Over the last couple of years, alleged privacy violations of the Illinois Biometric Information Privacy Act (“BIPA”) have flooded Illinois courts. One unique aspect of the BIPA class action cases in Illinois is seen when plaintiffs do not have to allege any actual injury or adverse effect. That is, since the Illinois Supreme Court’s decision in Rosenbach v. Six Flags Ent. Corp., 432 Ill. Dec. 654, 129 N.E.3d 197 (Ill. 2019), Illinois courts have found plaintiffs have standing to bring cases with nothing more than the mere allegation of a technical violation of BIPA. These cases have survived motions to dismiss despite no allegations of identity fraud or theft of private biometric information. Of course, outside of Illinois BIPA cases, courts still require plaintiffs to at least allege harm resulting from a privacy incident to survive a motion to dismiss.
A recent example of a privacy dispute requiring allegations of damage to survive a motion to dismiss is seen in the unpublished decision Abernathy v. Brandywine Urology Consultants, P.A., 2021 WL 211144 (Del. 2021). The privacy incident in Abernathy resulted from a ransomware attack on Brandywine’s computer network that contained sensitive patient data and medical records needed for the operation of the medical clinic. For some reason, there was no attempt to collect a ransom. A group of Brandywine patients filed a class-action lawsuit.
The Abernathy court found the following information to be important about the privacy incident:
- Brandywine took immediate steps to notify its patients of the attack by issuing a Notice of Potential Data Breach.
- The Notice informed patients “that it was possible, though [Brandywine] believed that it was unlikely,’ that their personal information and financial information was compromised.”
- The Notice also stated that Brandywine would keep patients informed of “the results of its ongoing investigation.”
The class-action plaintiffs filed suit against Brandywine alleged the privacy incident resulted from Brandywine’s negligence along with a number of other causes of action. Brandywine filed a motion to dismiss the complaint arguing the plaintiffs lacked standing to bring the class action. In particular, Brandywine argued that plaintiffs failed to allege an injury in fact and that any alleged injuries could not be traced back to Brandywine. As seen in many “standing” cases, plaintiffs took the position they sustained an injury from the following “harms:” (1) imminent risk of future harm; (2) mitigation expenses; (3) loss of privacy; (4) anxiety; (5) failure to receive the benefit of a bargain; (6) loss of value of property in personally identifying information; and (7) disruption to plaintiff’s medical care.
In granting Brandywine’s motion to dismiss, the Court provided the following analysis on whether the plaintiffs suffered an injury. First, while Delaware courts had not addressed the question of whether the imminent risk of future harm from a data breach constitutes an injury-in-fact, the Abernathy Court looked to a number of federal court decisions holding a plaintiff lacks standing to sue a party that failed to protect data. These courts held there was no standing absent proof of actual misuse or fraud. The Abernathy Court further noted that the Notice sent to Brandywine’s patients “stated there was a possibility that personal and financial information was compromised during the attack.” This Notice was found by the Court to not be a “concession of a plausible, concrete, imminent, or certain threat.”
Additionally, the Abernathy Court held the response to the attack was proper and found Brandywine “appeared to take swift and appropriate measures to investigate and mitigate the data breach.” The Court made it clear that Brandywine should not be punished for sending out the Notice. This conduct, informing individuals quickly about a potential privacy issue, should be encouraged. (“The Court is reluctant to make any ruling that would chill efforts to notify patients or clients of security breaches out of an abundance of caution.”)
In conclusion, the Abernathy Court granted Brandywine’s motion to dismiss because plaintiffs “failed to allege that any of them have been victims of any actual harm stemming from the attack. As almost a year has now passed without any harm occurring, it appears unlikely that plaintiffs would be harmed in the near future.”
The Abernathy decision offers a useful reminder that plaintiffs, outside of BIPA litigation, will need to show real harm results from a privacy incident. It also shows how a data collector can control the situation even after a security incident by having a good response plan in place and ready to go. The Abernathy Court may not have been willing to side with Brandywine if it was shown that Brandywine lacked a reasonable response and kept its patients informed of the steps taken in response to the ransomware attack. This decision provides even more reason to have a proper response plan in place and ready to go.
For more information about this article, contact Todd Rowe, working at home, of course, at trowe@tresslerllp.com [1].