Recently, a federal court in Kansas joined a number of other courts in finding that allegations of future, speculative harm unadorned with actual theft or misuse of personal information are insufficient to establish Article III standing.
In Ex rel Situated v. Med-Data Inc., Case No. 21-2301-DDC-GEB, 2022 U.S. Dist. LEXIS 60555 (D. Kan. Mar. 31, 2022), Plaintiff C.C. (“Plaintiff”) filed a class action lawsuit against Defendant Med-Data (“Med-Data”), a health care provider, arising out of a data event in which Plaintiff’s and tens of thousands of others’ patient protected health information (“PHI”) and personally identifiable information (“PII”) was disclosed. Plaintiff was a patient of one of Med-Data’s “business associates” and provided her PII and PHI to Med-Data as a result. On or around March 31, 2021, Plaintiff received a notice of the data event, notifying her that her PII and PHI were “uploaded to a public facing website” and the data “was stolen, compromised, and wrongfully disseminated without authorization.” The impacted information included names, social security numbers, physical addresses, dates of birth, telephone numbers, medical conditions, and diagnoses.
Based on the data event, Plaintiff asserted seven claims against Med-Data: outrageous conduct, breach of implied contract, negligence, invasion of privacy by public disclosure of private facts, breach of fiduciary duty, negligent training and supervision, and negligence per se. Plaintiff filed suit in a district court in Kansas, but Med-Data removed the case to federal court under the Class Action Fairness Act (CAFA). Med-Data filed a motion to dismiss for failure to state a claim under Federal Rule of Civil Procedure 12(b)(6), but the court held that it was required to address Plaintiff’s Article III standing before resolving the motion to dismiss. The court ultimately dismissed the case for lack of standing.
Article III standing is required to establish a federal court’s subject matter jurisdiction over a particular dispute. This requires three things: “(1) an ‘injury in fact—an invasion of a legally protected interest which is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical[;]’ (2) ‘a causal connection between the injury and the conduct complained of—the injury has to be fairly . . . trace[able] to the challenged action of the defendant, and not . . . th[e] result [of] the independent action of some third party not before the court[;]’ and (3) that it is ‘likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.'” At the pleadings stage, a plaintiff need only generally allege facts demonstrating each element of Article III standing.
In addressing whether the Plaintiff had standing, the court noted that “[d]ata breach cases present unique standing issues,” surveying the circuit split on the issue. Whereas the Fourth, Sixth, Seventh, Ninth, and D.C. Circuits found that plaintiffs suffer an injury in fact for purposes of Article III standing by virtue of having been a victim of a data breach that resulted in an increased likelihood that their data would actually be misused, the Second, Third, Eighth, and Eleventh Circuits require plaintiffs to allege that their data was actually misused or intentionally taken by an unauthorized third party.
Ultimately, the court found that Plaintiff’s allegations had failed to establish Article III standing. In so holding, it noted that the Tenth Circuit has yet to address the issue, and thus, the court “predict[ed] that the Tenth Circuit, if presented with the facts alleged in [the] case, would follow the line of cases where outcome depends on whether plaintiffs have alleged misuse of their data.” The court relied upon the Supreme Court’s precedents in Clapper and TransUnion, concluding that a risk of future harm is insufficient to confer standing. Notably, however, the court emphasized that “a data breach plaintiff may establish standing on the basis of an increased risk of identity theft or identity fraud,” but that a plaintiff must nevertheless allege sufficient facts to show that the risk is “concrete, particularized, and imminent.”
Here, Plaintiff alleged six forms of damages, all of which the court found to be insufficient:
- The “imminent, immediate and continuing risk of identity theft, identity fraud and/or medical fraud[;]”
- “[O]ut-of-pocket expenses to purchase credit monitoring, internet monitoring, identity theft insurance, and/or other Breach risk mitigation products[;]”
- “[O]ut-of-pocket expenses incurred to mitigate the increased risk of identity theft, identity fraud and/or medical fraud pressed upon them by the Breach, including the costs of placing a credit freeze and subsequently removing a credit freeze[;]”
- The “value of their time spent mitigating the increased risk of identity theft, identity fraud and/or medical fraud pressed upon them by the Breach[;]”
- The “lost benefit of their bargain when they paid for their privacy to be protected and it was not[;]” and
- Loss of privacy
As an initial matter, the court held that HIPAA cannot be the basis for standing, as it does not create a private right of action. The court then noted that the risk of identity theft or fraud was insufficient, as a “mere compromise of personal information, without more, fails to satisfy the injury-in-fact element in the absence of identity theft” and, at best, alleged a risk of future harm.
The court likewise held that the mitigation costs were insufficient, as “plaintiff cannot ‘manufacture standing merely by inflicting harm on [herself] based on [her] fears of hypothetical future harm that is not certainly impending.'” Critically, the court explained that “while it may have been reasonable to take some steps to mitigate the risks associated with the data breach, those actions cannot create a concrete injury where there is no imminent threat of harm.”
Plaintiff’s benefit-of-the-bargain theory was also rejected on the grounds that she failed to allege what part of her payment to Med-Data’s business associates were for data security purposes, and thus, “[s]uch a claim is too flimsy to support standing.'”
Finally, the court held that Plaintiff’s loss-of-privacy allegations in support of her invasion of privacy tort were insufficient to establish standing because “plaintiff hasn’t alleged a concrete harm resulted from this publicity [of her PII and PHI]” and “[s]he hasn’t alleged any harm to her reputation from the alleged breach.” “In sum, Plaintiff’s standing problem here is a familiar one: she hasn’t alleged any concrete or particularized harm from her alleged loss of privacy. Her loss of privacy, in and of itself, is not a concrete harm that can provide the basis for Article III standing.” Finding that Plaintiffs lacked standing, the court remanded the case to the state court rather than dismissing it outright.
This case is yet another example where courts have held that allegations of harm based on generalized, speculative injury and speculative harm will not suffice for purposes of Article III. Federal courts have, and continue to, show their willingness to dismiss (or, for cases removed from state court, remand) data privacy cases at the pleadings stage for lack of standing. This most recent ruling is another example of this trend.
For more developments, stay tuned. CPW will be there to keep you in the loop.