Another data-breach class action has met an early demise in light of the U.S. Supreme Court’s decision in Clapper and related notions of injury-in-fact and Article III standing. See May 27, 2014 opinion, Vides, et al. v. Advocate Health and Hospitals Corp., Case No. 13-CH-2701 (19th Judicial Circuit, Lake County, Illinois) (relying heavily on Clapper v. Amnesty Intern’l USA, 133 S.Ct. 1138 (2012)). In the new Illinois decision, Circuit Court Judge Mitchell L. Hoffman reasoned:
In the present matter, Clapper compels rejection of Plaintiffs’ argument that an increased risk of identity theft is sufficient to satisfy the injury-in-fact requirement for standing. Whether Plaintiffs actually become victims of identity theft as a result of the removal of the computers depends on a number of variables, such as whether their data was actually taken after the removal, whether it was subsequently sold or otherwise transferred, whether anyone who obtained the data attempted to use it, and whether or not they succeeded. Plaintiff’s Complaint provides no basis to believe that any of these events have come to pass or are imminent.
Id. at *5.
In the Vides case, the plaintiffs sued Advocate (a doctor and hospital network) because four unencrypted Advocate laptop computers had been stolen, and those computers contained Protected Health Information (“PHI”) (patient names, addresses, dates of birth, Social Security numbers, treating physicians and departments, medical diagnoses, medical record numbers, medical service codes, and health insurance information). Id. at *1-2. The plaintiffs alleged negligence, violation of the Illinois Consumer Fraud and Deceptive Business Practices Act, violation of the Illinois Personal Information Protection Act, public disclosure of private fact, and intentional infliction of emotional distress. Id. at *2, 7.
The court found that the statutory violations, standing alone, could not confer standing. Id. at *8. Moreover, the damages asserted by the plaintiffs (time and expense to mitigate the risk of identity theft, anxiety and emotional distress, and loss of privacy) were too speculative and indefinite to confer standing. Id. at *9-11.
In dismissing the case in its entirety, the court set forth a survey of the law on data breach class actions and injury in fact, noting that numerous courts across the country had rejected risk of harm as injury in fact under Article III of the U.S. Constitution. Id. at *5-11 (citing Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3rd Cir. 2011); In re Barnes & Noble Pin Pad Litig., 2013 WL 475988, at *3 (N.D. Ill. 2013); Hammond v. The Bank of New York Mellon Corp., 2010 WL 2643307, at *2 (S.D.N.Y. 2010); Allison v. Aetna, Inc., 2010 WL 3719243, at *5 (E.D. Pa. 2010); Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1052 (E.D. Mo. 2009); Hinton v. Heartland Payment Sys., Inc., 2009 WL 704139, at *1 (D.N.J. Mar. 16, 2009); Randolph v. ING Life Ins. and Annuity Co., 486 F. Supp. 2d 1, 8 (D.D.C. 2007); Key v. DSW, Inc., 454 F. Supp. 2d 684, 689 (S.D. Ohio 2006); Bell v. Acxiom Corp. 2006 WL 2850042, at *2 (E.D. Ark. 2006).
And the court distinguished Seventh and Ninth Circuit decisions that the mere increased risk of theft or fraud was sufficient to confer standing, noting that those decisions predated the U.S. Supreme Court’s decision in Clapper and thus were no longer precedential or persuasive. Id. at *7 (distinguishing Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007); Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010)).
There are at least two primary lessons in this decision: (1) if your damage claims are tenuous, speculative, or indefinite, you will have an extremely tough time trying to serve as a class representative in a data-breach class action, and (2) more importantly, if you have PHI or Personally Identifiable Information (“PII”) on your corporate computer systems, encrypt those systems immediately if you haven’t already done so. Such encryption can render expensive battles over issues such as Article III standing completely unnecessary because when you’ve encrypted, you often don’t have to give widespread public notice, and if you don’t have to give widespread public notice, your chances of being sued in private litigation are reduced substantially.