In a potentially precedent setting decision, New York partner Brian Middlebrook and associate John Mills obtained complete dismissal of two competing putative class actions against the firm’s client, an accounting and tax advisory firm, also serving as a business associate of a large healthcare provider in upstate New York. This was a case of first impression in New York state courts as it relates to standing in data breach litigation arising from an alleged Health Insurance Portability and Accountability Act (“HIPAA”) breach including alleged data exfiltration and publication.
In December 2019, the firm’s client was the victim of a ransomware attack. The plaintiffs, represented by separate prominent firms specializing in data breach class action litigation, thereafter brought suit each seeking to represent a putative class of 170,000 individuals who received notification of the incident. The complaints alleged causes of action sounding in negligence, negligence per se, breach of contract, breach of fiduciary duty, violation of General Business Law 349, trespass to chattels, bailment, unjust enrichment and conversion arising from the data security incident, the defendants’ alleged failure to implement adequate and reasonable cyber security procedures and protocols necessary to protect the plaintiffs’ personal information, and the alleged heightened and imminent risk of fraud and identity theft following the incident.
The Gordon & Rees team moved to dismiss the claim, arguing that the plaintiffs lacked standing to bring suit because they did not allege that they suffered any injury-in-fact. Specifically, the team argued that the plaintiffs’ fear of future identity theft and financial harm, out-of-pocket costs for mitigative measures, and loss of value of personal information were not sufficient injuries-in-fact to allow the complaints to proceed. Additionally, the team argued that the complaints failed to state a cause of action against the firm’s client based on applicable pleading standards.
In a lengthy decision, the Court acknowledged the fact that the issue of standing in data breach litigation in New York state courts is a rather novel issue, particularly in light of the alleged exfiltration and publication of data following the attack. Nonetheless, the Court dismissed both complaints in their entirety. The Court held that based on the type of personal information compromised in the incident, the hackers involved, the nature of the incident (including exfiltration, publication and dissemination), lack of alleged incidents or attempts of identity theft by the named plaintiffs, and passage of time since the incident, that the plaintiffs lacked standing to bring suit. The Court succinctly stated that “plaintiffs are left to speculate about the prospect of future harms that may or may not come to pass,” which is insufficient for purposes of alleging the essential element of injury-in-fact and is fundamental to bringing suit.
The issue of standing in data breach litigation continues to be hotly contested, particularly with the advent of double extortion and data publication in ransomware attacks, and certainly one at the forefront of the plaintiffs’ bar in the wake of the increasing cyber attacks as a result of COVID-19. As the court stated in its decision dismissing the claims against Gordon & Rees’ client: “[t]here are only two types of companies left in the United States, according to data security experts: those that have been hacked and those that don’t know they’ve been hacked.”
The Gordon & Rees team is thrilled to have achieved such a favorable result for its client on an issue of near first impression in New York state courts, and looks forward to continuing to achieve favorable results on behalf of its clients in similar matters across the country.