plaintiff stated that now she has been required to take mitigation measures “to deter and detect identity theft and fraud,” including “placing ‘ freezes’ and ‘ alerts’ with credit reporting agencies, contacting [her] financial institutions, closing or modifying financial accounts, and closely reviewing [her] credit reports, financial accounts, explanations of benefits, and medical accounts for unauthorized activity.” Id. at *5. The court determined that a plaintiff suing for damages and injunctive relief from a data breach based on a risk that fraud or identity theft may occur in the future, without any facts to show a misuse of the data had occurred, failed to allege a concrete injury-in-fact and lacked standing. Id. at *6. The court thus concluded that the plaintiff failed to plausibly allege an actual, present injury that would support her claims for damages, or an imminent threat of future harm that would warrant injunctive relief. For these reasons, the court found that the plaintiff failed to allege sufficient facts to show an actual or imminent injury that would confer standing, and granted the defendant ’ s motion to dismiss. In Flores, et al. v. AON Corp., 2023 Ill. App. LEXIS 356 (Ill. App. 1st Dist. Sept. 29, 2023), the plaintiffs filed a class action alleging that the defendant failed to protect individuals’ personal information during a data breach. The trial court granted the defendant ’ s motion to dismiss for lack of standing. On appeal, the Illinois Appellate Court reversed in part and affirmed in part. The plaintiffs argued that the trial court erred in dismissing their complaint due to lack of standing, and stated that they sufficiently alleged: (i) their imminent risk of future identity theft or fraud, (ii) unauthorized charges experienced by some plaintiffs; (iii) the diminishment in the value of plaintiffs’ personal information; (iv) their emotional distress due to the data breach; and (v) the lost time they had spent responding to the data breach. Id. at *5-6. The defendant contended that the allegations were insufficient to establish injury-in-fact for standing purposes. The Appellate Court ruled that the negligence, privacy invasion, and Florida state law injunction claims were sufficient to state a claim. The Appellate Court further determined that the implied contract, consumer fraud and unjust enrichment claims should not have been dismissed with prejudice, as any defects could be cured in an amended complaint. The Appellate Court opined that the plaintiffs sufficiently alleged that they “face imminent, certainly impending, or a substantial risk of harm due to the data breach.” Id. at *9. Thus, the Appellate Court reversed the ruling granting dismissal of the implied contract, consumer fraud and unjust enrichment claims. However, the Appellate Court ruled that the plaintiffs’ claim for breach of implied contract was insufficiently pled because they failed to allege they suffered actual monetary damages. The Appellate Court also determined that the plaintiffs’ allegations including emotional stress, a loss of privacy, time spent responding to the breach, and certain other effects were not specific injuries under consumer fraud law. Further, the Appellate Court held that the plaintiffs’ unjust enrichment claims were insufficient because they failed to identify any benefit that the defendant received from the breach. Accordingly, the Appellate Court affirmed in part and reversed in part the circuit court ’ s ruling. In Gannon, et al. v. Truly Nolen Of America Inc., 2023 U.S. Dist. LEXIS 181410 (D. Ariz. Aug. 31, 2023), the defendant Truly Nolen of America Inc. is an Arizona corporation that provides pest control services across the United States and in 30 countries around the world. The defendant experienced a data breach between April 29, 2022 and May 11, 2022. On May 11, 2022, the defendant learned the breach occurred and identified personally identifiable information (PII) and personal health information (PHI) that was compromised. In August of 2022, the defendant sent notice letters to individuals whose data may have been compromised. The plaintiff alleged that she received her notice letter regarding the data breach in August of 2022. The plaintiff sought to represent two proposed classes, including one for a nationwide class and one for an Arizona sub-class related to the data breach. The plaintiff alleged numerous claims such as negligence, invasion of privacy, breach of implied contract, breach of the implied covenant of good faith and fair dealing, and violation of the Arizona Consumer Fraud Act (Fraud Act). Id. at *4. In response, the defendant filed a motion to dismiss on the grounds that the plaintiff ’ s case was without basis and the entire case was subject to dismissal. Id. The court held that there was no valid basis for the plaintiff ’ s negligence claim. The plaintiff argued that the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Trade Commission Act (FTCA) created a duty in Arizona from which relief could be sought. Id. at *4-5. The court disagreed. It found that neither the HIPAA nor the FTCA provided a private right of action. Id. at *5. The court reasoned that “[p]ermitting HIPAA to define the ‘ duty and liability for breach is no less than a private action to enforce HIPAA, which is precluded. ’ ” Id. The court applied the
13
© Duane Morris LLP 2024
Duane Morris Data Breach Class Action Review – 2024
Made with FlippingBook - professional solution for displaying marketing and sales documents online