Despite the above cases, plaintiffs alleging data breach still face legal challenges in bringing claims for intangible damages.
In February 2015, a Texas Federal Judge rejected a plaintiff’s claim for data breach, based on the “heightened risks” posed by potential identity theft and security fraud. The court ruled that despite the possibility that thieves could “drain” her back accounts, charge her credit cards, and perpetrate tax, medical, and insurance fraud, the plaintiff’s injuries were not “imminent” or “certainly impending,” as required under applicable precedent. Consequently, the court held that the plaintiff lacked the standing to sue.
In 2014, St. Joseph Services Corporation and St. Joseph Regional Health Center (“St. Joseph”), reported that hackers had infiltrated its computer network and gained access to the names, social security numbers, birthdates, addresses, medical records, and bank account information of approximately 405,000 patients. Following the report, St. Joseph arranged to provide potentially affected patients with one year of free credit monitoring and identity theft protection and encouraged victims to take steps to safeguard personal information by monitoring credit reports and account statements.
The plaintiff, Beverly Peters, a former patient of St. Joseph, sued the healthcare provider by way of a class action for violations of the Fair Credit Reporting ACT. Peters alleged that individuals had fraudulently attempted to access her Amazon.com account and make retail purchases with her Discover card. She also reported receiving unsolicited telephone and email communications from medical products and service companies.
St. Joseph moved to dismiss the case for lack of standing on the part of the plaintiff. The Southern District of Texas Court accepted the motion to dismiss reiterating that Peters could not describe her injuries without beginning the explanation with the word “if.” The court explained that Peters’s theory that she had the necessary standing to bring her claim, relied on a “highly attenuated chain of possibilities” and, as such, failed to satisfy the requirement that the threatened injury be “certainly impending.”