On October 17, the District of Massachusetts added to the growing line of federal courts that have held a mere data breach, without additional harm, is insufficient to grant customers Article III standing.  See Webb v. Injured Workers Pharmacy, LLC, 2022 WL 10483751, at *1 (D. Mass. Oct. 17, 2022).  In February 2022, a home delivery pharmacy notified over 75,000 affected customers that hackers broke through its defenses and accessed patients’ personal data.  Two of these customers filed a putative class action against the pharmacy, alleging various tort and contract theories.  The court dismissed their claims for lack of standing, holding that plaintiffs had failed to allege any actionable harm stemming from the data breach despite their allegations that the breach caused them significant emotional harm.

Webb is notable because the plaintiffs attempted to distinguish their situation from other data breach cases that courts dismissed on similar standing grounds.  Unlike in those cases, which did not allege emotional injuries associated with the stress of potential data misuse, the plaintiffs in Webb argued that they suffered “anxiety, sleep disruption, stress, and fear” and spent “considerable time and effort” monitoring their accounts for suspicious activity.  Moreover, one plaintiff suggested—without alleging causation—that the data breach might have led to the filing of a fraudulent tax return in her name. 

The court held that those allegations were insufficient.  According to the court, some “future possibility that an unauthorized third party will, at some undetermined time, misuse [the plaintiffs’]” information, was “not sufficiently threatening to establish an ‘injury in fact.’”  As to their emotional distress and monitoring allegations, the court concluded that the plaintiffs could not manufacture standing by “inflicting harm on themselves based on . . . hypothetical future harm.”  In addition, the court held that the fact that fraudulent tax returns were filed in one plaintiff’s name was insufficient to avoid dismissal because the plaintiffs failed to allege that the data breach caused the fraudulent returns to be filed or point to any harm stemming from the fraudulent filing. 

This decision reinforces the standing hurdles for plaintiffs to clear in data-breach cases in the wake of TransUnion LLC v. Ramirez,141 S. Ct. 2190 (2021).

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of James Holloway James Holloway

James Holloway advises companies and trade associations on FDA regulation of cosmetic, food, dietary supplement, drug, and medical device products as well as advertising and consumer protection law. With a focus on consumer products, James regularly counsels clients on how to minimize FDA…

James Holloway advises companies and trade associations on FDA regulation of cosmetic, food, dietary supplement, drug, and medical device products as well as advertising and consumer protection law. With a focus on consumer products, James regularly counsels clients on how to minimize FDA, FTC, state, and consumer class action risks while advancing their business objectives. His practice encompasses issues related to product labeling and marketing, favorable regulatory classifications, Proposition 65, mobile medical applications, strategic engagement with regulators and legislators, and FDA’s implementation of the Modernization of Cosmetics Regulation Act (MoCRA).

James also advises on a range of advertising and consumer protection issues including influencers, claim substantiation, and green claims. He also has experience representing clients before the NAD and in investigations conducted by the FTC regarding product marketing practices.