have emerged in courts across the country, according to Rahul Mukhi, a cybersecurity and privacy attorney with Cleary Gottlieb Steen & Hamilton LLP who previously served as the assistant U.S. attorney in the Southern District of New York.