The tides may be turning in favor of data breach victims after an appeals court Tuesday ruled a health insurance company's customers could sue the provider after a data breach.
The case stems from a 2014 cyberattack in which personal information was stolen. A lower court initially ruled that the customers lacked standing because they had failed to show a present injury or a likelihood of being injured in the future. The new ruling comes shortly after Anthem suffered another breach, not long after being ordered to pay $115 million for a previous incident.
A three-judge panel on the U.S. Court of Appeals in Washington, D.C., reversed a district court's decision to dismiss a class action lawsuit brought against the provider CareFirst after finding the district court gave the complaint an unduly narrow reading.
“The District Court concluded that the plaintiffs had ‘not demonstrated a sufficiently substantial risk of future harm stemming from the breach to establish standing,’ in part because they had ‘not suggested, let alone demonstrated, how the CareFirst hackers could steal their identities without access to their Social Security or credit card numbers,’” Judge Thomas Griffith said while delivering the opinion of the appeals court.
“But that conclusion rested on an incorrect premise: that the complaint did not allege the theft of Social Security or credit card numbers in the data breach,” when in fact the complaint did, Griffith added.
Although it may seem like a step in the right direction, Tom Conklin, Vera's head of security and compliance, told SC Media that the courts still must decide whether the plaintiffs will ultimately win the lawsuit.
“The ruling is interesting; it allows the lawsuit brought by the victims of the breach to move forward,” Conklin said. “The major impact is that it now gives anyone that is a victim of a breach standing to file a lawsuit.”
He went on to say the ruling has much broader implications than just health insurance providers, and that he expects to see more class action lawsuits with major breaches like the Yahoo breach.
“Regardless of the outcome this highlights the importance of all companies to demonstrate they have strong security protections in place,” he said. “Companies that lack strong information security face greater threat of lawsuits if they suffer a breach.”
Experts agree. Bill Evans, director at One Identity, told SC Media he believes that if the case is ruled in favor of the plaintiffs, other corporations will begin to understand what “we have been espousing for years; that is, if you think being secure is expensive, try being unsecure!”
“This is just another step towards ensuring consumer and customer information be treated with the highest level of security,” Evans said. “One need only look at the upcoming GDPR regulation from the EU (that actually affects any company that handles EU citizen data regardless of its location), where the penalties can be massive – up to 4% of revenue.”