Plaintiffs’ Breach Claims Dismissed for Lack of Standing

Published On June 2, 2014 | By Bart Huff | Data Security, General, Litigation, Privacy
TwitterLinkedInFacebookRedditCopy LinkEmailPrint

In a decision representative of a growing trend, an Illinois trial court dismissed class claims for lack of standing following an alleged data breach. Plaintiffs had filed a putative class action lawsuit against Advocate Health and Hospitals Group, alleging state law claims of negligence, intentional infliction of emotional distress, invasion of privacy and consumer fraud, following the theft of four laptops from the defendant’s administrative offices. Defendant moved to dismiss arguing, among other things, that plaintiffs had failed to meet Article III’s standing requirement. The court agreed.

The court ruled that, because plaintiffs had not alleged that their data had actually been accessed and used for an unauthorized purpose, they could not allege an injury-in-fact. The court stated that the plaintiffs must establish that injury is “distinct and palpable” and “fairly traceable” to the defendant’s actions. Plaintiffs attempted to meet this burden by arguing that they were subject to increased risk of identity theft and/or fraud due to the exposure of their personal information. The court noted that “the harm that plaintiffs fear is contingent on a chain of attenuated hypothetical events and actions by third parties independent of the defendant.” Relying on the Supreme Court’s 2013 decision in Clapper and several subsequent state and federal cases, the court noted that “[a]lthough plaintiffs do not need to show that they are ‘literally certain’ they will be victims of identity theft and/or fraud, they have not alleged facts that would plausibly establish an ‘imminent’ or ‘certainly impending’ risk that they will be victimized. Under Clapper, the mere fact that the risk has been increased does not suffice to establish standing.”

Plaintiffs also argued that statutory violations (of Illinois’ Personal Information Protection Act and Consumer Fraud and Deceptive Practices Act), in and of themselves, were sufficient injury for purposes of standing. The court disagreed, holding that “statutory violations by themselves are insufficient to establish standing. The Plaintiffs’ Complaint must include allegations that they have been damaged by the violations to establish standing.”

The Advocate Health decision is a good reminder to go back to first principles when responding to a class action complaint in breach and privacy cases. After Clapper, courts are becoming more willing to dismiss claims based on speculative, future-oriented injury.

Photo by Ian Sane From Flickr

About The Author

Bart's practice focuses on representing clients on many areas related to online content and services, including criminal and internal investigations, internet privacy and security litigation, theft of trade secrets, compliance obligations relating to the use and disclosure of customer and subscriber information, and gaming law. Before ZwillGen, Bart was an AUSA in Chicago, prosecuting federal crimes including white collar fraud, securities and other regulatory violations, and computer and internet related crimes. Bart tried 18 jury trials and briefed and argued numerous appeals before the Seventh Circuit.