Incident & Breach Response , Legislation & Litigation , Managed Detection & Response (MDR)

What Comes Next in the CareFirst Data Breach Case?

Attorney Patricia Carreiro Analyzes What Will Happen After Supreme Court's Latest Move
What Comes Next in the CareFirst Data Breach Case?
Attorney Patricia "Trish" Carreiro of law firm Axinn, Veltrop & Harkrider

Now that the Supreme Court has declined to review a case stemming from a 2014 cyberattack on CareFirst Blue Cross Blue Shield, what comes next? Litigation attorney Patricia "Trish" Carreiro analyzes the potential implications for the class-action lawsuit filed after a breach that affected 1.1 million individuals.

On Feb. 20, the Supreme Court "denied certiorari" in CareFirst's petition for the high court to review an August 2017 decision by the U.S. Court of Appeals, which overturned a lower court's dismissal of the case against CareFirst that sought damages on behalf of victims of the breach. In its ruling, the appellate court noted that a group of CareFirst health plan members "attributed the breach to the company's carelessness."

The lower district court had dismissed the case for lack of standing, finding the risk of future injury to the plaintiffs too speculative to establish injury in fact.

"The Supreme Court denying cert [in the CareFirst case] was more of a 'pass' - there wasn't any sort of discussion about why they decided to deny the petition for cert," says Carreiro, an attorney at the law firm Axinn Veltrop & Harkrider LLP, which is not involved in the CareFirst case.

What's Next?

Had the Supreme Court agreed to review the CareFirst lawsuit, it would've been the first data breach case taken up by the high court.

But instead, the case is headed back to the lower court for a potential trial. Carreiro, however, says the case may not get that far.

"I wouldn't be surprised to see a settlement. That is very normal at this point in a case. A court's ruling on the motion to dismiss is often a watershed moment in cybersecurity litigation," she says in an interview with Information Security Media Group.

"Once you survive the motion to dismiss, there's a big jump in settlement value because a defendant knows that even if it has these great defenses, it's going to incur substantial litigation costs. So defendants are more willing to pay to make the case go away. The nuisance value is up."

In the interview (see audio link below photo), Carreiro also discusses:

  • How the Supreme Court's decision to forgo a review of the CareFirst breach case can be potentially interpreted when it comes to the future of other data breach cases;
  • Whether plaintiffs' attorneys could potentially ask to review details of CareFirst's security practices if the case proceeds to the discovery phase now that the lawsuit is back in the lower court;
  • Other pending breach-related cases potentially headed for Supreme Court review.

Carreiro practices in the litigation group of law firm Axinn, Veltrop & Harkrider LLP's Hartford, Connecticut office. She has experience in a broad range of civil litigation, including cybersecurity, commercial litigation and insurance disputes. She has appeared before courts and administrative agencies and frequently publishes on cybersecurity issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.