The United States District Court of Maryland recently dismissed a putative class action alleging that CareFirst’s failure to adequately secure the computer hardware storing its customers’ personal information led to two separate data breaches in June 2014 and May 2015. Plaintiffs alleged that CareFirst knew or should have known that a data breach could have occurred because the information stolen is “highly coveted by and a frequent target of hackers.” Plaintiffs also alleged that CareFirst’s customers had a “reasonable expectation” that their personal information would remain private and confidential. Thus, plaintiffs alleged negligence, breach of implied contract, unjust enrichment, declaratory judgment pursuant to the Declaratory Judgment Act, and violation of the Maryland Personal Information Act. In moving to dismiss the complaint, defendants argued that the plaintiffs did not have Article III standing. Joining the majority of federal courts, the court agreed.
The court separately addressed each of the four forms of alleged injury stemming from the data breaches: (1) an increased risk of identity theft, (2) incurred mitigation costs, (3) loss of the benefit of the bargain, and (4) decreased value of their personal information. First, the court held that the mere loss of data without evidence of misuse does not constitute injury. The court characterized the plaintiffs’ unrealized injury as based on a “chain of assumptions that must occur before the harm materializes.” Most importantly, the court was not persuaded by plaintiffs’ efforts to establish that any harm was “actual or imminent.” Responding to a previously reported case, the court distinguished Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 692-64 (7th Cir. 2015) based on the fact that customers in Remijas had actually experienced fraudulent charges, so “there was no need to speculate” as to the harm’s imminence. Plaintiffs’ imminence allegations failed because there were no instances of misuse, and even if there were, plaintiffs did not state how the hackers would use the limited amount of stolen personal information — names, birthdates, email addresses, and subscriber identification numbers — that did not include credit card or social security numbers.
Second, the court held that the expenses incurred by only one of the plaintiffs in obtaining credit-monitoring services do not constitute an injury for the purposes of Article III standing. Citing Clapper v. Amnesty International USA, 133 S.Ct. 1138, 1151 (2013), the court held that plaintiffs “cannot manufacture standing” by incurring expenses to stave off non-impending harm based solely on “a non-paranoid fear.” Thus, absent any “certainly impending” harm, the purchase of credit monitoring did not qualify as an injury-in-fact. Third, the plaintiffs alleged that the data breach caused a loss of the benefit of their bargain with CareFirst. The court found that plaintiffs failed to quantify any loss attributed to the data breach. Fourth, the court summarily dismissed the idea that the data breach diminished the intrinsic value of plaintiffs’ personal information, since the plaintiffs did not attempt to sell their personal information, or, if they had, did not do so at a decreased price. The court thus found that the plaintiffs lacked Article III standing and dismissed the putative class action.
The authors would like to acknowledge the contributions of Thomas Rucker, summer associate from George Mason University, in the preparation of the article.