The West Virginia Supreme Court of Appeals recently issued an important – but outlier – decision in a data breach class action. In a per curiam decision, the Court held that the plaintiffs had standing to bring their claims even though discovery revealed that not a single class member – much less the named plaintiffs – had suffered any property damage or economic losses. Tabata v. Charleston Area Med. Ctr., No. 13-0766, — S.E.2d —, 2014 WL 2439961 (W. Va. May 28, 2014). Indeed, the court found that, although some of plaintiffs’ personal information had accidentally been made available on a website, there was no evidence anyone had ever viewed that information. Despite this, the Court concluded that the plaintiffs had standing to bring two common law claims.
This decision is potentially significant – especially for the health care industry – because it recognizes that plaintiffs have standing to bring a cause of action for breach of confidentiality, as well as a cause of action for invasion of privacy, on a class basis. Although this is an important decision (particularly for West Virginia state courts), there are several reasons why this case is not likely to be widely accepted, particularly in federal court where most data breach class actions are litigated. First, this case involved West Virginia standing principles, and there is good reason to believe federal courts would not apply those principles in the same way. Second, this case would seem to appear to only apply with respect to a few types of breach of confidentiality or invasion of privacy torts (in particular, those against health care providers where there is a well-established right of patient confidentiality). Third, even when this case does apply, plaintiffs will still likely have a hard time prevailing if the underlying causes of action require them to prove harm (and, in particular, economic harm). That said, expect to see plaintiffs increasingly assert breach of confidentiality and invasion of privacy claims in an attempt to satisfy standing and class certification requirements.
The West Virginia Supreme Court of Appeals’ Decision
Plaintiffs sued Charleston Area Medical Center, Inc. and CAMC Heath Education and Research Institute, Inc. (collectively CAMC) for an alleged data breach involving “personal and medical information.” Plaintiffs alleged that CAMC accidentally posted a database containing information for over 3,500 patients on the Internet. This database allegedly contained sensitive information, including names, Social Security Numbers, and birth dates.
Discovery failed to show that any unauthorized person actually accessed or even attempted to access the patients’ information. Moreover, there was no evidence that any of the patients’ identities had been stolen. As for the named plaintiffs, discovery showed they had “not suffered any property injuries or sustained any actual economic losses.”
Not surprisingly given these facts, CAMC argued that the plaintiffs lacked standing. The trial court agreed with this argument, finding plaintiffs lacked standing “because they [had] not suffered a concrete and particularized injury.” The West Virginia Supreme Court of Appeals reversed.
The Court first noted that it agreed that the future risk of identity theft alone could not constitute injury in fact for standing purposes. The court, however, went on to find that plaintiffs had standing to bring claims for breach of confidentiality and invasion of privacy.
Regarding the breach of confidentiality claim, the Court found that patients, including the plaintiffs, had “a legal interest in having their medical information kept confidential.” This interest, the Court found, was concrete because “[w]hen a medical professional wrongfully violates this right, it is an invasion of the patient’s legally protected interest.” Similarly, regarding the invasion of privacy claim, the Court determined that the plaintiffs had “a legal interest in privacy which is concrete, particularized, and actual.” The Court was careful to note that its standing ruling was “narrow” and did not address the merits of the plaintiffs’ claims.
With respect to class certification, the Court reversed the trial court’s denial of certification. It concluded that plaintiffs had met the requirements of commonality, typicality, and predominance of common issues of law or fact. The Court’s analysis on predominance of common issues is illustrative of its analysis on all three issues: “Simply put, all of the proposed class members are in the same position. Their causes of action are the same and they arise from the same event. Also, there is no evidence of unauthorized access of their personal and medical information, no evidence of actual identity theft, and no evidence of economic injury arising from the alleged wrongdoing. Rather, all of the proposed class members allege that their interests in confidentiality and privacy have been wrongfully invaded by the respondents.”
Justice Ketchum wrote a strong dissent. He said the case was a “typical example of a frivolous class-action lawsuit” where there was no evidence that anyone – including the named plaintiffs – had been injured. Justice Ketchum neatly summed up why there was no standing: “No harm, no foul.”
Although this decision is bad for defendants in West Virginia courts, particularly for medical professionals and organizations, its ultimate impact – even in those courts – may be limited. As an initial matter, even in a West Virginia state court, it is unclear if the plaintiffs in the factual circumstances of this case can prevail. To the extent the plaintiffs must show actual harm as part of the elements of the torts they assert, such a showing seems nearly impossible in this case (and in similar cases) where plaintiffs cannot claim any economic loss. Moreover, even if they can show harm, the prospect of significant damages seems doubtful given the likely ephemeral nature of any harm the plaintiffs might have suffered, particularly given that the West Virginia Supreme Court of Appeals implicitly rejected damages based on the potential increased risk of future identity theft.
This decision could have some impact in federal court, although its overall impact will likely be limited. Broadly speaking, many federal courts have traditionally dismissed similar data breach cases where the plaintiffs could only speculate that they might suffer an injury in the future but could not show any present injury. E.g., Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011). Some federal courts, however, have found that the future risk of increased injury could confer standing in federal court. E.g., Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (Krottner I); Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 2007). These decisions’ continuing validity, however, are in grave doubt after the United States Supreme Court’s decision in Clapper v. Amnesty Intern. USA, — U.S. —, 133 S.Ct. 1138 (2013)(holding that a group of private citizens lacked standing to challenge 2008 amendments to the Foreign Intelligence Surveillance Act because they could not show the government had actually spied on them). See, e.g., Galaria v. Nationwide Mut. Ins. Co., 2:13–CV–118, — F. Supp. 2d —, 2014 WL 689703, at *7 (S.D. Ohio Feb. 10, 2014) (rejecting Krottner I and Pisciotta based on Clapper); In re Science Applications International Corp. (SAIC) Backup Tape Theft Litigation, No. 1:12-mc-00347 (D.D.C. May 9, 2014)(dismissing all plaintiffs who failed to allege harm and establish a plausible causal connection between the alleged breach and their alleged harm); but see In re Sony Gaming Networks and Customer Data Security Breach Litig., — F. Supp. 2d —, 2014 WL 223677 (S.D. Cal. Jan. 21, 2014) (finding plaintiffs properly plead standing by alleging a “credible threat” of impending harm based on disclosure of their personal information). There is potentially greater impact in state courts where standing is not governed by the U.S. Supreme Court’s decision in Clapper.
Although federal standing requirements are high (and getting higher) in the data breach context, the West Virginia Supreme Court of Appeals’ decision in Tabata arguably could open up a new route to standing in federal (and state) courts even where a plaintiff cannot allege he or she has been injured by, for example, actual identity theft. The Tabata court, like many federal courts, rejected the idea that the increased risk of identity theft could confer standing. But the Tabata court went on to find that the interests protected by the common law claims at issue were violated – and that the violation conferred standing – merely where the information had been made public, even though there was absolutely no evidence this resulted in any actual harm. At least one federal court has found standing for a similar common-law invasion of privacy claim, although in that suit the data at issue had been stolen and disseminated by the thieves. Galaria, — F.Supp.2d —-, 2:13–CV–118, 2014 WL 689703, at *10 (finding plaintiffs had standing for invasion of privacy claim based on publication of a person’s private affairs). Notably, in a case like Tabata, where no evidence shows that anyone had even viewed the information at issue – much less stole it or disseminated it – any claim to federal standing is weak, at best.
That said, the Tabata decision may encourage plaintiffs to bring common law breach of confidentiality and invasion of privacy claims in hopes of avoiding standing issues on at least some of their claims and of prevailing on motions for class certification with respect to such claims. Even if courts find standing for these types of claims even when there are no allegations of identity theft or other concrete injury – and in our view they should not – plaintiffs will still face other hurdles, particularly where the plaintiffs cannot allege actual identity theft. This is especially true, as discussed above, if the invasion of privacy tort (or other claims) requires the plaintiffs to allege and prove harm. See, e.g., Krottner v. Starbucks Corp., 406 F. App’x 129 (9th Cir. 2010) (finding plaintiffs failed to state a negligence claim under Washington law because they did not adequately allege any damage where they only alleged the possibility of future harm) (Krottner II).
Written by Zach Neal, Senior Associate, Privacy & Data Security and Alex Brown, Associate, Litigation & Trial Practice | Alston & Bird LLP