Data breaches: How to determine plaintiff's standing

Issue November/December 2016 By Deborah W. Hemdal

Your doctor and your medical insurer are supposed to keep your health information private. But sometimes they don't. Sometimes a company like Anthem, Excellus, or Premera gets hacked and the patients' personal health information goes … well, no one really know where it goes, or who is using it. And that's the problem.

If someone stole your identity, and the theft could be traced to a specific data breach, and you lost money as a result, then you'd have an easy claim. But what compensable damages have you suffered if some Russian hacker learns you have a prescription for Lipitor?

Presumably, when legislators enacted HIPAA and other data privacy laws, they were trying to protect the public from some particular kind of harm. When they used the phrase, "protected health information," we can assume they intended that health information should be protected. We assume that they realized the release of the data itself is harmful. Yet HIPAA provides no remedy to a patient whose protected information was actually not protected.

Or what if your credit card data was exposed from a data breach at a large retailer such as Target, Home Depot, Neiman-Marcus, or TJX. Have you been harmed in a legally-compensable way if your credit card issuer refunded any fraudulent charges and replaced your card?

The question is whether there is any way to address the harm caused by the release of personal data - the disclosure itself - if you can't prove concrete harm.

Standing

A plaintiff does not have to suffer actual tangible harm to have standing in a data breach case. But standing requires "concrete" harm. The harm can be intangible, and "the risk of real harm" may be enough. But that does not mean that a plaintiff automatically gets standing whenever a statute grants a person a statutory right and authorizes that person to sue to vindicate that right. Spokeo v. Robins, 136 S.Ct. 1540 (2016). The risk of harm has to be imminent. However, while "… imminence is … a somewhat elastic concept, it cannot be stretched beyond its purpose. … " Clapper v. Amnesty International USA, 133 S.Ct. 1138, 1147 (2013)

How elastic is the definition of "imminent harm." Unfortunately, not elastic enough to admit a claim in the usual data breach case - where there is no proof of identity theft but a real risk exists due to the carelessness of the defendant. In the case of Attias v. CareFirst Inc., 2016 WL 4250232 (D.D.C. 2016), the court said that the "increased risk of future identity theft or fraud is too speculative to confer standing." The court went on say that a plaintiff "cannot create standing by inflicting harm on themselves … by purchasing credit-monitoring services … to ward off an otherwise speculative injury."

This is a remarkable opinion. The custodian of the data puts the plaintiff at risk of identity theft. The plaintiff cannot mitigate its potential damages and avoid the type of harm that might justify a lawsuit by taking the inexpensive and sensible step of signing up for a credit monitoring service. Taking steps to avoid harm would be "self-inflicted" harm.

We value our privacy. We don't want people to know what drugs we take, what surgeries we need, or how much we owe Visa. But the risk of embarrassment isn't enough to confer standing under these cases.

Apart from the fear of disclosure, what we mainly fear from a data breach is that someone will steal our identity. Is identity theft a sufficient basis for standing?

Maybe yes, maybe no. In a case of first impression, the Eleventh Circuit Court found that a victim of actual identity theft from a data breach had standing to assert a claim. Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012). The Court however fudged and did not clarify whether or not merely suffering an identity theft was enough to convey standing or whether actual monetary damages were needed.

Traditional Remedies

Given the uncertainty about how harm can be both "concrete" and "elastic," plaintiffs must find a way to show harm or imminent harm traceable to the data breach. Plaintiffs' attorneys must find traditional causes of action that work to confer standing. Several different causes of action are pleaded in data breach cases. These include breach of contract, breach of fiduciary duty, invasion of privacy, negligence, and causes allowed under various consumer protection laws. Some of the counts in these cases are now surviving motions to dismiss.

In Smith v. Triad, 2015 WL 5793318 (M.D. Ala., 2015) the Court allowed the contract claims, negligence claims, and claims under the Fair Credit Reporting Act to continue in a data breach case.

In an ongoing suit against Boston Medical Center, the plaintiffs pleaded invasion of privacy, breach of confidentiality, breach of fiduciary duty, negligence, negligent supervision, breach of implied contract and breach of contract against a third party transcription service. The suit survived an initial motion to dismiss. The court allowed the suit to continue to the discovery stage. "Where, as here, plaintiffs allege facts that, if true, suggest a real risk of harm from the data breach at BMC, I conclude that the standing question should await a fuller record and be decided upon a motion for summary judgment." Walker v. Boston Medical Center Corp., 33 Mass.L.Rptr. 179 *2 (2015).

In another case, plaintiffs to were permitted to assert contract claims arising from a data breach affecting up to 80 million customers of the nation's second largest health insurer. The claims were based on notices incorporated into the health insurance policies, promising to keep information private. Using precedents from cases against Adobe, Facebook, and Google, the court ruled that it is possible to sue for damages based on loss of value in personally identifiable information (PII). In re Anthem, 2016 WL 3029783 (N.D. Cal. 2016). While this finding rests on California cases, other courts have held that the theft of PII is actionable only if stolen for fraudulent and improper purposes. (See Remijas v. Neiman Marcus Gp., LLC, 794 F.3d 688, 693 (7th Cir. 2015))

Recovery for the theft of PII depends on state law. State laws vary in whether or not plaintiffs are allowed to recover for economic losses based on theft of PII. One of the Plaintiffs in Anthem resided in New Jersey. The Court found no equivalent case law or statutes that would allow this Plaintiff to recover for damages based on loss of PII. In a more recent case, Longenecker-Wells v. Benecard Services Inc.), the U.S. Court of Appeals for the Third Circuit ruled the Pennsylvania's economic loss doctrine barred the Plaintiff's negligence claim. This decision is noted as not being available for precedent. However, it does illustrate how judges are thinking about cases involving data breaches.

The D.C. District Court reached a similar conclusion in Attias v. CareFirst, 2016 WL 4250232 (D.D.C. 2016). The Court considered the finding in Clapper that impending harm was enough to confer standing. The Court said that merely having one's personal information stolen in a data breach is insufficient to establish standing.

Since these cases are still working their way through the courts, it is too early to tell how many of these cases will survive the discovery phase in which specific damages must be found.

Innovative Use of HIPAA Standards

In Acosta v. Byrum, 638 S.E.2d 246 (2006), the North Carolina Court of Appeals allowed the plaintiffs to argue that the privacy provisions in HIPAA created a standard of care for that physicians must follow in safeguarding patient information. This case involved the release of information for only one person in the physician's practice for the sole purpose of harming that person. However, the idea that HIPAA could create a standard of care for protecting patient information was enough for others to try using it. While this argument has not gained popularity, it was used successfully in Emily Byrne v. Avery Center for Obstetrics and Gynecology, 314 Conn. 433 (2013). Again, this was an individual suing a health care provider for negligence and using HIPAA as the standard of care for protecting private information. This may provide another avenue for individuals suing their health care provider.

Conclusion

There are several lessons to be learned from these cases. To be successful, plaintiffs should bring contract claims based on state law and relating to privacy statements. Plaintiffs cannot rely solely on federal claims. The federal courts hold that the threat of harm from a data breach is too uncertain to confer standing. However, state claims based on breach of contract and other causes of action have survived 12(b) Motions to Dismiss.

Some courts are realizing that they have to stretch the definition of "imminent harm" in data breach cases. As courts have noted, harm in a data breach case is often not immediate or even traceable to one event. The data collected may not be used at once or ever. However, the threat is always present that the PII will be used.

The real harm in these cases is not always concrete or imminent. It is the disclosure of what is private and the likelihood - not easy to quantify - that the information will be used in the future for nefarious purposes. The definition of harm must be expanded to include this possibility. Legislatures should design and enact laws that create a cause of action against companies for data breaches and include mandatory minimum damages.

Until this happens, attorneys should continue to use current laws and common law contract breaches in creative ways to sue for damages in data breach cases.

Other Articles in this Issue: