A magistrate judge in the Western District of New York recently recommended dismissing the putative class action Tassmer et al v. Professional Business Systems, concluding that any risk of identity theft or other injury was too “speculative” to show standing. The recommendation is in line with numerous other federal circuit and district courts similarly requiring plaintiffs in data breach cases to show concrete harm, not merely a risk of future harm. This recommendation, if adopted, will be another helpful precedent for companies facing class action lawsuits as a result of a data breach or cyber hack.
In December 2020, hackers accessed data held by Professional Business Systems (doing business as Practicefirst Medical Management Solutions and PBS Medcode Corporation), stealing information on approximately 1.2 million patients of medical providers who used Practicefirst’s medical management services. The stolen data reportedly included sensitive personal information, such as Social Security numbers, bank account and credit/debit card information, and medical diagnoses. Practicefirst was then subjected to a ransomware attack, where computer system access was blocked until a fee to restore access was paid.
The four plaintiffs brought a putative class action after being notified of the data breach in June and July 2021. They alleged injuries relating to diminution of value of their personal information, violation of privacy, and imminent injury from the increased risk of identity theft and fraud. They also alleged they had spent time and resources ensuring the security of their accounts.
Magistrate Judge Michael Roemer concluded the plaintiffs lacked Article III standing to sue because they had not alleged any actual or imminent threat of future harm and a separate concrete harm. The judge first noted that several cases, including the U.S. Supreme Court’s June 2021 decision in TransUnion LLC v. Ramirez, made clear that a plaintiff alleging a risk of future harm must also allege “a separate, concrete harm that was caused by exposure to the imminent risk and is proportional to the actual likelihood of the future harm occurring.”
The judge then analyzed plaintiffs’ claims under the Second Circuit’s three-factor test for standing in data breach cases from McMorris v. Carlos Lopez and Associates, LLC. The judge concluded that the primary purpose for the hack was not to steal data; rather, it was a “garden-variety ransomware attack.” Thus, plaintiffs had not alleged a targeted attempt or clear intent to use the data for identity theft or fraud. Further, none of the plaintiffs had yet experienced any fraud or identity theft. The sensitive nature of the stolen information did not “by itself” demonstrate a “substantial risk of future identity theft” or fraud. Because there was no such substantial risk, plaintiffs’ time and resources taken to protect their accounts were manufactured in anticipation of non-imminent harm. The judge also decided that plaintiffs lacked standing based on any diminution in value of their data, since they never specified how the information was devalued or that they sold their data for a decreased price. Finally, the judge rejected any theory of standing based on a common-law tort of violation of privacy rights.
For other class action standing coverage, see previous Inside Class Action posts on the Supreme Court’s June 2021 decision TransUnion LLC v. Ramirez and the Second Circuit’s decision reconsidering its standing precedent in light of Ramirez.