A federal judge in New York has reinstated claims brought against a healthcare provider by customers whose personal information was exposed in the 2015 data breach of Excellus BlueCross Blue Shield. The breach affected the information of as many as 10.5 million individuals.
Last week, U.S. District Judge Elizabeth A. Wolford granted plaintiffs’ motion for reconsideration and reversed her prior partial grant of a motion to dismiss, finding that the U.S. Court of Appeals for the Second Circuit was likely to find that a data breach resulting in the disclosure of personally identifiable information leading to a risk of future identify theft is sufficient to give a plaintiff standing to pursue claims relating to that breach. The case is Fero v. Excellus Health Plan, 6:15-CV-06569 (Jan. 19, 2018).
In doing so, Judge Wolford is the second district court in the Second Circuit to reach the conclusion that the risk of future identify theft is sufficient to confer Article III standing. Her decision is consistent with other cases from the Sixth, Seventh, Ninth, and D.C. Circuits. The Third, Fourth, and Eighth Circuits have reached the opposition conclusion.
By way of background, in February 2017 Judge Wolford issued her initial ruling on the defendants’ motion to dismiss. See Fero v. Excellus Health Plan, Inc., 236 F. Supp. 3d 735 (W.D.N.Y 2017). Excellus is a healthcare provider and had been the victim of a series of data breaches in which hackers had obtained access to a variety of PII, including names, dates of birth, social security numbers, addresses, prior medical claims, and other sensitive information.
A number of plaintiffs subsequently filed claims against Excellus and related entities claiming that the defendants had failed to employ appropriate safeguards with respect to the PII. Many of the plaintiffs were able to allege specific, negative events that they claimed resulted from the breach, such as the filing of false tax returns, identity theft, or fraudulent credit card charges. Four plaintiffs, however, had not suffered any specific consequences, but claimed that they faced an increased risk of identity theft in the future.
The defendants moved to dismiss on a variety of grounds, including that plaintiffs lacked Article III standing based on their failure to plead an injury-in-fact caused by the defendants’ conduct. The district court found that the plaintiffs who alleged they had suffered specific consequences (such as an incident of identity theft of false charges) had pleaded sufficient facts to establish standing. But after a thorough survey of the case law, the court concluded that the risk of future identify theft was not “certainly impending” under the standards of the Supreme Court’s decisions in Spokeo, Inc. v. Robins, 136 S.Ct. 1540 (2016) and Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013) to confer standing. Accordingly, it dismissed the claims of the four plaintiffs who could not plead a specific misuse of their data (the so-called “non-misuse” plaintiffs.) The district court also concluded that money spent on prophylactic measures (such as credit monitoring) also could not suffice, as it would allow a plaintiff to manufacture standing where none existed.
In its most recent decision, the district court reversed its decision with regard to the non-misuse plaintiffs, finding that the Second Circuit’s unreported decision in Whalen v. Michaels Stores, Inc., 689 Fed. Appx. 89 (2d Cir. 2017) suggested that the Second Circuit would ultimately align itself with the circuits that found the risk of future identify theft was sufficient to confer standing. In Whalen, the defendant had suffered a data breach that had led to the disclosure of the plaintiff’s credit card information. After noticing fraudulent charges on her card, the plaintiff promptly cancelled it (and there were no allegations that she had to pay the fraudulent charges). The district court found that, in light of the lack of injury, she lacked standing to pursue any claims. The Second Circuit, in affirming the dismissal, noted that “[plaintiff] does not allege how she can plausibly face a threat of future fraud, because her stolen credit card was promptly cancelled after the breach and no other personally identifying information—such as her birth date or Social Security number—is alleged to have been stolen.” In reaching this conclusion, the Second Circuit cited, by way of comparison, the Sixth Circuit’s decision in Galaria v. Nationwide Mut. Ins. Co., 663 Fed. Appx. 384 (6th Cir. 2016), which found standing when such information had been stolen.
Although the Whalen court ultimately concluded there was no standing in that case, Judge Wolford found the distinction it made in citing the Sixth Circuit’s decision to be critical, and suggestive of the way it would eventually rule on the issue of standing with respect to risk of future identify theft. Unlike in Whalen (where the data breach was limited to credit card information and the consequences were promptly curtailed), it concluded that the type of PII disclosed in the Excellus breach could lead to a variety of future fraudulent conduct, and as such gave the “non-misuse” plaintiffs standing to pursue their claims. See Fero v. Excellus Health Plan, Inc., 2018 U.S. Dist. LEXIS 8999 (W.D.N.Y. Jan. 19, 2018).
The district court in Sackin v. Transperfect Global, Inc., 2017 U.S. Dist. LEXIS 164933 (S.D.N.Y. Oct. 4, 2017), reached a similar conclusion. Sackin also involved a data breach where hackers gained access to PII including names, addresses, dates of birth, Social Security numbers, and banking information. The Sackin court, like the Excellus court, noted that the disclosure of this type of information could lead to a variety of fraudulent acts by the hackers (or third parties who subsequently purchased the information) and read Whalen to suggest that the Second Circuit would recognize this as an in injury-in-fact.
The Sackin court further looked to the probable motivation of the hackers, noting that given the nature of the breach, “[t]he most likely and obvious motivation for the hacking is to use Plaintiffs’ PII nefariously or sell it to someone who would.” In doing so, it distinguished cases from other circuits where the motivation behind the breach was less clear (such as a case where a laptop containing PII was stolen, but there was no evidence that the PII, as opposed to the laptop itself, was the target of the thief’s efforts).
This is still an evolving area of the law, and the decisions of the Excellus and Sackin courts are no guarantee of how the Second Circuit might eventually rule.