Data Breach Class Action Plaintiffs Lack Standing
A federal court in New Jersey is the latest in a series of courts to dismiss a putative data breach class action due to plaintiffs’ failure to adequately plead standing. In re Horizon Healthcare Services, Inc. Data Breach Litigation, No. 2:13-cv-07418-CCC-JBC (D.N.J. Mar. 31, 2015).
This class action was brought against a health insurer that suffered a data breach through the theft of two password-protected laptops from the company’s headquarters. It was not clear how much personal information was accessible on the laptops. Several putative class action suits were filed by members who claimed to be at an increased risk of harm from identity theft, identity fraud, and medical fraud as a result of the breach. The defendant moved to dismiss the consolidated class action complaint for lack of standing.
The court agreed with the defendant that the plaintiffs’ allegations were insufficient to support standing. The court rejected the plaintiffs’ argument that they had suffered “economic injury” because their insurance premiums were partially allocated to data protection and defendant failed to secure their data; some actual injury, such as monetary loss or identity theft, would be required. For the same reason – lack of actual injury – the plaintiffs did not have standing to pursue claims for violation of their rights. The court also followed Third Circuit precedent holding that an increased risk of identity theft was insufficient to confer standing. (Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011).) The plaintiffs’ potential future injuries, which would require numerous hypothetical actions on the part of the malefactor, were too conjectural.
One plaintiff did allege some particular harms: he claimed that someone had filed a fraudulent tax return in his and his wife’s names and stolen their tax refund, and that he had suffered fraudulent use of his credit card. The court found that these allegations, even if true, were not “fairly traceable” to the defendant. “[E]ven if [plaintiff’s] theory is adequate to support standing in the abstract, the facts of this case demonstrate the remote possibility, rather than the plausibility, that the fraudulent tax return was connected to the . . . laptop theft.” In any event, plaintiff also failed to meet the standing requirement of redressability; any harm had already been remedied, as he ultimately received his tax refund. Similarly, his claim about credit card fraud was not “fairly traceable” to the defendant, since credit card information was not stored on the stolen laptops.