As we have discussed here at CPW, one of the biggest challenges facing a plaintiff in a data breach class action is to establish an injury from the alleged data breach. Earlier this week, in David De Midicis v. Ally Bank & Ally Fin., Inc., 2022 U.S. Dist. LEXIS 137337 (S.D.N.Y. Aug. 2, 2022), the Southern District of New York dismissed the case for lack of Article III standing because plaintiffs had failed to allege an injury in fact from the data breach.
As alleged in the complaint, the plaintiff maintained checking, savings and securities accounts with the defendants. In April 2021, the defendants discovered a coding error which resulted in usernames and passwords for certain customers being sent to a limited group of entities with which the defendants had ongoing contractual and business relationships. When the coding error was discovered, the defendants immediately fixed the coding error, required a change of password, and worked with the entities receiving the usernames and passwords to delete the information. With respect to the impacted customers, the defendants began fraud-monitoring efforts. In addition, the defendants notified the impacted customers and also offered free credit monitoring and identity theft insurance coverage for two years. Through these efforts, the defendants represent that they have identified no instances of account takeovers, identity theft, or similar occurrences attributable to the coding error.
Plaintiff filed a class action lawsuit against the defendants in August 2021. Defendants moved to dismiss for lack of standing and failure to state a claim. As to standing, the defendants argued that the plaintiff failed to allege: (1) a concrete, particularized present injury; or (2) substantial risk of future injury and thus could not establish Article III standing.
The Court found that none of the three “injuries” identified by the plaintiff satisfied the requirements of a concrete, particularized present injury. First, the Court rejected the plaintiff’s claim that time spent mitigating the risks from the incident, such as investigating credit monitoring and changing passwords, qualified as an injury because the plaintiff failed to show there was any substantial risk of future identity theft or fraud. The Court found that a plaintiff cannot manufacture standing merely by inflicting harm on himself based on a fear of hypothetical future harm; only when there is a substantial risk of future injury would such time constitute a present injury. Second, as to the alleged diminution in value of the plaintiff’s personal information, the Court rejected such a theory as a present injury because the plaintiff failed to allege a market for such information, emphasizing that usernames and passwords can easily be changed. Third, the Court found that the three alleged attempts to access the plaintiff’s email account also do not satisfy the present injury requirement because the plaintiff fails to allege a plausible link between the coding error and the alleged attempts to hack his email. In other words, the Court found no nexus between the coding error and the attempts to access his email account beyond allegations of time and sequence. Thus, the Court found that plaintiff had failed to allege a present injury.
The Court also concluded that the plaintiff failed to allege injury based on a substantial risk of future injury. First, the coding error was inadvertent and not the result of a targeted attack. Second, there are no allegations that the personal information disclosed was misused. Third, the information disclosed – usernames and passwords – was not sensitive or high risk. The Court, therefore, dismissed the complaint for lack of standing.
This decision highlights that in cases of an inadvertent data incident, it is hard for a plaintiff to identify an injury from the alleged incident. Luckily, the case was filed in federal court, so the result of no Article III standing was dismissal. If the case were removed from state court, then a no Article III standing determination would result in remand. Whether the case could proceed in state court would then depend on the standing requirements under state law. But even if the standing requirements were less stringent, at some point, to succeed on claims like those asserted here (i.e., negligence and breach of implied contract), a plaintiff is going to have to demonstrate injury, and what this case highlights is where the incident was the result of an inadvertent error and the defendant takes appropriate measures, most impacted putative class members are uninjured.