A national business lobbying group has urged a District of Columbia appeals court to dismiss a class action lawsuit against CareFirst BlueCross BlueShield following a 2015 data breach that compromised 1.1 million patient records.
In August, a district court judge dismissed the claims against the insurer, ruling that the plaintiffs had not suffered any actual injury or harm. In January, the plaintiffs filed an appeal, arguing that the ruling “places no value on a citizen’s right to maintain the privacy of her digital data and held that the privacy of one’s digital profile is of no value.”
In an amicus brief filed this week, the the U.S. Chamber of Commerce argued that if plaintiffs are permitted to pursue legal action in which a data breach has not caused injury, businesses will be "mired in lawsuits over breaches that have not caused any actual or imminent harm to the plaintiffs” and could lead to “massive settlements.”
The Chamber of Commerce repeatedly referenced Spokeo, Inc. v. Robins, in which the Supreme Court overturned a circuit court decision because the plaintiff failed to allege any “actual or imminent harm.” The government agency also pointed to the “already potentially staggering costs of data breaches, along with the enormous reputation damage they can cause” to support its argument that “the mere occurrence of a data breach” should not warrant a class-action lawsuit.
The issue of data breach harm has also emerged in another case against Horizon Blue Cross Blue Shield, following a 2013 breach that exposed more than 800,000 patient records.
Last month, an appeals court revived the lawsuit by vacating a 2015 dismissal. The judges for the United States Court of Appeals for the Third Circuit said that under the Fair Credit Reporting Act, plaintiffs should not have to wait for a tangible injury to occur before filing a claim.