In June, we discussed a putative class action filed in the Eastern District of Pennsylvania concerning a data breach involving COVID-contact tracing data. Following the Plaintiff’s filing of an amended complaint, the remaining Defendant has now moved to dismiss on both standing and substantive grounds. Read on below.
To recap the alleged facts underlying this litigation: Plaintiff alleges that a contractor was retained by the Pennsylvania Department of Health (“DOH”) in the midst of the COVID pandemic to contact individuals who were either diagnosed with or in close proximity to individuals diagnosed with COVID-19. Plaintiff alleges that notwithstanding representations that all protected health information (“PHI”) “obtained in connection with COVID-19 contact tracing would be kept private and confidential,” Defendants (including the contractor and Pennsylvania DOH) failed to take “appropriate or even the most basic steps to protect the PHI of Plaintiff and other class members from being disclosed.” This included the contractor purportedly having employees who used “unsecure data storage and communications methods,” which resulted in the disclosure of Plaintiff’s and class members’ PHI.
After the original complaint was filed, Plaintiff amended the pleadings to remove the Commonwealth of Pennsylvania as a defendant, leaving only the private company contracted to do contact tracing. She likewise abandoned her negligence per se claim and added a claim for breach of implied warranty, premised on the theory that each person who gave their personally identifying information (“PII”) to the Defendant had an implied agreement and/or warranty from the Defendant to keep that information private.
The Defendant’s motion to dismiss first attacks the complaint on standing. As readers of CPW are aware, one of the most hotly litigated areas in consumer privacy is standing—namely, the existence of a concrete, particularized injury. Following the Supreme Court’s decisions in Clapper v. Amnesty International, 568 U.S. 398 (2013), Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) and TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021), plaintiffs may no longer predicate liability under privacy laws on the fear of future events or precautionary steps taken to avoid injury. Instead, they must show that they have actually been harmed by a data event in a cognizable and concrete way.
Plaintiff’s amended complaint alleges a variety of harms commonly alleged in data breach litigation: time, energy, and money devoted to monitoring accounts, substantial risks of future identity theft, the receipt of unwanted phone calls and messages in the days after the breach occurred, and the diminishment of the value of PII. And Defendant raises the arguments that have resulted, fairly often, in full dismissal of claims on standing grounds: plaintiffs cannot generate harm for the purposes of standing by relying on steps taken to avoid harm, the fear of future harm, or spam communications that cannot be fairly attributed to the breach, and cannot imbue an independent monetary value to information that, presumably, a plaintiff would never actually sell.
Defendant also argues that Plaintiff’s negligence, publicity given to private life, and breach of implied warranty claims fail. The most interesting of these arguments concerns the breach of implied warranty claim, in which Plaintiff alleges that her provision of PII and Defendant’s acceptance of it create an implied contract and/or warranty to keep the information private. Defendant’s primary argument is that the scope of the contract, including the scope of Defendant’s duties, is simply undefined. Plaintiff’s claim also runs into an issue not normally present in data breach litigation: her PII was submitted for COVID contact tracing, the entire purpose of which is to ensure that the information is shared so that a network of contacts can be established. If PII given to a contact tracer cannot be shared, it is difficult to see why it was given in the first place.