No Harm, No Standing: Texas Federal Court Dismisses Data Breach Class Action

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.jdsupra.com/legalnews/no-harm-no-standing-texas-federal-cour-45824/


Dismissing a class action based on a data breach, the Southern District of
Texas added to the growing number of decisions that find an alleged risk of
future identity theft due to a data breach is not an injury that creates
standing to bring federal claims. The plaintiff, Beverly Peters, a former
St. Joseph patient, brought a class action lawsuit against the medical
provider after receiving notification that her personal information and
protected health information had been compromised. St. Joseph moved to
dismiss the complaint for lack of standing and failure to state a claim for
relief.

During the course of her treatment at St. Joseph, Ms. Peters provided
personal information that was stored on St. Joseph’s computer network.
Hackers subsequently invaded St. Joseph’s computer network, obtaining
access to the personal information of approximately 405,000 individuals.

Despite the fact that St. Joseph had no evidence that any personal
information had been misused, it automatically enrolled all potentially
affected individuals in a free credit monitoring and identity theft
protection service for one year.

Ms. Peters’s complaint alleged violations of the Fair Credit Reporting Act
along with various state and common law tort and contract claims. Her core
allegation was that she and similarly situated individuals were at “an
elevated risk of future identity theft/fraud” due to the breach of St.
Joseph’s computer network. In support, she pointed to several incidents:
(1) an attempt at a fraudulent charge on her Discover credit card; (2) a
fraudulent attempt to access her Amazon.com account using her son’s name,
which was contained in St. Joseph’s records; (3) receipt of “daily
telephone solicitations from medical products and services companies”; and
(4) receipt of unsolicited marketing materials and emails regarding the
medical condition listed in St. Joseph’s records.

The Southern District Court of Texas, in an issue of first impression,
cited Clapper v. Amnesty Int’l USAand Susan B. Anthony List v. Driehaus to
support its finding that the injury alleged by Ms. Peters failed to rise to
the level of “certainly impending” or “substantial” risk to establish the
requisite Article III standing. Clapper v. Amnesty Int’l USA, 133 S. Ct.
1138 (2013); Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334 (2014).

The court reasoned that Ms. Peters’s allegations of future harm had
numerous variables, including time and manner. The court also noted the
difficulty in determining whether any misuse of her personal information
could be traced to St. Joseph’s breach. Most importantly, the Court found
that:

"Even if the above injuries were traceable to St. Joseph’s alleged failures
under the FCRA, it is not likely that a favorable decision from this Court
would redress the harm she has experienced.  St. Joseph argues that Peters
has not alleged any quantifiable damage or loss she has suffered as a
result of the Data Breach.  This Court agrees."

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!