[BreachExchange] If Data is Exposed But No One is Around to Steal It, Can a Data-Breach Plaintiff Still Sue?

Destry Winant destry at riskbasedsecurity.com
Mon Dec 24 08:47:49 EST 2018


https://www.lexology.com/library/detail.aspx?g=fcef0595-ffcb-4b54-b91c-d60fb3873335

We talk a lot on this blog about data-breach lawsuits that arise from
breaches in which a hacker targeted and stole personal information
from a business.

Also common, though, are situations in which a business fails to
secure data, but then discovers and corrects the issue before hackers
steal anything. As we’ve noted before, these “exposure without
disclosure” cases can lead to enforcement actions by privacy and
data-security regulators like the FTC—despite a seeming absence of
harm to individual consumers.

But can they also form the basis for a private lawsuit?

A recent decision from a federal court in Ohio explores that question.
This post examines that decision, called Williams-Diggins v. Mercy
Health.

Showing no mercy

Mercy Health is a large health system that operates across Ohio and
Kentucky. Like many healthcare providers, Mercy operates and maintains
online portals through which patients can access their medical
information.

In 2016, Lindsey Williams-Diggins, a Mercy patient, filed a federal
lawsuit against Mercy that alleged Mercy’s patient portal suffered
from critical security vulnerabilities. Computer security experts, the
complaint alleged, had identified those vulnerabilities years earlier,
and they were well known in the industry. Williams-Diggins alleged
that because of Mercy’s failure to identify and correct the
vulnerabilities, “sensitive medical information . . . has been exposed
and is a great risk of further unauthorized disclosure (if it hasn’t
already been disclosed).”

Three days after the complaint was filed, Mercy had fixed the vulnerability.

Williams-Diggins then filed an amended complaint that acknowledged
Mercy fixed the vulnerabilities after he filed the lawsuit. But he
still asserted claims for breach of contract, unjust enrichment,
breach of confidence, and violation of Ohio’s Consumer Sales
Protection Act. Those claims centered on two theories:

1. An “increased risk of future harm” theory, under which Mercy’s lax
   data security measures and the corresponding “exposure” of its
   patients’ sensitive health information before the vulnerability was
   fixed put them at greater risk of identity theft; and

2. An overpayment theory, under which patients who paid for Mercy’s
   healthcare services received “diminished value” for those services
   when Mercy failed to protect their health information.

No harm no foul?

Mercy moved to dismiss under Rules 12(b)(1) and 12(b)(6). Its
arguments centered on two themes.

First, argued Mercy, Williams-Diggins could not establish an
injury-in-fact sufficient to establish Article III standing.
Williams-Diggins had not alleged that his or anyone else’s data was
accessed or stolen, and thus any risk of future identity theft was too
speculative.

Second, Mercy argued that Williams-Diggins’ overpayment theory failed
because he had alleged no facts to show that the parties bargained for
data security measures as part of Mercy’s delivery of healthcare
services. And even if they had, Williams-Diggins’ failure to allege
that his data was accessed or stolen left him “in the very same
position . . . that he would have been even if the alleged failure he
[was] complaining about never existed.”

The court’s decision

The court agreed with Mercy and dismissed the action for lack of standing.

To reach that result, the court first looked to the Supreme Court’s
decision in Clapper v. Amnesty International. Williams-Diggins,
observed the court, had only alleged that his information “might” have
been accessed improperly. And that allegation, concluded the court,
reflected only a “possible future injury” that relied on a “speculative
chain of possibilities.” Clapper held that such an injury is not an
injury-in-fact under Article III.

The court then turned to Williams-Diggins’ overpayment theory. Even
taking his allegations as true, reasoned the court, Williams-Diggins
paid only for the expectation that Mercy would not disclose his
information to unauthorized third parties. And this, explained the
court, “was what he received.” Although Mercy’s approach to data
security may have been “clumsy,” it was also harmless. As a result,
there was no “overpayment” for services that could confer standing.

An important limit on overpayment theories?

As we’ve discussed before, overpayment theories have become popular
with data-breach plaintiffs seeking to clear Article III’s standing
hurdle. Those theories may have legs when there’s been an actual data
breach. But when it comes to “exposure without disclosure” cases,
Mercy Health gives defendants a strong argument that plaintiffs got
what they paid for.
