District Court Finds No Standing to Sue after Security Breach, Holding Mere Loss of Personal Information Is Not an Injury
The U.S. District Court for the Eastern District of California held that where personal information was lost, and not stolen, and there was no more evidence of credible threat of real and immediate harm, such as a risk of identity theft, the loss did not meet the injury in fact requirement for standing under Article III. Therefore, the court dismissed a putative class action against Health Net of California, Inc. and International Business Machines Corporation (“IBM”) that claimed violation of California privacy statutes resulting from IBM’s loss of computer servers containing the plaintiffs’ medical information.
IBM Lost Drives Containing Personal Medical Information
IBM managed Health Net’s information technology infrastructure, including its members’ information. In January 2011, IBM notified Health Net that it had lost nine Health Net server drives containing the personal and medical information of over 800,000 California residents, including plaintiffs. Health Net sent its members a letter in March 2011 to inform them.
Three of the drives were later located, but the others, which contained plaintiffs’ information, remained missing. Dwight Whitaker filed a class action against Health Net and IBM claiming violation of the Confidentiality of Medical Information Act (“CMIA”), Cal. Civ. Code § 56 and the Customer Records Act (“CRA”), Cal. Civ. Code § 1798.82. The putative class consisted of “[a]ll current or former members of Health Net of California, Inc. who were notified . . . that their health information was included on missing Health Net server drives.” Whitaker at 2. Defendants moved to dismiss.
Standing Required Real and Immediate Harm
IBM asserted that plaintiffs lacked standing to sue because they did not claim that they had suffered any injury, and plaintiffs bore the burden of establishing standing. As the court explained
To demonstrate standing, a plaintiff must (1) have suffered an injury in fact — an invasion of a legally protected interest which is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) there must be a causal connection between the injury and the conduct complained of — the injury has to be fairly … traceable to the challenged action of the defendant, and not . . . the result [of] the independent action of some third party not before the court; and (3) it must be likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.
Id. at 3 (quoting Pritikin v. Dep’t of Energy, 254 F.3d 791, 796–97 (9th Cir. 2001)). In support for their claim, plaintiffs cited a Ninth Circuit opinion which held that “If a plaintiff faces ‘a credible threat of harm,’ and that harm is ‘both real and immediate, not conjectural or hypothetical,’ the plaintiff has met the injury-in-fact requirement for standing under Article III.” Id. (quoting Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010)). Plaintiffs also cited Ruiz v. Gap, Inc., 380 Fed. Appx. 689 (9th Cir. 2010) in which the Ninth Circuit held in a security breach case that a risk of identity theft was not conjectural, but was an alleged injury sufficient to confer standing. For more detailed information about that opinion, see Ninth Circuit Finds Risk of ID Theft Sufficient for Standing, But Not Enough to Maintain Negligence Claim, Bloomberg Law Reports® – Privacy & Information, Vol. 3, No. 7. (July 2010).
Plaintiffs Did Not Allege Real Harm
Plaintiffs argued that the Ninth Circuit’s test for standing under Krottner and Ruiz was met, due to the threat of harm posed to them as a result of the loss of their personal information. The court distinguished these cases, noting that they were based on the theft, not just loss, of information. In these cases, the plaintiffs faced a “credible threat of real and immediate harm” from the theft of a laptop containing personal data. Whitaker at 4 (quoting Krottner, 628 F.3d at 1143).
The court observed that even if it accepted plaintiff’s argument that loss and theft were equivalent, plaintiffs failed to explain how IBM’s loss of their data harmed or threatened to harm them. “Any harm stemming from their loss thus is precisely the type of conjectural and hypothetical harm that is insufficient to allege standing.” Id. (citing Birdsong v. Apple, Inc., 590 F.3d 955, 961 (9th Cir. 2009)).
The court cited Low v. LinkedIn Corp., 2011 BL 292771 (N.D. Cal. 2011), in which the court found no standing for plaintiffs who alleged only a possible future harm. In that case, the plaintiff claimed that LinkedIn disclosed its members’ private information to third parties, but he did not identify the information actually disclosed, or allege that his information was actually transmitted to third parties, or how he was harmed. While the plaintiffs in Krottner alleged harm from the actual publication or theft of their personal data, Low did not allege that he was a likely target of identity theft or that his sensitive data was exposed to the public. For an analysis of the court’s opinion in Low, see District Court Grants LinkedIn’s Motion to Dismiss Class Action Suit Based on Unauthorized Disclosure of Cookie Information, Bloomberg Law Reports®–Technology Law, Vol. 3, No. 25 (Dec. 12, 2011).
The court noted that in the instant case, the only allegation of particularized immediate harm was a letter one plaintiff had received informing parents that their minor child’s Social Security number had been misused. The child was not a named plaintiff, so this evidence did not confer standing, which requires a showing that plaintiffs were personally injured. “It is not enough that the conduct of which the plaintiff complains will injure someone. The complaining party must also show that he is within the class of persons who will be concretely affected.” Id. at 6 (quoting Blum v. Yaretsky, 457 U.S. 991, 999 (1982)). “Here, the threat plaintiffs allege is wholly conjectural and hypothetical; plaintiffs lack standing to bring these claims,” the court wrote. Id. Accordingly, the court dismissed the claims, with leave to amend the complaint.
This document and any discussions set forth herein are for informational purposes only, and should not be construed as legal advice, which has to be addressed to particular facts and circumstances involved in any given situation. Review or use of the document and any discussions does not create an attorney-client relationship with the author or publisher. To the extent that this document may contain suggested provisions, they will require modification to suit a particular transaction, jurisdiction or situation. Please consult with an attorney with the appropriate level of experience if you have any questions. Any tax information contained in the document or discussions is not intended to be used, and cannot be used, for purposes of avoiding penalties imposed under the United States Internal Revenue Code. Any opinions expressed are those of the author. Bloomberg Finance L.P. and its affiliated entities do not take responsibility for the content in this document or discussions and do not make any representation or warranty as to their completeness or accuracy.
©2012 Bloomberg Finance L.P. All rights reserved. Bloomberg Law Reports ® is a registered trademark and service mark of Bloomberg Finance L.P.