A magistrate judge in the Western District of New York recently recommended dismissing the putative class action Tassmer et al v. Professional Business Systems, concluding that any risk of identity theft or other injury was too “speculative” to show standing.  The recommendation is in line with numerous other federal circuit and district courts similarly requiring plaintiffs in data breach cases to show concrete harm, not merely a risk of future harm.  This recommendation, if adopted, will be another helpful precedent for companies facing class action lawsuits as a result of a data breach or cyber hack.

In December 2020, hackers accessed data held by Professional Business Systems (doing business as Practicefirst Medical Management Solutions and PBS Medcode Corporation), stealing information on approximately 1.2 million patients of medical providers who used Practicefirst’s medical management services.  The stolen data reportedly included sensitive personal information, such as Social Security numbers, bank account and credit/debit card information, and medical diagnoses.  Practicefirst was then subjected to a ransomware attack, where computer system access was blocked until a fee to restore access was paid.

The four plaintiffs brought a putative class action after being notified of the data breach in June and July 2021.  They alleged injuries relating to diminution of value of their personal information, violation of privacy, and imminent injury from the increased risk of identity theft and fraud.  They also alleged they had spent time and resources ensuring the security of their accounts.

Magistrate Judge Michael Roemer concluded the plaintiffs lacked Article III standing to sue because they had not alleged any actual or imminent threat of future harm and a separate concrete harm.  The judge first noted that several cases, including the U.S. Supreme Court’s June 2021 decision in TransUnion LLC v. Ramirez, made clear that a plaintiff alleging a risk of future harm must also allege “a separate, concrete harm that was caused by exposure to the imminent risk and is proportional to the actual likelihood of the future harm occurring.”  

The judge then analyzed plaintiffs’ claims under the Second Circuit’s three-factor test for standing in data breach cases from McMorris v. Carlos Lopez and Associates, LLC.  The judge concluded that the primary purpose for the hack was not to steal data; rather, it was a “garden-variety ransomware attack.”  Thus, plaintiffs had not alleged a targeted attempt or clear intent to use the data for identity theft or fraud.  Further, none of the plaintiffs had yet experienced any fraud or identity theft.  The sensitive nature of the stolen information did not “by itself” demonstrate a “substantial risk of future identity theft” or fraud.  Because there was no such substantial risk, plaintiffs’ time and resources taken to protect their accounts was manufactured in anticipation of non-imminent harm.  The judge also decided that plaintiffs lacked standing based on any diminution in value of their data, since they never specified how the information was devalued or that they sold their data for a decreased price.  Finally, the judge rejected any theory of standing based on a common-law tort of violation of privacy rights.

For other class action standing coverage, see previous Inside Class Action posts on the Supreme Court’s June 2021 decision TransUnion LLC v. Ramirez and the Second Circuit’s decision reconsidering its standing precedent in light of Ramirez.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kathryn Cahoy Kathryn Cahoy

Kate Cahoy co-chairs the firm’s Class Actions Litigation Practice Group and serves on the leadership committee for the firm’s Technology Industry Group. She defends clients in complex, high-stakes class action disputes and has achieved significant victories across various industries, including technology, entertainment, consumer…

Kate Cahoy co-chairs the firm’s Class Actions Litigation Practice Group and serves on the leadership committee for the firm’s Technology Industry Group. She defends clients in complex, high-stakes class action disputes and has achieved significant victories across various industries, including technology, entertainment, consumer products, and financial services. Kate has also played a key role in developing the firm’s mass arbitration defense practice. She regularly advises companies on the risks associated with mass arbitration and has a proven track record of successfully defending clients against these challenges.

Leveraging her success in class action litigation and arbitration, Kate helps clients develop strategic and innovative solutions to their most challenging legal issues. She has extensive experience litigating cases brought under California’s Section 17200 and other consumer protection, competition, and privacy laws, including the Sherman Act, California Consumer Privacy Act (CCPA), California Invasion of Privacy Act (CIPA), Wiretap Act, Stored Communications Act, Children’s Online Privacy Protection Act (COPPA), Video Privacy Protection Act (VPPA), along with common law and constitutional rights of privacy, among others.

Recent Successes:

Represented Meta (formerly Facebook) in a putative nationwide advertiser class action alleging violations under the California Unfair Competition Law (UCL) related to charges from allegedly “fake” accounts. Successfully narrowed claims at the pleadings stage, defeated class certification, opposed a Rule 23(f) petition, won summary judgment, and defended the victory on appeal to the Ninth Circuit. The Daily Journal selected Covington’s defense of Meta as one of its 2021 Top Verdicts, and Law.com recognized Kate as a Litigator of the Week Shoutout.
Defeated a landmark class action lawsuit against Microsoft and OpenAI contending that the defendants scraped data from the internet for training generative AI services and incorporated data from users’ prompts, allegedly in violation of CIPA, the Computer Fraud and Abuse Act (CFAA), and other privacy and consumer protection laws.

Kate regularly contributes to the firm’s blog, Inside Class Actions, and was recently featured in a Litigation Daily interview titled “Where Privacy Laws and Litigation Trends Collide.” In recognition of her achievements in privacy and antitrust class action litigation, the Daily Journal named her as one of their Top Antitrust Lawyers (2024), Top Cyber Lawyers (2022), and Top Women Lawyers in California (2023). Additionally, she received the Women of Influence award from the Silicon Valley Business Journal and was recognized by Daily Journal as a Top Attorney Under 40.