As has been previously reported here, a series of recent federal court decisions has suggested a trend in data breach litigation – that an increased risk of harm will be sufficient to satisfy the injury-in-fact requirement for Article III standing. In fact, less than three weeks ago, the Seventh Circuit Court of Appeals revived a previously-dismissed data breach class action lawsuit, ruling that plaintiffs did not have to wait until hackers actually committed identity theft in order to establish standing. On August 6, 2015, the Illinois Appellate Court held exactly the opposite.
In Maglio v. Advocate Health and Hospitals Corporation, several plaintiffs sued Advocate Health and Hospital after computers containing patients’ personal information were stolen. 2015 IL App (2d) 140782 (August 6, 2015). Plaintiffs did not allege that their personal information was used in any unauthorized manner as a result of the burglary, but they claimed that they faced an increased risk of identity theft and identity fraud. Advocate Health moved to dismiss the complaint, arguing that mere stolen information is insufficient to establish standing, because an increased risk of identity theft and/or identity fraud is too speculative to constitute cognizable injury-in-fact.
Affirming the trial court’s dismissal of the action, the Illinois Appellate Court agreed with the defendant’s argument, concluding that the increased risk of harm arising out of a data breach is inadequate to confer standing on consumers. The Illinois Appellate Court noted the similarity between Illinois’ and federal standing principles, and relied for the most part on federal decisions, including Clapper v. Amnesty International USA, Inc., 133 S.Ct. 1138 (2013) – a case which the Seventh Circuit interpreted as not completely foreclosing on the use future injuries to support Article III standing. Yet, in stark contrast to recent federal court decisions, the Illinois Appellate Court opined that where no identity theft had yet occurred, the elevated risk of such harm was too speculative and conclusory to be considered a distinct and palpable injury.
The plaintiffs in Maglio also tried to achieve standing by alleging that they suffered emotional injury as a result of the data breach, such as anxiety, and that their privacy had been invaded. Again, the court found such allegations to be speculative and therefore insufficient, absent allegations of actual disclosure of personal information.
We expect to see fewer data breach class actions being filed in Illinois state courts – long criticized as plaintiff-friendly venues – and an uptick in federal court filings. The full opinion is available here.