Privacy Risk Report » Privacy Law

New Decision Provides Reminder Of Privacy Law Before The Pandemic

Todd Rowe — Tue, 26 May 2020 15:13:06 +0000

Over the last few months, cyber security issues may have taken a backseat to health and economic issues. Thankfully, there has not been a major cyber incident during the coronavirus pandemic. To pick up where we were before the pandemic, we were closely analyzing the number of court decisions where it was found that a litigant could not establish standing to bring a lawsuit for a data breach. However, it is only a matter of time until we are again analyzing privacy cases. The recent decision in Jantzer v. Elizabethtown Community Hosp., 2020 WL 2404764 (N.D. New York May 12, 2020), provides the perfect opportunity to get reacquainted with the fundamentals of data breach cases.

In Jantzer, the lead class action plaintiff claimed that an employee of Elizabethtown Community Hospital (“ECH”) fell prey to a phishing attack which resulted in the disclosure of patient personal information. The information exposed included “names, addresses, social security numbers, dates of birth, driver’s license numbers and medical information such as medical record numbers, dates of service and summaries of medical services provided.” (Id. ¶ 16). The Plaintiffs claim this breach resulted from ECH’s failure to adopt proper security measures including the following alleged failures:

To “take adequate and reasonable measures to ensure its data systems were protected,”
To “disclose that it did not have adequately robust computer systems and security practices,”
To “take standard and reasonable available steps to prevent the Data Breach,”
To “monitor and timely detect the Data Breach,” and
To “provide Plaintiff … prompt and accurate notice of the Data Breach.”

Ronald Jantzer, the lead class action plaintiff, received notice that his personal information taken when he was a patient of the hospital, was exposed. In particular, ECH’s notice stated that while his name and “limited medical information” was compromised, his social security number was not involved in the incident, and therefore, ECH acknowledged that it did not see any “financial risk” related to the phishing incident. ECH claimed that while the potential for harm was limited, the information “‘did contain limited information associated primarily with billing’ including ‘information relating to the processing of payment from insurers: date of treatment, information identifying the insurer that provided reimbursement and payment dates and amounts.’”

As commonly seen in breach cases, Jantzer claimed he “has spent time monitoring and protecting his financial well-being by, among other things, corresponding with the major credit bureaus.” Jantzer further alleged that he expects to spend “significant amounts of time and money in an effort to protect [himself] from the adverse ramifications of the Data Breach and will forever be at a heightened risk of identity theft and fraud.”

The initial step in this case involving the ECH breach—as with most breach cases—focuses on whether a plaintiff has “standing” to bring an action. The ECH court first stated “[t]he Second Circuit has not yet addressed the issue of standing for a plaintiff alleging injury based on a data breach.” Nevertheless, it is well settled under cases such as Lujan v. Defs. of Wildlife, 504 U.S. 555, 560, 112 S. Ct. 2130, 119 L.Ed 2d 351 (1992), to establish standing, (1) “the plaintiff must have suffered an ‘injury in fact’–an invasion of a legally protected interest,” (2) “there must be a causal connection between the injury and the conduct complained of,” and (3) “it must be likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.”

Here, Jantzer claimed he had standing to bring an action against ECH for at least two reasons: “(1) “the threa[t] of future harm is sufficiently imminent” and (2) he “has suffered an injury by time spent protecting himself.” On the other hand, ECH argued Jantzer did not have standing since he “‘is unable to demonstrate any injury-in-fact” because [Jantzer] did not have sufficiently sensitive information stolen in the Data Breach and thus does not face ‘a risk that is substantial or imminent.’”

Based on the above, the Jantzer court first stated that, to resolve this matter, it “must determine whether the theft of Plaintiff’s personal information related to the date and amount of his treatment and his insurer, creates an imminent risk of identity theft.” In short, the Jantzer court held that plaintiff could not meet this standard, and, therefore, Jantzer could not allege the requisite injury, in fact, necessary for standing. In particular, Jantzer was not able to pinpoint the exact injury he suffered related to the breach and “the harm of increased risk of future identity fraud too speculative to support standing in this case.” Consequently, the Jantzer court held Jantzer lacked standing and granted ECH’s motions to dismiss.

Finally, under the heading “Mitigation Efforts,” the Jantzer court also rejected Plaintiff’s “alternative basis for standing” where Plaintiff argues “that he has ‘suffered an injury by time spent protecting himself.’” The Jantzer court held these “expenses do not qualify as actual injuries where the harm is not imminent.”

It will be important to remember that breach incidents will not give rise to viable lawsuits unless litigants show precisely how they were damaged as privacy incidents grow with more people working from home during the pandemic. While the Jantzer decision may not be a seminal privacy decision, this case serves as a reminder of where the law was prior to the pandemic and the fundamental concepts that control this area of law during and after the pandemic.

For more information, contact Tressler attorney Todd Rowe at trowe@tresslerllp.com.

The post New Decision Provides Reminder Of Privacy Law Before The Pandemic appeared first on Privacy Risk Report.

Home On The Range: Recent Decision Addresses Range Of Data Breach Cases

Todd Rowe — Mon, 07 Oct 2019 16:45:48 +0000

The recent decision in Kimbriel v. Abb, Inc.,19-CV-215 (October 1, 2019), provides insight into how far privacy law has developed in a short time. A couple of years ago there was little guidance as to what a plaintiff needed to establish standing in a data breach case. Many data breach lawsuits were dismissed as courts found the nexus between the breach and the alleged damages to be too weak or speculative to support a viable cause of action. The Kimbriel decision provides a “range” for plaintiffs to show they have standing to bring a lawsuit after a breach. First, the Kimbriel court finds plaintiffs cannot meet their burden to establish standing if they cannot show breached data was used or reasonably could be used after the breach. For example, credit inquiries using breached data is not sufficient to establish standing under the Kimbriel court’s reasoning. On the other end of the range, to meet their burden, plaintiffs will need to show they suffered an injury-in-fact and have standing when they can show criminals used their data. For example, plaintiffs that can show fraudulent credit cards were open with the breached information have a better chance of establishing standing to sue.

The Plaintiffs’ Allegations Related To The Breach Of Personal Information

In Kimbriel, the Defendant, the Plaintiffs’ employer, filed a motion to dismiss the Plaintiffs’ complaint asserting the Defendant breached employee data. Plaintiffs claimed the breach involved a database that housed employees’ sensitive information including full names, addresses, birth dates and social security numbers plaintiffs provided to Defendant in order to participate in an employee health plan. After the breach, the Defendant agreed to pay for identity credit monitoring services for the employees. On February 13, 2019, a credit-monitoring service notified the lead plaintiff, Paula Kimbriel, of five unauthorized credit inquiries with banking institutions.

The Defendant’s Argument That Plaintiffs Lack Standing For This Action

On the other hand, the Defendant argued in its motion to dismiss that Plaintiffs lack standing under Article III of the U.S. Constitution to bring this action because they have not alleged an injury-in-fact. That is, it is well settled by the U.S. Supreme Court that “[t]o establish standing, plaintiffs must show they have suffered an injury-in-fact-an injury that is “concrete, particularized, and actual or imminent[.]” See, Clapper v. Amnesty Int’l USA. The Clapper court held the injury-in-fact must be “fairly traceable to the challenged action[,] and redressable by a favorable ruling.” Id. Threatened injuries cannot be speculative, but “must be certainly impending.” Id.” Questions related to standing have plagued many data breach plaintiffs to the extent it is difficult to show damage (such as credit card fraud) is directly related to a particular breach. The Kimbriel court address this question by creating a range that examines the damage from a breach.

The District Court’s Dismissal Of The Complaint

The District Court dismissed the Plaintiffs’ complaint finding the District Court lacked subject-matter jurisdiction over the plaintiffs’ claims. In particular, the District Court held that without any allegations the hacked personal information had or will be used, in identity theft or fraud, the employees are not capable of demonstrating a concrete injury.

The District Court found this case fell in the middle of two recent decisions that “address injury-in-fact in the data privacy context.” First, Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), provides an example where “the plaintiffs did not have standing because, critically, they could neither show that their data was actually used nor allege enough plausible facts to show that threatened future harms were “certainly impending.” The plaintiff’s allegations in the Beck case were fatally defective since the “mere compromise of personal information, without more, fails to satisfy the injury-in-fact element in the absence of an identity theft.”

On the other end of the range, the court in Hutton v. Nat’l Bd. of Examiners in Optometry, Inc. Hutton v. Nat’l Bd. of Examiners in Optometry, Inc., 892 F.3d 613 (4th Cir. 2018), found “plaintiffs had suffered an injury-in-fact because their data had actually been used to open fraudulent credit card accounts.

Here, the District Court found the Plaintiffs’ allegations in the Kimbriel case were closer to the allegations brought by the plaintiffs in Beck rather than the allegations in Hutton That is, Plaintiffs’ complaint in Kimbriel did not establish the District Court had standing since, “[b]y plaintiffs’ own admission, the credit inquiries do not, by themselves, constitute an independent injury-in-fact.” Further, the District Court rejected the argument that the credit inquiry coupled with allegations that the breach was a result of a targeted phishing scheme, “constitute a sufficient factual basis to conclude there is a certainly impending risk of identity theft.”

While the District Court found the Plaintiffs in Kimbriel presented a stronger case for an injury-in-fact than the plaintiffs in Beck, “their asserted injuries are still too speculative to meet the ‘certainly impending’ threshold” necessary to support their claim.

What The Kimbriel Decision Tells Us About Privacy Law

We can expect other courts to adopt a similar analysis to that seen in Kimbriel as data breach cases continue to reach the courts. Thankfully, not every data breach results in damage to the individuals that had their information compromised. This decision provides an important reminder that not every data breach results in damages.

For more information, contact Tressler attorney Todd Rowe at trowe@tresslerllp.com.

The post Home On The Range: Recent Decision Addresses Range Of Data Breach Cases appeared first on Privacy Risk Report.