Skip to content

November 2017 Legal Report

​Judicial Decisions

DATA BREACHES. The heightened risk of future identity theft is sufficient to show standing to sue at the pleading stage in a lawsuit, a U.S. court of appeals ruled—becoming the second appellate court to reach this conclusion.

Health insurance company CareFirst experienced a cyberattack in 2014 and its customers’ personal information was allegedly stolen. Several CareFirst customers attributed the breach to the company’s “carelessness” and brought a punitive class action lawsuit against it, according to the suit.

The plaintiffs raised 11 state-law causes of action, including breach of contract, negligence, and violation of state consumer-protection statutes. They also argued that they suffered “an increased risk of identity theft as a result of the data breach,” court documents said.

A district court dismissed their case, however, because it said the risk of future injury was too speculative to establish injury—which would give them standing to sue CareFirst. 

The plaintiffs appealed the decision, which reached the U.S. Court of Appeals for the D.C. Circuit, to determine whether they had standing to sue.

“To demonstrate standing, a plaintiff must show that she has suffered an ‘injury in fact’ that is ‘fairly traceable’ to the defendant’s actions and that is ‘likely to be redressed’ by the relief she seeks,” the appellate court wrote.

Based on its assessment, the appellate court found that the plaintiffs had “plausibly alleged a risk of future injury that is substantial enough to create…standing.” 

The plaintiffs claimed that the sensitive data that CareFirst stored on them that was compromised placed them at high risk of financial fraud.

“CareFirst does not seriously dispute that plaintiffs would face a substantial risk of identity theft if their Social Security and credit card numbers were accessed by a network intruder, and, drawing on ‘experience and common sense,’ we agree,” the appellate court said.

“No long sequence of uncertain contingencies involving multiple independent actors has to occur before the plaintiffs in this case will suffer any harm; a substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken,” the appellate court added. “That risk…satisfies the requirement of an injury in fact.”

The appellate court reversed the district court’s dismissal and remanded the case for further proceedings. (Attias v. CareFirst, Inc., U.S. Court of Appeals for the D.C. Circuit, No. 16-7108, 2017)


CONTRACT SECURITY. A U.S. court of appeals remanded a lower court ruling and granted a new trial for a former Blackwater Worldwide Security guard convicted of killing Iraqi civilians in Baghdad in 2007. 

The U.S. Court of Appeals for the D.C. Circuit ruled that lower court judge Royce Lamberth should not have barred a statement by a codefendant during Nicholas Slatten’s original trial that said Slatten did not fire the first shot in what came to be known as the Nisur Square massacre.

The statement, the court of appeals said, should have been allowed and Slatten should have been tried separately from his three codefendants—Paul Slough, Evan Liberty, and Dustin Heard, also former Blackwater security personnel stationed in Iraq.

Instead, they were tried together and Slough, Liberty, and Heard were convicted of voluntary manslaughter, attempted manslaughter, and using and discharging a firearm in relation to a crime of violence. Slatten was convicted of first-degree murder.

Slatten was sentenced to life in prison, and Slough, Liberty, and Heard were sentenced to a mandatory minimum of 30 years in prison. 

Slatten appealed the ruling, and through the court process his case reached the appellate court where he challenged the lower court’s decision not to sever his trial from that of a codefendant and try him alone.

“Slatten argued for severance because he sought to introduce exculpatory evidence—the codefendant’s admission that he, not Slatten, initiated the Nisur Square attack by firing on [a vehicle]—evidence inadmissible in a joint trial with a codefendant,” the appellate court wrote in its opinion.

The district court denied Slatten’s request, which the appellate court said was wrong because the codefendant’s admissions were “vital to Slatten’s defense and possessed sufficient circumstantial guarantees of trustworthiness,” the appellate court explained. “Accordingly, because the district court erroneously denied severance, we reverse Slatten’s first-degree murder conviction…and remand his case for a new trial.”

The appellate court also ruled that Slough, Liberty, and Heard’s 30-year mandatory minimum sentence violated the Eighth Amendment prohibition against cruel and unusual punishment. It remanded their cases for resentencing. 

The four men were contracted through Blackwater in 2007 to provide security for the U.S. Department of State in Baghdad. While out on patrol in response to a car bombing, prosecutors said the defendants went on a shooting spree that killed 14 people and injured 17. The defense, however, argued that the guards feared they were under attack and fired in self-defense. (U.S. v. Slatten, U.S. Court of Appeals for the D.C. Circuit, #15-3078, 2017)​


United States

MEDICAL TESTING. The Federal Motor Carrier Safety Administration and Federal Railroad Administration withdrew a proposed rule to require truck drivers and train operators be tested for obstructive sleep apnea (OSA).

The agencies initially published the rule in March 2016 because OSA “can cause unintended sleep episodes and resulting deficits in attention, concentration, situational awareness, and memory, thus reducing the capacity to safely respond to hazards when performing safety sensitive duties.”

Instead of requiring tests, the agencies said the issue can be addressed through existing safety programs and rules, and that private companies can decide whether to test employees. 

The National Transportation Safety Board, however, criticized the decision to withdraw the proposed rule because OSA has been linked to 10 highway and rail accidents in the last 17 years, according to National Public Radio.​



ANONYMITY. Russian President Vladimir Putin signed into law amendments that prohibit the use of Internet proxy services and cut down the use of anonymous instant messaging services.

The amendment to the Federal Law on Information requires that Internet providers block websites that offer virtual private networks (VPNs) and other proxy services. The measure goes into effect on November 1, 2017.

Another amendment requires that instant messaging services create methods to identify users by their phone numbers. It also requires service providers to restrict access to their services, at the request of authorities, if users are sharing content considered illegal in Russia. The amendment goes into effect on January 1, 2018.​

United Kingdom.

DATA PROTECTION. U.K. Digital Minister Matt Hancock announced that the government will introduce new legislation aligning U.K. law more closely with the EU General Data Protection Regulation.

The Data Protection Bill is designed to give individuals greater control over their data by making it easier to withdraw consent for the use of personal data, allowing people to ask that their personal data held by companies be erased, and enable parents and guardians to give consent for their child’s data to be used.

The bill also expands the definition of personal data to include IP addresses, Internet cookies, and DNA; makes it easier and free for individuals to require an organization to disclose the personal data it holds on them; and makes it easier for customers to move data between service providers.

The bill will also phase out the use of “opt-out” boxes, which many organizations rely on their users to select should they not want their personal information collected. Instead, organizations will have to have “explicit” consent to process sensitive personal data.

The U.K. Information Commissioner’s Office (its data protection regulator) will also be given more power to defend consumer interests and issue fines of up to £17 million (about $22 million) or 4 percent of global turnover for the most serious data breaches.

“Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account,” Hancock said in a statement.​

United States.

RECOVERY. U.S. President Trump signed into law legislation that authorizes the U.S. Capitol Police Board to make payments to the U.S. Capitol Police Memorial Fund.

The Wounded Officers Recovery Act of 2017 (P.L. 115-45) allows these payments to then be given to families of U.S. Capitol Police employees who were killed in the line of duty or sustained serious line-of-duty injuries.

The legislation was passed and enacted in response to a shooting in Alexandria, Virginia, that targeted members of Congress who were practicing for the annual Congressional Baseball Game. 

“In light of the attack on the Congressional Republicans’ baseball practice last month, in which two Capitol Police officers were wounded while bravely working to stop the gunman, we believe that the law should be amended to allow the fund to provide similar support to U.S. Capitol Police officers seriously injured in the line of duty,” said U.S. Representative Mike Doyle (R-PA), who cosponsored the bill.​

Elsewhere in the Courts

TERRORISM. The EU Court of Justice overturned a General Court ruling, allowing Hamas to remain on the EU bloc’s terrorism blacklist. The lower court had ruled in 2014 that there was not sufficient evidence to keep travel bans and asset freezes on Hamas in place. The Court of Justice, however, found that the General Court had not relied on “national decisions by competent authorities” to remove Hamas from the blacklist. The Court of Justice referred the case back to the General Court so it could “examine the facts and arguments on which it did not rule” in its previous judgment, according to a press release. (Council v. LTTE and Council v. Hamas, EU Court of Justice, Nos. C-599/14 P and C-79/15 P, 2017)

DISCRIMINATION. A U.S. federal judge rejected a $22.8 million settlement between Lockheed Martin Corp., and a group of 5,500 black workers to resolve a proposed class race discrimination lawsuit. Judge Ketanji Brown Jackson wrote that the settlement raised “fairness-related red flags” for the workers because it would force them to give up all race bias claims against Lockheed, not just those that were the focus of the lawsuit. The lawsuit claimed that Lockheed’s performance review system had a disparate impact in the pay, promotion, and retention of salaried black workers below the level of vice president during a three-year period. (Ross v. Lockheed Martin Corp, U.S. District Court for the District of Columbia, No. 1:16-cv-02508-KBJ, 2017)

HARASSMENT. Ford Motor Company agreed to pay up to $10.1 million to settle a sex and race harassment investigation by the U.S. Equal Employment Opportunity Commission (EEOC). In an investigation, the EEOC “found reasonable cause to believe that personnel at two Ford facilities in the Chicago area…had subjected female and African American employees to sexual and racial harassment,” the EEOC said in a press release. It also found that Ford retaliated against employees who spoke out about the treatment. In addition to monetary relief, Ford will conduct regular training at the two facilities, disseminate anti-harassment and anti-discrimination policies and procedures, report to the EEOC harassment and discrimination complaints, and monitor its workforce for issues of alleged sexual or racial harassment and discrimination.​