A recent decision from the Supreme Court of New York confirms that to survive dismissal, plaintiffs in data breach actions must establish injury-in-fact through a showing of actual or imminent harm.  In evaluating whether an alleged harm arising from a data breach is actual or imminent, New York courts apply a five-factor balancing test.  Under this test, even if a plaintiff’s personal information is exfiltrated during a hack, mere speculation about the prospect of future harm is insufficient to confer standing.

In Keach v. BST & Co. CPAs, LLP, 2021 N.Y. Slip Op 50273(U) (Sup. Ct., Albany County 2021), plaintiffs brought suit against BST & Co. CPAs, LLP (“BST”), an accounting and consulting firm, and Community Care Physicians, P.C. (“CCP”), a large medical practice, following a data breach, in which hackers obtained access to BST’s client data, which included the personal information of 170,000 current and former patients of CCP.  Plaintiffs asserted nine causes of action, alleging that theft of their names, dates of birth, and medical billing and health insurance information exposed them to a “heightened and imminent risk of fraud and identity theft.”

In response, defendants argued that plaintiffs did not establish injury-in-fact, as they “rely exclusively on the speculative possibility of harm that could occur in the future.”  The Court held that, as with Article III standing, the claimed injury must be “actual or imminent” to establish injury-in-fact, and cannot be “tenuous,” “ephemeral,” or based on mere conjecture or speculation.  “In evaluating whether plaintiffs in a data breach case have alleged an actual injury or the imminent prospect thereof, the New York courts have looked to five principal factors: (1) the type of personal information that was compromised; (2) whether hackers were involved in the data breach or personal information otherwise was targeted; (3) whether personal information was exfiltrated, published and/or otherwise disseminated; (4) whether there have been any incidents of, or attempts at, identity theft or fraud using the compromised personal information; and (5) the length of time that has passed since the data breach without incidents of identity theft or fraud.”

With regard to the first factor, the Court held that while the personal information at issue can be misused, the risk is not as high as in situations involving theft of social security numbers, financial account information, or data associated with classes of persons at higher risk of identity theft, such as police officers.  Next, the Court held that in ransomware attacks such as this, the information itself is not ordinarily the object of the hackers’ attack.  Third, plaintiffs did not allege any particulars demonstrating that the information was published or otherwise disseminated.  Fourth, plaintiffs failed to allege any incidents of identity theft or fraud using the compromised data, and defendants offered free credit monitoring services to those impacted to mitigate such risk.  Lastly, the Court held that the passage of 16 months since the hacking without any incident of identity theft “counsels against finding injuries that are imminent or substantially likely to occur.”

Thus, while recognizing that some federal and state courts in other jurisdictions have found standing on similar facts, the Court concluded that under New York law, the named plaintiffs failed to allege particularized and concrete injuries that are impending, imminent or substantially likely to occur.  The Court further advocated a cautious approach to standing, citing a quote from a federal judge from six years ago: “There are only two types of companies left in the United States, according to data security experts: those that have been hacked and those that don’t know they’ve been hacked.”  Storm v. Paytime, Inc., 90 F. Supp. 3d 359, 360 (M.D. Pa. 2015).

For more on this developing area, stay tuned.  CPW will be there.