[BreachExchange] Mortgage Provider Obtains Dismissal of Data Privacy Class Action Litigation Concerning Two Data Breaches

Destry Winant destry at riskbasedsecurity.com
Mon Mar 29 10:24:53 EDT 2021


natlawreview.com/article/mortgage-provider-obtains-dismissal-data-privacy-class-action-litigation-concerning

While the number of data breach litigations is on the rise, CPW has
been tracking another trend—dismissal of inadequate data breach
complaints.  For the latest and greatest in this area of the law, read
on below.  Darnell v. Order Wyndham Capital Mortg., 2021 U.S. Dist.
LEXIS 55490 (W.D.N.C. Mar. 24, 2021).

Defendant Wyndham is a nationwide mortgage provider incorporated in
North Carolina.  Plaintiff allegedly applied for and received a home
loan from Defendant in January of 2020.  Shortly thereafter Defendant
allegedly “sold” Plaintiff’s mortgage loan to another company.
Several months later, in October 2020, Defendant sent multiple “Notice
of Data Incident” disclosures to regulators.  The first notice
provided:

This correspondence is to notify you of [a] potential security issue
caused by a recent single occurrence of user error.  On September 18,
2020, an email containing personal information was sent in error to an
email account not belonging to [Defendant].  [Defendant] has no
evidence that this email was opened or that the information has been
used. . . .

A second notice was one week later, which additionally disclosed a
phishing scam “which allowed access to [the email account of one of
Defendant’s employees] for a limited period of time.”  The second
notice additionally provided that “[Defendant] has put additional
protections in place to keep this from happening again, has provided
additional training to employees, and continues to strengthen system
controls and monitoring.”

In the wake of these disclosures, Plaintiff filed a putative class
action lawsuit against Defendant, asserting claims for (1) negligence;
(2) violation of Florida’s Unfair and Deceptive Trade Practices Act;
(3) unjust enrichment; (4) breach of implied contract; (5) breach of
confidence; and (6) a declaratory judgment that Defendant’s data
security protocols are insufficient as a matter of law.

Plaintiff alleged that, once he was made aware of the data incidents,
he began to monitor his financial accounts and suffered from “great
anxiety.”  Plaintiff alleged the following injuries: “(a) damages to
and diminution in the value of his [personally identifiable
information]—a form of intangible property that the Plaintiff
entrusted to [Defendant] as a condition of his employment; (b) loss of
his privacy; and (c) imminent and impending injury arising from the
increased risk of fraud and identity theft.”

Defendant moved to dismiss both for lack of standing and for failure
to state a claim.  The Court agreed with Defendant that Plaintiff
lacked Article III standing, which meant the Court lacked subject
matter jurisdiction to hear the case.

In regards to Plaintiff’s first “injury”—in the form of “damages to
and diminution in the value of his PII”—the Court observed “[i]t is
not clear from the Complaint exactly how the exposure of Plaintiff’s
PII has damaged or diminished its value.”  However, the Court assumed
“Plaintiff is prevented from realizing the full extent of his PII’s
value if it has been potentially exposed to cyber criminals.”  Even
with this assumption, however, this purported harm was inadequate for
purposes of establishing Plaintiff’s standing.  This was because, the
Court explained, “the exposure of PII, without more, is sufficient to
confer Article III standing.”

Plaintiff’s alleged loss of privacy fared no better.  The Court held
that “the factual allegations related to this asserted injury suffer
from the same deficiencies . . . Plaintiff alleges nothing more than
the ‘mere compromise’ of his PII and a resulting loss of privacy,
which is too abstract of an injury to satisfy standing requirements.”

Plaintiff’s remaining allegations of injury were also insufficient.
The Plaintiff asserted that “he has been injured because the exposure
of his PII has left him with the ‘imminent and impending [risk] of
fraud and identity theft.’”  As a result of this speculative risk of
future harm, Plaintiff also alleged that he “spent time routinely
reviewing his credit monitoring service results and reports.”
However, Plaintiff neither alleged actual misuse of his PII, nor
alleged his PII was intentionally targeted.  This omission was
significant to the Court as “to the extent any injury or allegation is
based on the accidental data breach, Plaintiff has not sufficiently
alleged injury-in-fact.”

Insofar as the phishing data incident was concerned, Plaintiff’s
allegations fared no better.  The Court found that they were based on
the same “attenuated chain of possibilities” that other courts had
rejected as establishing standing.  In order for Plaintiff’s
allegations to pass muster, the Court would be required to assume
that: “(1) the phishing attempt intentionally targeted the PII
belonging to Defendant’s clients rather than other information
potentially stored on Defendant’s servers; (2) the reactionary steps
taken by Defendant in an effort to protect against the phishing
attempt failed, and clients’ PII was taken by hackers; (3) Plaintiff’s
PII was among the PII taken by the hackers; and (4), hackers have
attempted or will attempt to use Plaintiff’s, as opposed to anyone
else’s, PII to steal his identity.”  This was several steps too far
for the Court (as it probably is for many CPW readers).

Another day, another data breach litigation dismissed at the pleading
stage.  Whether Plaintiff will refile the litigation in state court
(where satisfaction of Article III is not required) remains to be
seen.  Regardless of what happens, not to worry: CPW will be there.
