Duane Morris Data Breach Class Action Review — 2024

fraudulent tax return filed in Webb’s name did not sufficiently allege a connection between the data breach and this false return. Id. at *6-7. The district court also opined that, as to the complaint’s other allegations, the potential future misuse of the plaintiff’s PII was not sufficiently imminent to establish an injury-in-fact and that actions to safeguard against this risk could not confer standing either. Id. at *7. The district court did not reach the defendant’s Rule 12(b)(6) arguments because the case was dismissed under Rule 12(b)(1). Id.
On the plaintiffs’ appeal, the First Circuit reversed the district court’s ruling. It held that the plaintiffs plausibly alleged a concrete injury-in-fact. With regard to Plaintiff Webb, the First Circuit concluded that “the complaint plausibly alleged a concrete injury in fact as to Webb based on the plausible pleading that the data breach resulted in the misuse of her PII by an unauthorized third party (or third parties) to file a fraudulent tax return.” Id. at *10-11. The First Circuit rejected the district court’s conclusion that the complaint did not plausibly allege a connection between the data breach and the filing of the false tax return. Id. at *13. Instead, the First Circuit opined “[t]here is an obvious temporal connection between the filing of the false tax return and the timing of the data breach.” Id. Turning to Plaintiff Charley, the First Circuit held that in light of the plausible allegations of some actual misuse, the complaint plausibly alleged a concrete injury in fact based on the material risk of future misuse of Charley’s PII and a concrete harm caused by the exposure to this risk. Id. at *15. Further, the First Circuit asserted that the totality of the complaint plausibly alleged an imminent and substantial risk of future misuse of the Plaintiffs’ PII. Id. at *19.
In addition, the First Circuit found the complaint’s allegations satisfied the traceability and redressability standing requirements. Id. at *21. The complaint alleged that the defendant’s actions led to the exposure and actual or potential misuse of the plaintiffs’ PII, thereby making their injuries “fairly traceable to IWP’s conduct.” Id. As to redressability, the First Circuit stated that “monetary relief would compensate [the plaintiffs] for their injur[ies], rendering the injur[ies] redressable.” Id. at *22. The First Circuit thus held that the plaintiffs supported each of their five causes of action for damages with at least one injury-in-fact caused by the defendant and redressable by a court order. Id. Finally, the First Circuit affirmed the district court’s ruling that the plaintiffs lacked standing to seek injunctive relief, stating that they faced “much the same risk of future cyberhacking as virtually every holder of private data.” Id. at *24. For these reasons, the First Circuit affirmed the district court’s holding that Plaintiffs lacked standing to seek injunctive relief.
In Whitfield, et al. v. ATC Healthcare Services, LLC, 2023 U.S. Dist. LEXIS 147602 (E.D.N.Y. Aug. 22, 2023), the plaintiff, a former employee and Illinois citizen, filed a class action alleging that the defendant, a Georgia-based healthcare staffing company with its principal place of business in New York, exposed her and others’ highly sensitive personal identifying information (PII) and personal health information (PHI) when it was subjected to a data breach by cybercriminals. The plaintiff further alleged that she spent time and effort dealing with the consequences of the breach and that subsequently, her debit card and bank account were compromised three times.
The defendant confirmed to employees after the breach that the employee information exposed included “names, Social Security numbers, driver’s licenses, financial account information, usernames, passwords, passport numbers, biometric data, medical information, health insurance information, electronic/digital signatures and employer-assigned identification numbers.” Id. at *3. The defendant filed a motion to dismiss the claims pursuant to Rule 12(b)(1) or Rule 12(b)(6). The court denied the motion in part and granted it in part. The defendant contended that the plaintiff lacked standing based on her failure to establish that the defendant caused her a concrete injury, and that she instead asserted speculative allegations of a risk of non-imminent, future harm. The plaintiff argued that the defendant’s failure to prevent the data breach caused concrete injuries, including a “disclosure of private information,” identity theft, lost time and expenses, emotional damages, and the “lost benefit of the bargain.” Id. at *7. The court agreed with the plaintiff that her alleged injuries established standing under Article III and thereby denied the motion to dismiss pursuant to Rule 12(b)(1). The defendant further argued that the claims should be dismissed for failure to state a claim and failure to plausibly plead attendant damages. The court rejected this argument on the basis that a data breach victim who plausibly alleges a post-breach misuse of her PII/PHI, which the plaintiff did, may seek associated damages. Finally, the court determined that the plaintiff pled facts sufficient to support her claim under the Illinois Biometric Information Privacy Act, which prohibits the disclosure or dissemination of a person’s biometric identifiers or information without that person’s consent. Id. at *19. For these reasons, the court denied the defendant’s motion to dismiss.

© Duane Morris LLP 2024
