The plaintiffs in Teeter, et al. v. EasterSeals-Goodwill North Rocky Mountain, Inc., 2023 U.S. Dist. LEXIS 35347 (D. Mont. Mar. 2, 2023), filed a class action alleging that the company failed to take reasonable measures to assure the security of personal identifying information (PII) that was subject to a data breach. The plaintiff alleged that she was subjected to identity theft; loss of an opportunity to determine how PHI/PII and financial information is used; and compromise, publication, and/or theft of personal information in connection with the breach. The plaintiff asserted seven causes of action, including: (i) negligence; (ii) negligence per se ; (iii) invasion of privacy; (iv) breach of confidence; (v) breach of implied contract; (vi) breach of the implied covenant of good faith and fair dealing; and (vii) unjust enrichment. The defendant filed a motion to dismiss pursuant to Rule 12(b)(1) and Rule 12(b)(6), which the court granted in part and denied in part. The defendant argued that the plaintiff failed to allege any injury because the evidence indicated that the actors responsible for the data breach never targeted employee information. The plaintiff contended that she sufficiently alleged that she lost time in dealing with the implications of the breach, and that constituted a concrete, particularized injury. The court declined to dismiss the action on standing grounds and thus analyzed the merits of the plaintiff ’ s claims. The defendant argued that the plaintiff failed to establish a duty necessary to support her negligence claim. The plaintiff alleged that the defendant failed to take adequate precautions to prevent the data breach; that there was some degree of moral blame for the breach; that holding defendant liable would not impose too great a burden and would benefit the public; that appropriate insurance was available; and that the consequences of the breach proved foreseeable. The court ruled that the plaintiff ’ s complaint contained sufficient factual allegations, taken as true, to state a viable claim that a common law duty exists for purposes of the negligence claim. However, the court dismissed the remaining claims from the action, finding that the plaintiff failed to state a claim for those allegations. Accordingly, the court granted in part and denied in part the defendant ’ s motion to dismiss. In one of the most significant data breach decisions of 2023, a former employee filed a class action in Bohnak, et al. v. Marsh & McLennan Cos., 2023 U.S. App. LEXIS 22390 (2d Cir. Aug. 24, 2023), alleging that the defendants exposed personally identifying information (PII) to unauthorized actors after being subjected to a data breach. The district court granted the defendants’ motion to dismiss for lack of standing and failure to establish an injury-in-fact. On appeal, the Second Circuit reversed and remanded the district court ’ s ruling. The Second Circuit determined that the plaintiff ’ s allegation that an unauthorized third party accessed her name and Social Security number (SSN) through a targeted data breach provided her with Article III standing to bring the action against the defendants to whom she had entrusted her PII. Id. at *4. The Second Circuit further ruled that the district court erred in dismissing the plaintiff ’ s claims for failure to plausibly allege cognizable damages because by pleading a sufficient Article III injury-in-fact, the plaintiff also satisfied the damages element of a valid claim for relief. Id. The plaintiff specifically asserted that despite the sensitivity of the data in the defendants’ possession, they did not secure the data from potential unauthorized actors through encryption, and it was accessed by hackers in the data breach. The district court concluded that the plaintiff could not establish standing merely by virtue of the risk of future misuse of her PII. The Second Circuit disagreed. It found the plaintiff ’ s claims to be identical to the claims of the plaintiffs in TransUnion LLC v. Ramirez, et al., 141 S.Ct. 2190 (2021), and that under TransUnion , the plaintiff ’ s alleged injuries arising from the risk of future harm are concrete. In TransUnion , the U.S. Supreme Court specifically recognized that “disclosure of private information” was an intangible harm “traditionally recognized as providing a basis for lawsuits in American courts.” 141 S. Ct. at 2204. Therefore, the Second Circuit found that the Supreme Court described an injury arising from such disclosure as “concrete” for purposes of the Article III analysis. Id. at *18. The Second Circuit further reasoned that the plaintiff ’ s allegations established a concrete injury because she asserted that, among other things, she incurred “out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft” and “lost time” and other “opportunity costs” associated with attempting to mitigate the consequences of the data breach. Id. at *19. The Second Circuit concluded that the plaintiff: (i) alleged that her PII was exposed as a result of a data breach; (ii) that the PII taken by the hackers included her name and SSN. From these allegations the Second Circuit opined that the targeted hack that exposed the plaintiff ’ s name and SSN to an unauthorized actor were sufficient to suggest a substantial likelihood of future harm, thereby satisfying the “actual or imminent harm” component of the injury-in-fact analysis. For
10
© Duane Morris LLP 2024
Duane Morris Data Breach Class Action Review – 2024
Made with FlippingBook - professional solution for displaying marketing and sales documents online