[BreachExchange] Federal Court Dismisses Data Breach Litigation

Matthew Wheeler mwheeler at flashpoint-intel.com
Mon Apr 11 09:07:39 EDT 2022


https://www.natlawreview.com/article/federal-court-dismisses-data-breach-litigation

Federal Court Dismisses Data Breach Litigation

Thursday, April 7, 2022

Recently, a federal court in Kansas joined a number of other courts in
finding that allegations of future, speculative harm unadorned with actual
theft or misuse of personal information are insufficient to establish
Article III standing.

In Ex rel Situated v. Med-Data Inc., Case No. 21-2301-DDC-GEB, 2022 U.S.
Dist. LEXIS 60555 (D. Kan. Mar. 31, 2022), Plaintiff C.C. (“Plaintiff”)
filed a class action lawsuit against Defendant Med-Data (“Med-Data”), a
health care provider, arising out of a data event in which Plaintiff’s and
tens of thousands of others’ patient protected health information (“PHI”)
and personally identifiable information (“PII”) was disclosed. Plaintiff
was a patient of one of Med-Data’s “business associates” and provided her
PII and PHI to Med-Data as a result. On or around March 31, 2021, Plaintiff
received a notice of the data event, notifying her that her PII and PHI
were “uploaded to a public facing website” and the data “was stolen,
compromised, and wrongfully disseminated without authorization.” The
impacted information included names, social security numbers, physical
addresses, dates of birth, telephone numbers, medical conditions, and
diagnoses.

Based on the data event, Plaintiff asserted seven claims against Med-Data:
outrageous conduct, breach of implied contract, negligence, invasion of
privacy by public disclosure of private facts, breach of fiduciary duty,
negligent training and supervision, and negligence per se. Plaintiff filed
suit in a district court in Kansas, but Med-Data removed the case to
federal court under the Class Action Fairness Act (CAFA). Med-Data filed a
motion to dismiss for failure to state a claim under Federal Rule of Civil
Procedure 12(b)(6), but the court held that it was required to address
Plaintiff’s Article III standing before resolving the motion to dismiss.
The court ultimately dismissed the case for lack of standing.

Article III standing is required to establish a federal court’s subject
matter jurisdiction over a particular dispute. This requires three things:
“(1) an ‘injury in fact—an invasion of a legally protected interest which
is (a) concrete and particularized, and (b) actual or imminent, not
conjectural or hypothetical[;]’ (2) ‘a causal connection between the injury
and the conduct complained of—the injury has to be fairly . . . trace[able]
to the challenged action of the defendant, and not . . . th[e] result [of]
the independent action of some third party not before the court[;]’ and (3)
that it is ‘likely, as opposed to merely speculative, that the injury will
be redressed by a favorable decision.’” At the pleadings stage, a plaintiff
need only generally allege facts demonstrating each element of Article III
standing.

In addressing whether the Plaintiff had standing, the court noted that
“[d]ata breach cases present unique standing issues,” surveying the circuit
split on the issue. Whereas the Fourth, Sixth, Seventh, Ninth, and D.C.
Circuits found that plaintiffs suffer an injury in fact for purposes of
Article III standing by virtue of having been a victim of a data breach
that resulted in an increased likelihood that their data would actually be
misused, the Second, Third, Eighth, and Eleventh Circuits require
plaintiffs to allege that their data was actually misused or intentionally
taken by an unauthorized third party.

Ultimately, the court found that Plaintiff’s allegations had failed to
establish Article III standing. In so holding, it noted that the Tenth
Circuit has yet to address the issue, and thus, the court “predict[ed] that
the Tenth Circuit, if presented with the facts alleged in [the] case, would
follow the line of cases where outcome depends on whether plaintiffs have
alleged misuse of their data.” The court relied upon the Supreme Court’s
precedents in Clapper and TransUnion, concluding that a risk of future harm
is insufficient to confer standing. Notably, however, the court emphasized
that “a data breach plaintiff may establish standing on the basis of an
increased risk of identity theft or identity fraud,” but that a plaintiff
must nevertheless allege sufficient facts to show that the risk is
“concrete, particularized, and imminent.”

Here, Plaintiff alleged six forms of damages, all of which the court found
to be insufficient:

1. The “imminent, immediate and continuing risk of identity theft, identity
   fraud and/or medical fraud[;]”

2. “[O]ut-of-pocket expenses to purchase credit monitoring, internet
   monitoring, identity theft insurance, and/or other Breach risk mitigation
   products[;]”

3. “[O]ut-of-pocket expenses incurred to mitigate the increased risk of
   identity theft, identity fraud and/or medical fraud pressed upon them by
   the Breach, including the costs of placing a credit freeze and subsequently
   removing a credit freeze[;]”

4. The “value of their time spent mitigating the increased risk of identity
   theft, identity fraud and/or medical fraud pressed upon them by the
   Breach[;]”

5. The “lost benefit of their bargain when they paid for their privacy to be
   protected and it was not[;]” and

6. Loss of privacy.

As an initial matter, the court held that HIPAA cannot be the basis for
standing, as it does not create a private right of action. The court then
noted that the risk of identity theft or fraud was insufficient, as a “mere
compromise of personal information, without more, fails to satisfy the
injury-in-fact element in the absence of identity theft” and, at best,
alleged a risk of future harm.

The court likewise held that the mitigation costs were insufficient, as
“plaintiff cannot ‘manufacture standing merely by inflicting harm on
[herself] based on [her] fears of hypothetical future harm that is not
certainly impending.’” Critically, the court explained that “while it may
have been reasonable to take some steps to mitigate the risks associated
with the data breach, those actions cannot create a concrete injury where
there is no imminent threat of harm.”

Plaintiff’s benefit-of-the-bargain theory was also rejected on the grounds
that she failed to allege what part of her payment to Med-Data’s business
associates was for data security purposes, and thus, “[s]uch a claim is
too flimsy to support standing.”

Finally, the court held that Plaintiff’s loss-of-privacy allegations in
support of her invasion of privacy tort were insufficient to establish
standing because “plaintiff hasn’t alleged a concrete harm resulted from
this publicity [of her PII and PHI]” and “[s]he hasn’t alleged any harm to
her reputation from the alleged breach.” “In sum, Plaintiff’s standing
problem here is a familiar one: she hasn’t alleged any concrete or
particularized harm from her alleged loss of privacy. Her loss of privacy,
in and of itself, is not a concrete harm that can provide the basis for
Article III standing.” Finding that Plaintiff lacked standing, the court
remanded the case to the state court rather than dismissing it outright.

This case is yet another example of courts holding that allegations of
generalized, speculative harm will not suffice for purposes of Article III.
Federal courts have shown, and continue to show, their willingness to
dismiss (or, for cases removed from state court, remand) data privacy cases
at the pleadings stage for lack of standing. This most recent ruling is
another example of that trend.