While many federal courts have weighed in on the issue of what suffices for Article III standing in the context of a data breach litigation, not all state courts have. Last week, the Superior Court of Delaware found that a group of plaintiffs who received a notice that their personal information had been potentially compromised in a data breach had not alleged an injury in fact, and did not have standing to bring suit.
In Abernathy v. Brandywine Urology Consultants, P.A., No. N20C-05-057 MMJ CCLD, 2021 Del. Super. LEXIS 46 (Del. Super. Ct. Jan. 21, 2021), defendant Brandywine Urology Consultants (“Brandywine”) experienced a ransomware attack in January 2020 that blocked access to its computer system and data, including patient records. During the pendency of the attack, the cybercriminals also encrypted patient records that contained sensitive personal and financial information. Brandywine took steps to remedy the attack, including removing the malware and hiring an outside security firm to investigate whether protected health information (“PHI”) had been compromised (the security firm later confirmed that it had not). In March 2020, Brandywine sent a notice to its patients about the attack, informing them that their data could potentially have been compromised.
Plaintiffs filed suit in May 2020 for negligence and breach of contract among other claims, including two state law claims. Brandywine responded with a 12(b)(6) and 12(b)(1) motion to dismiss, alleging that Plaintiffs lacked standing to bring the case. [As a quick reminder, to establish standing to sue in federal court, Plaintiffs had the burden to demonstrate: (1) an injury in fact; (2) a causal relationship between the injury and the challenged conduct; and (3) a likelihood that the injury will be redressed by a favorable decision. In many data breach litigations – including this one – the key inquiry is whether or not plaintiffs have suffered an injury in fact.]
The Abernathy court found that the fact that a ransomware attack had occurred, without more, was not sufficient to confer standing on Plaintiffs. While plaintiffs had alleged that the “imminent risk of future harm” was sufficient as an injury in fact, the court noted that a year had passed between the attack and its decision, and no harm had occurred – plaintiffs had not been the victims of identity theft or experienced any other harm. On that basis, it found that the alleged risk of harm was not concrete or particularized. The court also noted that the notice of attack alone could not serve as the basis for liability, because Brandywine had taken appropriate and immediate steps to remedy the harm, and so should not be punished for alerting its clients to the breach – the court found that to do otherwise could “chill efforts to notify patients or clients of security breaches out of an abundance of caution.”
The Abernathy court further found that the other damages alleged by Plaintiffs were also insufficient to confer standing. Plaintiffs had alleged mitigation damages, increased anxiety and emotional distress, loss of benefit of the bargain, loss of value of property, and disruption to medical care. The court addressed each in turn, generally finding that the harm was too speculative, particularly where there was no evidence (and Plaintiffs offered none) to show that Plaintiffs’ information had actually been sold.
Delaware joins a number of federal courts that have found that plaintiffs lacked standing in the context of a data breach litigation. But the verdict is still very much out on this issue, as other federal courts have found that, in certain circumstances, data breach plaintiffs do have standing. Abernathy is also notable for expressly finding that a notice of data breach, without more, cannot serve as a basis for liability, because doing so would risk chilling companies that are victims of data breaches from reporting those breaches at all. We’ll keep an eye on how these cases develop for you. Stay tuned.