Your doctor and your medical insurer are supposed to keep your
health information private. But sometimes they don't. Sometimes a
company like Anthem, Excellus, or Premera gets hacked and the
patients' personal health information goes … well, no one really
knows where it goes, or who is using it. And that's the problem.
If someone stole your identity, and the theft could be traced to
a specific data breach, and you lost money as a result, then you'd
have an easy claim. But what compensable damages have you suffered
if some Russian hacker learns you have a prescription for
Lipitor?
Presumably, when legislators enacted HIPAA and other data
privacy laws, they were trying to protect the public from some
particular kind of harm. When they used the phrase, "protected
health information," we can assume they intended that health
information should be protected. We assume that they realized the
release of the data itself is harmful. Yet HIPAA provides no remedy
to a patient whose protected information was actually not
protected.
Or what if your credit card data was exposed in a data breach
at a large retailer such as Target, Home Depot, Neiman-Marcus, or
TJX? Have you been harmed in a legally compensable way if your
credit card issuer refunded any fraudulent charges and replaced
your card?
The question is whether there is any way to address the harm
caused by the release of personal data - the disclosure itself - if
you can't prove concrete harm.
Standing
A plaintiff does not have to suffer actual tangible harm to have
standing in a data breach case. But standing requires "concrete"
harm. The harm can be intangible, and "the risk of real harm" may
be enough. But that does not mean that a plaintiff automatically
gets standing whenever a statute grants a person a statutory right
and authorizes that person to sue to vindicate that right.
Spokeo v. Robins, 136 S.Ct. 1540 (2016). The risk of harm
has to be imminent. However, while "… imminence is … a somewhat
elastic concept, it cannot be stretched beyond its purpose. … "
Clapper v. Amnesty International USA, 133 S.Ct. 1138, 1147
(2013).
How elastic is the definition of "imminent harm"? Unfortunately,
not elastic enough to admit a claim in the usual data breach case -
where there is no proof of identity theft but a real risk exists
due to the carelessness of the defendant. In the case of Attias
v. CareFirst Inc., 2016 WL 4250232 (D.D.C. 2016), the court
said that the "increased risk of future identity theft or fraud is
too speculative to confer standing." The court went on to say that a
plaintiff "cannot create standing by inflicting harm on themselves
… by purchasing credit-monitoring services … to ward off an
otherwise speculative injury."
This is a remarkable opinion. The custodian of the data puts the
plaintiff at risk of identity theft. The plaintiff cannot mitigate
its potential damages and avoid the type of harm that might justify
a lawsuit by taking the inexpensive and sensible step of signing up
for a credit monitoring service. Taking steps to avoid harm would
be "self-inflicted" harm.
We value our privacy. We don't want people to know what drugs we
take, what surgeries we need, or how much we owe Visa. But the risk
of embarrassment isn't enough to confer standing under these
cases.
Apart from the fear of disclosure, what we mainly fear from a
data breach is that someone will steal our identity. Is identity
theft a sufficient basis for standing?
Maybe yes, maybe no. In a case of first impression, the Eleventh
Circuit Court found that a victim of actual identity theft from a
data breach had standing to assert a claim. Resnick v. AvMed,
Inc., 693 F.3d 1317 (11th Cir. 2012). The Court, however, fudged
and did not clarify whether merely suffering an identity
theft was enough to confer standing or whether actual monetary
damages were needed.
Traditional Remedies
Given the uncertainty about how harm can be both "concrete" and
"elastic," plaintiffs must find a way to show harm or imminent harm
traceable to the data breach. Plaintiffs' attorneys must find
traditional causes of action that work to confer standing. Several
different causes of action are pleaded in data breach cases. These
include breach of contract, breach of fiduciary duty, invasion of
privacy, negligence, and causes allowed under various consumer
protection laws. Some of the counts in these cases are now
surviving motions to dismiss.
In Smith v. Triad, 2015 WL 5793318 (M.D. Ala., 2015)
the Court allowed the contract claims, negligence claims, and
claims under the Fair Credit Reporting Act to continue in a data
breach case.
In an ongoing suit against Boston Medical Center, the plaintiffs
pleaded invasion of privacy, breach of confidentiality, breach of
fiduciary duty, negligence, negligent supervision, breach of
implied contract and breach of contract against a third party
transcription service. The suit survived an initial motion to
dismiss. The court allowed the suit to continue to the discovery
stage. "Where, as here, plaintiffs allege facts that, if true,
suggest a real risk of harm from the data breach at BMC, I conclude
that the standing question should await a fuller record and be
decided upon a motion for summary judgment." Walker v. Boston
Medical Center Corp., 33 Mass.L.Rptr. 179 *2 (2015).
In another case, plaintiffs were permitted to assert contract
claims arising from a data breach affecting up to 80 million
customers of the nation's second largest health insurer. The claims
were based on notices incorporated into the health insurance
policies, promising to keep information private. Using precedents
from cases against Adobe, Facebook, and Google, the court ruled
that it is possible to sue for damages based on loss of value in
personally identifiable information (PII). In re Anthem,
2016 WL 3029783 (N.D. Cal. 2016). While this finding rests on
California cases, other courts have held that the theft of PII is
actionable only if stolen for fraudulent and improper purposes.
(See Remijas v. Neiman Marcus Gp., LLC, 794 F.3d 688, 693
(7th Cir. 2015))
Recovery for the theft of PII depends on state law. State laws
vary in whether or not plaintiffs are allowed to recover for
economic losses based on theft of PII. One of the Plaintiffs in
Anthem resided in New Jersey. The Court found no
equivalent case law or statutes that would allow this Plaintiff to
recover for damages based on loss of PII. In a more recent case,
Longenecker-Wells v. Benecard Services Inc., the U.S.
Court of Appeals for the Third Circuit ruled that Pennsylvania's
economic loss doctrine barred the Plaintiff's negligence claim.
This decision is designated as non-precedential.
However, it does illustrate how judges are thinking about cases
involving data breaches.
The D.C. District Court reached a similar conclusion in
Attias v. CareFirst, 2016 WL 4250232 (D.D.C. 2016). The
Court considered the finding in Clapper that impending harm was
enough to confer standing. The Court said that merely having one's
personal information stolen in a data breach is insufficient to
establish standing.
Since these cases are still working their way through the
courts, it is too early to tell how many of these cases will
survive the discovery phase in which specific damages must be
found.
Innovative Use of HIPAA Standards
In Acosta v. Byrum, 638 S.E.2d 246 (2006), the North
Carolina Court of Appeals allowed the plaintiffs to argue that the
privacy provisions in HIPAA created a standard of care that
physicians must follow in safeguarding patient information. This
case involved the release of information about only one person in the
physician's practice, for the sole purpose of harming that person.
However, the idea that HIPAA could create a standard of care for
protecting patient information was enough for others to try using
it. While this argument has not gained popularity, it was used
successfully in Emily Byrne v. Avery Center for Obstetrics and
Gynecology, 314 Conn. 433 (2013). Again, this was an
individual suing a health care provider for negligence and using
HIPAA as the standard of care for protecting private information.
This may provide another avenue for individuals suing their health
care provider.
Conclusion
There are several lessons to be learned from these cases. To be
successful, plaintiffs should bring contract claims based on state
law and relating to privacy statements. Plaintiffs cannot rely
solely on federal claims. The federal courts hold that the threat
of harm from a data breach is too uncertain to confer standing.
However, state claims based on breach of contract and other causes
of action have survived 12(b) Motions to Dismiss.
Some courts are realizing that they have to stretch the
definition of "imminent harm" in data breach cases. As courts have
noted, harm in a data breach case is often not immediate or even
traceable to one event. The data collected may not be used at once
or ever. However, the threat is always present that the PII will be
used.
The real harm in these cases is not always concrete or imminent.
It is the disclosure of what is private and the likelihood - not
easy to quantify - that the information will be used in the future
for nefarious purposes. The definition of harm must be expanded to
include this possibility. Legislatures should design and enact laws
that create a cause of action against companies for data breaches
and include mandatory minimum damages.
Until this happens, attorneys should continue to use current
laws and common law contract breaches in creative ways to sue for
damages in data breach cases.