In August 2015, Privacy Risk Report published a post regarding Target sealing its documents associated with the massive 2013 data breach in order to protect itself from hackers. Target contended that if documents related to its data breach litigation were filed unsealed, there was a chance that hackers would have access to “detailed information about Target’s IT infrastructure, Target’s information security controls, and information about Target’s information security policies and procedures.” Following Target’s lead, there is more litigation stemming from the inadvertent disclosure of private information on a court’s website.
In its October 18, 2016, decision, a court in McCoy v. Fisher dismissed a plaintiff’s complaint against a law firm that failed to redact personal information in a court document that ended up on the court’s website for a short time. In April 2015, defendants Jeffrey B. Fisher and The Fisher Law Group (Fisher Law) initiated a foreclosure action against plaintiffs Antonio McCoy and his former wife after they defaulted on their Maryland home loan. During the foreclosure action, Fisher Law filed a document that McCoy claimed included his loan number and his social security number. In May 2015, Fisher Law sent McCoy a letter notifying him of the inadvertent disclosure of personal information and further stated that the unredacted documents may have included McCoy’s loan number and his social security number.
As is the case in many jurisdictions, Maryland Rule 1-322.1 states, “the filer of any paper or electronic filing with a Maryland court must redact or omit certain ‘personal identifier information’ from the document before it is filed, including an individual’s social security number.”
On February 4, 2016, McCoy, a pro se litigant, filed his complaint seeking recovery under the Gramm-Leach-Bliley Act for the alleged disclosure of private information, the Ninth Amendment of the U.S. Constitution and negligence theories.
In its motion to dismiss, Fisher Law argued first that McCoy failed to establish he had standing to bring the action. Specifically, Fisher Law asserted McCoy’s action should be dismissed because McCoy merely claimed he could be the victim of identity theft in the future. And, as seen on a number of other occasions, under the Clapper decision, the U.S. Supreme Court has held that “standing must be based on the ‘substantial risk’ that harm will occur, so long as the future injury is ‘certainly impending.’” That is, “allegations of ‘possible future injury’ are not sufficient” to sustain a cause of action.
While the McCoy court found it had no controlling law in the 4th U.S. Circuit Court of Appeals on this standing issue, it relied on the holding in Khan v. Children’s Nat’l Health Sys., where the court found the named plaintiff could not prove injury in fact because the plaintiff failed to allege “facts indicating that the hackers have attempted to engage in any misuse of [the hospital] patients’ personal information since the breach was discovered.” In Khan, the court held “the mere loss of data—without any evidence that it has been either viewed or misused—does not constitute any injury sufficient to confer standing.”
In dismissing the complaint, the McCoy court found McCoy’s claims of future injuries to be speculative at best. “At most, Plaintiff alleges that his information was accidentally made publicly available for a period of time, introducing the risk that a bad actor could obtain such information.” The McCoy court found no evidence that McCoy’s information was accessed or misused during the six days it was viewable by the public on PACER, the court’s website.
There should be no doubt that the potential use by criminals of information found in documents maintained on court websites should be a concern. Consequently, Target’s argument to file documents under seal to protect private information from hackers may be justified in certain situations. However, the McCoy decision demonstrates that when private information inadvertently ends up on court websites, a person will need to meet the same standards as any litigant in a data breach case. That is, a litigant will need to demonstrate, with more than speculation, that harm was done by the disclosure.