Several years later, the Fourth Circuit joined the Third Circuit in Beck v. McDonald, which consolidated two cases. The first related to the loss or theft of a laptop containing patient records, while the second related to the loss or theft of four boxes of hard-copy pathology reports. Distinguishing Galaria, Remijas, and Krottner, the Fourth Circuit dismissed both cases, finding that there was no evidence that any of the information had ever been used to commit fraud, that any of the information had actually been stolen, or, in the case of the laptop, that the data (as opposed to the laptop itself) would have been the target of any theft.
Several months later, the Eighth Circuit addressed the theft of credit card information by hackers from a chain of grocery stores in In re SuperValu, Inc. Sixteen customers sued based on the risk of future identity theft.
One of these customers was also able to allege that he had already suffered fraudulent charges on his credit card. The Eighth Circuit found the bare risk of future identity theft insufficient to confer standing on the other fifteen. It did, however, allow the final plaintiff to proceed on claims related to past harm as a result of the data breach. Given these contrasting approaches, other courts outside those circuits have had to navigate a thicket of facts and justifications in reaching their own conclusions.
Three decisions from the Second Circuit and district courts within it are instructive. The first is Whalen v. Michaels Stores, Inc. In Whalen, a breach resulted in the disclosure of credit card information, but the plaintiff promptly cancelled the card and so was not liable for fraudulent charges. While Whalen rejected standing on those facts, its citation to Galaria suggested that the Second Circuit might be open to finding that other allegations could plausibly plead standing for the risk of future identity theft, and two district courts have cited Whalen for just such a conclusion.
In a recent decision in Fero v. Excellus Health Plan, Inc., certain plaintiffs alleged injury solely from the increased risk of future identity theft. Last month, on a motion for reconsideration, the court reversed its prior decision dismissing those claims and found that Whalen suggested the Second Circuit would find the risk of future identity theft sufficient to confer standing where information beyond credit card numbers was disclosed.
The court in Sackin v. Transperfect Global, Inc. reached the same conclusion. Sackin also involved a breach in which hackers accessed an array of consumer information. The Sackin court, as in Excellus, noted that this disclosure could lead to a variety of fraudulent acts by the hackers or by third parties who subsequently purchased the information, and read Whalen to suggest that the Second Circuit would recognize this as an injury-in-fact sufficient to establish standing.
Common Threads

Although the leading case in any given circuit will ultimately control in that circuit, there are important factual distinctions among all these cases that may have an impact on any motion to dismiss claims for risk of future identity theft following a data breach. Among other issues that courts have focused on in deciding the issue are the following (these factors are not hard and fast; each has at least one exception):

The type of data disclosed.
Courts pay attention to the nature of the data stolen in determining whether future harm is imminent. Numbers for existing credit cards, which can be cancelled, are less likely to support an injury-in-fact related to future identity theft than Social Security numbers or other personally identifying information that can be used more easily to open additional accounts unknown to the affected consumers or to commit identity theft.

Evidence of prior consequences from the breach. In Krottner, Remijas, and Galaria, where plaintiffs pleaded that third parties had attempted to make use of the stolen data, even unsuccessfully, the courts found standing. In cases like Reilly and Beck, where no such facts were alleged, the courts denied standing.

Motivations behind the breach. In cases such as Galaria and CareFirst, courts have adopted the commonsense view that hackers engage in data breaches for the purpose of stealing information and committing identity theft or other forms of fraud, and are therefore willing to find an imminent risk where plaintiffs plead deliberate hacking. Where, by contrast, the reason for the initial breach is unclear, such as the loss of the laptop in Beck, courts are more reluctant to presume that the mere disclosure of data will inevitably lead to fraud.

Free credit monitoring or other remedial services. When announcing a data breach, a number of companies have offered free credit monitoring or similar services.

CareFirst BlueCross BlueShield on Wednesday said it had been hit with a data breach that compromised the personal information of approximately 1.
There are indications that the same attack methods may have been used in this intrusion as in the breaches at Anthem and Premera, incidents that collectively involved data on more than 90 million Americans. According to a statement CareFirst issued Wednesday, attackers gained access to names, birth dates, email addresses and insurance identification numbers.
The company said the database did not include Social Security or credit card numbers, passwords or medical information. Nevertheless, CareFirst is offering credit monitoring and identity theft protection for two years. Nobody is officially pointing fingers at the parties thought to be responsible for this latest health industry breach, but there are clues implicating the same state-sponsored actors from China thought to be involved in the Anthem and Premera attacks. As I noted in this Feb.
Prior to its official name change at the end of , Anthem was known as Wellpoint. Security researchers at cybersecurity firm ThreatConnect Inc. ThreatConnect also found that the domains were registered in April, approximately the time that the Anthem breach began, and that the domains were used in conjunction with malware designed to mimic a software tool that many organizations commonly use to allow employees remote access to internal networks.
On Feb. Additionally, ThreatConnect has unearthed evidence showing the same tactics were used on EmpireB1ue.

So they managed to only steal insurance ID info but not SSNs, medical information and credit card info?
Sorry, that just does not sound true.

Certificates distributed en masse by browser software makers should be accorded only marginal trust. What we need is a better system.

A better system would probably be going back to paper. But even then, people are mind-bogglingly stupid when it comes to challenging people trying to sneak into a building.
Once upon a time, when I showed up at a building for a job interview, I did not know if I was even at the correct campus, let alone the correct building, as my directions in the invitation mail (paper days) were poor. When I arrived, they not only buzzed me in but all but pulled me in by the arm through the lobby and into the inner sanctum.
When we found out that I was in the wrong building, they did not bother to escort me back out but pointed through the window to the building I was supposed to go to. Please, folks, check me out before pulling me by the arm into the wrong building, and please do not leave me standing there, but escort me to the correct place.

I have a friend who was a teacher at a school. She even had a chat with him for a while. Turned out he was just some guy off the street dressed like an IT professional.

Also, the attacks are basically social engineering. Keep in mind that it is difficult to change an environment where there are several layers, or more, of staff below the CEO.
For various reasons, they may have been deficient in providing adequate security, and now these people will feel defensive and threatened. This situation acts as a coagulant to the change that needs to occur. That being said, I also see the financial aspect as a valid culprit, as oftentimes the basics get neglected in favor of landing a working product.
For anyone out there looking to avoid falling for this sort of trap: Get a password manager. Computers are impossible to trick with such character substitutions.
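The ThreatConnect finding in the article above (lookalike domains such as EmpireB1ue, built by swapping visually similar characters) and the comment's point that a password manager is not fooled by such substitutions both come down to two small pieces of logic: reduce a domain to what it looks like to a human and compare it against the brands you protect, and release stored credentials only on an exact domain match. The following is an added example written for this page; it is not code from KrebsOnSecurity, ThreatConnect, LastPass or any other password manager. The confusable-character table is deliberately partial, the registrable-domain rule is a last-two-labels heuristic rather than the Public Suffix List, and the sample domains and vault entries are constructed for illustration.

```python
"""Lookalike-domain classification and exact-domain credential release.

Added example for this page; not code from the article, ThreatConnect,
or any password manager. Sample inputs are constructed.
"""
import unicodedata
from urllib.parse import urlsplit

# Visually confusable substitutions. Two-character sequences are tried
# before single characters. Partial table; an assumption of this example.
MULTI = {"rn": "m", "vv": "w", "cl": "d"}
SINGLE = {
    "1": "l", "|": "l", "!": "i", "0": "o", "3": "e", "5": "s", "$": "s",
    "4": "a", "@": "a", "7": "t", "8": "b",
    # A few Cyrillic letters that render like Latin ones.
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}


def skeleton(label: str) -> str:
    """Map a hostname label to what it *looks like* to a human reader."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    out, i = [], 0
    while i < len(s):
        if s[i:i + 2] in MULTI:
            out.append(MULTI[s[i:i + 2]])
            i += 2
        else:
            out.append(SINGLE.get(s[i], s[i]))
            i += 1
    return "".join(out)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels: 'www.wellpoint.com' -> 'wellpoint.com'.
    Heuristic assumption; production code should use the Public Suffix List
    so that names such as 'example.co.uk' are handled correctly."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


# Constructed list of brand domains to protect (assumed, not from the page).
PROTECTED = ["wellpoint.com", "empireblue.com"]


def classify(candidate: str, protected=PROTECTED, max_distance: int = 1):
    """Return (verdict, brand) for a candidate domain.

    legitimate     exact registrable-domain match
    homoglyph      same TLD, looks identical after confusable folding
    tld_variant    looks identical but on a different TLD
    brand_embedded brand skeleton appears inside a longer label
    typosquat      within max_distance edits of the brand
    unrelated      none of the above
    """
    cand = registrable(candidate)
    brands = {registrable(p) for p in protected}
    if cand in brands:
        return ("legitimate", cand)
    parts = cand.rsplit(".", 1)
    cand_sld, cand_tld = parts[0], (parts[1] if len(parts) > 1 else "")
    cand_sk = skeleton(cand_sld)
    closest = None
    for brand in sorted(brands):
        b_sld, b_tld = brand.rsplit(".", 1)
        b_sk = skeleton(b_sld)
        if cand_sk == b_sk:
            return ("homoglyph", brand) if cand_tld == b_tld else ("tld_variant", brand)
        if b_sk in cand_sk:
            return ("brand_embedded", brand)
        d = levenshtein(cand_sk, b_sk)
        if d <= max_distance and (closest is None or d < closest[0]):
            closest = (d, brand)
    return ("typosquat", closest[1]) if closest else ("unrelated", None)


# Constructed sample vault: registrable domain -> username (assumed data).
VAULT = {"wellpoint.com": "jdoe", "empireblue.com": "jdoe"}


def credentials_for(url: str, vault=VAULT):
    """Autofill rule: release credentials only when the page is served over
    https and its registrable domain exactly equals a stored one. A lookalike
    host such as we11point.com simply has no entry, so nothing is filled."""
    u = urlsplit(url)
    if u.scheme != "https" or not u.hostname:
        return None
    return vault.get(registrable(u.hostname))


if __name__ == "__main__":
    for d in ["wellpoint.com", "we11point.com", "empireb1ue.com", "wellp\u043eint.com",
              "welpoint.com", "wellpoint.net", "wellpoint-login.com", "example.org"]:
        print(f"{d:22} -> {classify(d)}")
    for url in ["https://www.wellpoint.com/login", "https://we11point.com/login",
                "http://wellpoint.com/login"]:
        print(f"{url:34} -> {credentials_for(url)}")
```

Run the file directly to see the verdict for each constructed domain. The two halves are complementary: `classify` is what a defender runs over newly registered domains or proxy logs to spot lookalikes, while `credentials_for` is the reason a user with a password manager never types a password into one; the homoglyph host fails the exact-domain lookup, and the http URL fails the scheme check, so both return None.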
Creating a significant and obvious target for hackers.

LastPass, without any hesitation. Been using it for years (premium version).

There are several to choose from, but I landed on SafeInCloud.

Except now you are giving the exact tools to hackers. What happens when malware running on your endpoint harvests your password locker?
I use LastPass premium across all my devices in addition to enabling two-factor auth on every service that offers it. Any time you use the cloud, you risk everything.
LastPass is by far the best in terms of ease of use and the methods they use to protect your security. For sensitive sites it should not auto-log in but force you to re-enter the pass phrase. For your sensitive sites, it should be set to prompt for the password to review the clear-text version of it. The best part is, I as an attacker now have a list of all the sites you're on. So password repositories can be a two-edged sword.
Some sites like your bank, brokerage or other sensitive accounts should have a solid pass phrase in your human storage unit only.
Password safety is a little bit difficult, and requires discipline to stay ahead of the curve, but consider the information your password safeguards (cards, address, retirement info, etc.).
Fred Schlip is right, and keep in mind coffee shop landing pages can be configured to grab all of your passwords without you even knowing it.

A password manager, however, is basically a prerequisite for safer online commerce. I use KeePass without any plugins; copy and paste works just fine, and KeePass clears your clipboard after a user-configurable delay.

Consider healthcare in the US. It is the most heavily regulated industry in the country by far.
For example, federal laws are requiring the open sharing of patient information between various electronic health record (EHR) software vendors. On the surface, the reasons are pure. Not to mention, how do you protect those sensitive communications from breaches…. This is a very real problem for healthcare IT departments to deal with.
What does this mean to a fraudster? Opportunity, my friends, opportunity. It is entirely possible that they WERE taking those steps. The Anthem breach without question exposed certain vulnerabilities. The logistics of having to identify the issue throughout hosts of servers and endpoints, identifying the best remedy, identifying the vendor from which to purchase it or developing it on your own, installing it, getting it to mesh with existing software, rolling it out to thousands of endpoints, etc.
Believe me, hackers know this. Stealing medical access credentials makes sense for a private-enterprise criminal group for resale to those without US medical insurance (uninsured citizens, illegal aliens, etc.). Millions of potential sales there.
Attias v. CareFirst, Inc.

Justia Opinion Summary: Plaintiffs filed suit against CareFirst after hackers allegedly stole sensitive customer information from the health insurer's data system, alleging tort, contract, and statutory claims.

Primary Holding: The D.C. Circuit held that it lacked appellate jurisdiction over the certified claims of the Tringler Plaintiffs and of the other plaintiffs in an action brought against CareFirst after hackers allegedly stole sensitive customer information from the health insurer's data system.

In regard to the non-Tringler claims, the court stated that it is unclear whether the district court would have certified these claims for immediate appeal had it properly declined to certify the claims of the Tringlers. Therefore, the court cannot determine whether the district court would have certified only the non-Tringler claims, much less whether it could have come up with a permissible justification for doing so.
Around 1. A second data breach took place in , when almost 7, customers had information compromised as part of an email phishing attack. Washington, D.C. Cyberattacks against health care groups have multiplied over the past year, in particular during the COVID-19 pandemic, with many groups seen as vulnerable targets by malicious cyber criminals.
The FBI and the Cybersecurity and Infrastructure Security Agency put out an alert in October warning that hackers were stepping up attacks on hospitals and health care providers. Another set of plaintiffs filed a similar federal class action in Maryland.
Article III of the U.S. Constitution requires a plaintiff to show an injury-in-fact in order to have standing. An injury-in-fact is an invasion of a legally protected interest that is (1) concrete, (2) particularized, and (3) actual or imminent, not conjectural or hypothetical. EPIC has a long history of advocating for consumers in data breach cases. EPIC has consistently highlighted the need to combat identity theft and ensure that businesses are properly incentivized to protect the data that they collect.
EPIC argued that while courts have routinely conflated injury-in-fact and consequential harm in their analysis of standing, proof of harm is not required under Article III. Related data breach cases in which EPIC has participated include one involving Toyota, Gubala v. Time Warner Cable in the 7th Circuit, and one involving Paytime, Inc. EPIC argued that consumers are facing an unprecedented threat from data breaches and the subsequent misuse of their personal data. EPIC also argued that consequential, downstream harms such as identity theft and financial fraud are irrelevant to whether data breach victims have standing to sue.
The campaign advocates for reduced identity theft and financial fraud and for investigations of the misuse of personal data. Spokeo v. Robins is an Article III standing case concerning statutory consumer privacy claims. Plaintiff Robins sued Spokeo for violating the Fair Credit Reporting Act by disclosing inaccurate information about him.
In May 2016, the Supreme Court concluded that the U.S. Court of Appeals for the Ninth Circuit had not adequately analyzed whether the alleged injury was concrete. EPIC has also repeatedly advised legislators about the need to provide strong protections for consumer data. EPIC emphasized the growing problem of data breaches and the likelihood that problems would get worse as more user data moves to cloud-based services. EPIC criticized the bill for preempting stronger state laws and for not adequately protecting personal information.
CareFirst reported the attack to the FBI and is cooperating with the investigation, the company says.