As the number of data breaches seems to increase every day, so does the number of lawsuits being filed. While the litigation is growing, the need for evidence of actual misuse of personal information is not. Recent cases demonstrate that custodians of personal information may face liability after a security breach, even without any evidence that the personal information was actually misused.
Recent Cases Show Expansive View of Standing
Two recent cases underscore this trend. In Resnick et al. v. AvMed Inc., 1:10-cv-24513 (S.D.Fla 2014), laptops were stolen from the corporate headquarters of AvMed, a health insurer. The laptops, which were unencrypted, contained information of approximately 1.2 million current and former AvMed members. Some AvMed customers whose information was stored on the stolen laptops did not experience any identity theft, although other customers had. The District Court for the Southern District of Florida twice dismissed the action. On appeal, the Eleventh Circuit Court of Appeals overturned the dismissal, finding that the plaintiffs sufficiently pled a claim for unjust enrichment by alleging that this group paid monthly premiums to AvMed, which used the premiums partly to pay for the costs of data management and security. In February 2014, the District Court approved a settlement agreement between the plaintiffs and AvMed that established additional security protocols and a $3 million settlement fund, available even in the absence of identity theft.
A similar result was reached in Tabata et al. v. Charleston Area Medical Center Inc., 13-0766 (W.Va. 2014). The Supreme Court of Appeals of West Virginia reversed a lower court order denying class certification in a case involving accidental disclosure of personal health information (PHI) of patients of the Charleston Area Medical Center. During discovery, it was learned that neither party was aware of any actual or attempted identity theft as a result of the accidental posting of the information. The Supreme Court of Appeals nevertheless found that the plaintiffs had established standing by alleging causes of action for breach of confidentiality and invasion of privacy, simply because of the legal interest in having medical information kept confidential. It reached this result even though there was no showing of any misuse of the PHI.
Increased Risk of Liability for Security Breaches
As Resnick and Tabata show, a breach of personal information can result in liability for the custodian of the data, even in the absence of evidence that the information was misused or that any customers were the victims of identity theft. Courts have been willing to accept theories that a security breach alone is an independently cognizable injury. Because of the greater potential for liability, compliance with state and federal cybersecurity provisions is increasingly important.
In addition to the liability that may result from lawsuits stemming from security breaches, custodians of PHI face penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA), which imposes civil money penalties for such breaches of PHI. The federal government can also enter into settlement agreements that require a corrective action plan to prevent further breaches. Although HIPAA states that there is no private right of action for HIPAA violations, the cases above show that custodians of PHI may still face liability in private litigation.