Over the last few months, cyber security issues may have taken a backseat to health and economic issues. Thankfully, there has not been a major cyber incident during the coronavirus pandemic. Before the pandemic, we were closely analyzing the number of court decisions where it was found that a litigant could not establish standing to bring a lawsuit for a data breach. However, it is only a matter of time until we are again analyzing privacy cases. The recent decision in Jantzer v. Elizabethtown Community Hosp., 2020 WL 2404764 (N.D. New York May 12, 2020), provides the perfect opportunity to get reacquainted with the fundamentals of data breach cases.
In Jantzer, the lead class action plaintiff claimed that an employee of Elizabethtown Community Hospital (“ECH”) fell prey to a phishing attack which resulted in the disclosure of patient personal information. The information exposed included “names, addresses, social security numbers, dates of birth, driver’s license numbers and medical information such as medical record numbers, dates of service and summaries of medical services provided.” (Id. ¶ 16). The Plaintiffs claim this breach resulted from ECH’s failure to adopt proper security measures including the following alleged failures:
To “take adequate and reasonable measures to ensure its data systems were protected,”
To “disclose that it did not have adequately robust computer systems and security practices,”
To “take standard and reasonable available steps to prevent the Data Breach,”
To “monitor and timely detect the Data Breach,” and
To “provide Plaintiff … prompt and accurate notice of the Data Breach.”
Ronald Jantzer, the lead class action plaintiff, received notice that his personal information, taken when he was a patient of the hospital, was exposed. In particular, ECH’s notice stated that while his name and “limited medical information” were compromised, his social security number was not involved in the incident, and therefore, ECH acknowledged that it did not see any “financial risk” related to the phishing incident. ECH claimed that while the potential for harm was limited, the information “‘did contain limited information associated primarily with billing’ including ‘information relating to the processing of payment from insurers: date of treatment, information identifying the insurer that provided reimbursement and payment dates and amounts.’”
As commonly seen in breach cases, Jantzer claimed he “has spent time monitoring and protecting his financial well-being by, among other things, corresponding with the major credit bureaus.” Jantzer further alleged that he expects to spend “significant amounts of time and money in an effort to protect [himself] from the adverse ramifications of the Data Breach and will forever be at a heightened risk of identity theft and fraud.”
The initial step in this case involving the ECH breach, as with most breach cases, focuses on whether a plaintiff has “standing” to bring an action. The ECH court first stated “[t]he Second Circuit has not yet addressed the issue of standing for a plaintiff alleging injury based on a data breach.” Nevertheless, it is well settled under cases such as Lujan v. Defs. of Wildlife, 504 U.S. 555, 560, 112 S. Ct. 2130, 119 L. Ed. 2d 351 (1992), that, to establish standing, (1) “the plaintiff must have suffered an ‘injury in fact’–an invasion of a legally protected interest,” (2) “there must be a causal connection between the injury and the conduct complained of,” and (3) “it must be likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.”
Here, Jantzer claimed he had standing to bring an action against ECH for at least two reasons: (1) “the threa[t] of future harm is sufficiently imminent” and (2) he “has suffered an injury by time spent protecting himself.” On the other hand, ECH argued Jantzer did not have standing since he “‘is unable to demonstrate any injury-in-fact’ because [Jantzer] did not have sufficiently sensitive information stolen in the Data Breach and thus does not face ‘a risk that is substantial or imminent.’”
Based on the above, the Jantzer court first stated that, to resolve this matter, it “must determine whether the theft of Plaintiff’s personal information related to the date and amount of his treatment and his insurer, creates an imminent risk of identity theft.” In short, the Jantzer court held that plaintiff could not meet this standard, and, therefore, Jantzer could not allege the requisite injury in fact necessary for standing. In particular, Jantzer was not able to pinpoint the exact injury he suffered related to the breach, and the court found “the harm of increased risk of future identity fraud too speculative to support standing in this case.” Consequently, the Jantzer court held Jantzer lacked standing and granted ECH’s motions to dismiss.
Finally, under the heading “Mitigation Efforts,” the Jantzer court also rejected Plaintiff’s “alternative basis for standing” where Plaintiff argues “that he has ‘suffered an injury by time spent protecting himself.’” The Jantzer court held these “expenses do not qualify as actual injuries where the harm is not imminent.”
As privacy incidents grow with more people working from home during the pandemic, it will be important to remember that breach incidents will not give rise to viable lawsuits unless litigants show precisely how they were damaged. While the Jantzer decision may not be a seminal privacy decision, this case serves as a reminder of where the law was prior to the pandemic and the fundamental concepts that control this area of law during and after the pandemic.