The U.S. Supreme Court has denied an appeal filed by CareFirst to review a case stemming from a 2014 data breach.
The Supreme Court issued its decision on Tuesday, eliminating the possibility, for now, that the court will weigh in on questions about whether the possibility of harm from a data breach is enough for victims to bring legal action. It would have been the first data breach case to reach the high court.
The Maryland insurer filed the petition in November following a ruling by the U.S. Court of Appeals in the District of Columbia last year that allowed CareFirst members to move forward with claims that they were harmed by a 2014 data breach that exposed more than 1.1 million records. A three-judge panel said the risk of potential harm associated with identity theft was substantial enough for the class-action complaint to proceed.
In their appeal to the Supreme Court, CareFirst attorneys argued that the appellate court’s decision set a dangerous precedent and pointed to “growing uncertainty” among circuit courts about the level of harm for those affected by a data breach. The insurer later warned that companies across multiple industries would face a growing number of data breach cases if the Supreme Court did not resolve discrepancies among the lower courts.
Despite "lots of hand-wringing over what sort of injury is enough to sustain a data breach claim," the Supreme Court's ruling came as no surprise to Craig A. Newman, a partner with Patterson Belknap Webb & Tyler LLP in New York who chairs the firm’s data security practice. Just last month, he noted, the Supreme Court denied another data breach case, Spokeo v. Robins, involving similar questions over harm.
Christopher Nace, an attorney with Paulson and Nace in Washington, D.C., who represents the plaintiffs in the CareFirst case, told FierceHealthcare the D.C. appeals court decision and the Supreme Court’s denial “simply indicates that our courts will provide citizens a venue to hold corporations accountable when they fail to take reasonable precautions to protect our data.”
“When you consider all of the Americans who have had their data exposed, it is important that corporate America understands that if they do not take reasonable steps to protect citizens’ data, they will be held responsible in our courts,” he said in an email, adding that he is prepared to proceed to the discovery portion of the CareFirst case.
But nuanced breach litigation will continue to work its way through the lower courts and may eventually force the Supreme Court to address some of the questions laid out in CareFirst’s petition.
“Data breach cases are not going away,” Alan Butler, the senior counsel for the Electronic Privacy Information Center, told FierceHealthcare prior to Tuesday’s decision. “Identity theft remains one of the most significant threats facing Americans every day, and the constant stream of data breaches continues to make the problem worse.”
For now, lower courts will be left to wrestle with the questions surrounding harm.
“While in many cases it comes down to the particular issues in a breach, the federal circuit courts have taken decidedly different perspectives on the question,” Newman says. “Without guidance from the Supreme Court, we’ll continue to see much of the same.”