No Injury = No Standing Article III in Data Breach Class Action
As we have discussed here at CPW, one of the biggest challenges facing a plaintiff in a data breach class action is establishing an injury resulting from the alleged data breach. Earlier this week, in David De Midicis v Ally Bank & Ally Fin., Inc., 2022 US Dist. LEXIS 137337 (SDNY Aug 2, 2022), Southern District of New York dismissed case for lack of Article III standing because plaintiffs failed to allege factual harm resulting from breach of data.
As alleged in the Complaint, the Plaintiff had checking, savings and securities accounts with the Defendants. In April 2021, defendants discovered a coding error that resulted in certain customers’ usernames and passwords being sent to a limited group of entities with which defendants had ongoing contractual and business relationships. . When the coding error was discovered, the defendants immediately corrected the coding error, demanded a password change, and worked with the entities receiving the usernames and passwords to remove the information. With respect to the affected customers, the defendants have begun fraud monitoring efforts. In addition, defendants notified affected customers and also offered free credit monitoring and identity theft insurance coverage for two years. Through these efforts, Defendants state that they have not identified any instances of account takeover, identity theft, or similar occurrences attributable to the coding error.
Plaintiff filed a class action lawsuit against defendants in August 2021. Defendants moved to dismiss for lack of standing and failure to assert a claim. As to standing, the defendants argued that the plaintiff did not allege: (1) concrete and specific present harm; or 2) a substantial risk of future harm and therefore could not establish standing under Article III.
The Court found that none of the three “injuries” identified by the plaintiff met the requirements of a concrete and specific present injury. First, the Court rejected the plaintiff’s claim that the time spent mitigating risks associated with the incident, such as investigating credit monitoring and changing passwords, qualified as an injury because the plaintiff had not demonstrated that there was a substantial risk of identity theft or future fraud. The Court held that a plaintiff cannot manufacture standing simply by inflicting harm on himself based on the fear of hypothetical future harm; only where there is a substantial risk of future harm would that period constitute present harm. Second, with respect to the alleged diminishment of the value of the plaintiff’s personal information, the Court rejected such a theory as present harm because the plaintiff did not allege that there is a market for this information, pointing out usernames and passwords can easily be changed. Third, the Court found that the three alleged attempts to access the plaintiff’s email account also failed to satisfy the current harm requirement because the plaintiff does not allege a plausible connection between the error of coding and alleged attempts to hack his email. In other words, the court found no connection between the coding error and the attempts to access his email account beyond the time and sequence allegations. Thus, the Court found that the plaintiff failed to allege present injury.
The Court also found that the plaintiff did not allege harm based on a substantial risk of future harm. First, the coding error was unintentional and not the result of a targeted attack. Second, there is no allegation that the personal information disclosed was misused. Third, the leaked information – usernames and passwords – was neither sensitive nor high-risk. The Court therefore dismissed the complaint for lack of standing.
This decision highlights that in the event of an inadvertent data incident, it is difficult for a claimant to identify an injury from the alleged incident. Fortunately, the case was filed in federal court, so the result of the lack of Article III status was dismissal. If the case were removed from state court, an Article III nonqualification decision would result in a dismissal. Whether the case could proceed in state court would then depend on the standing requirements under state law. But even if the quality requirements were less stringent, at some point to succeed on claims like the ones asserted here (that’s to say, negligence and implied breach of contract), a plaintiff will have to show that he has suffered damages, and what this case highlights is that when the incident is the result of an unintentional error and the defendant takes appropriate action, most of the suspected affected group members are uninjured.