While the number of data breach litigations is on the rise, CPW has been tracking another trend—dismissal of inadequate data breach complaints. For the latest and greatest in this area of the law, read on below.

Darnell v. Wyndham Capital Mortg., 2021 U.S. Dist. LEXIS 55490 (W.D.N.C. Mar. 24, 2021).
Defendant Wyndham is a nationwide mortgage provider incorporated in North Carolina. Plaintiff allegedly applied for and received a home loan from Defendant in January of 2020. Shortly thereafter Defendant allegedly “sold” Plaintiff’s mortgage loan to another company. Several months later, in October 2020, Defendant sent multiple “Notice of Data Incident” disclosures to regulators. The first notice provided:
This correspondence is to notify you of [a] potential security issue caused by a recent single occurrence of user error. On September 18, 2020, an email containing personal information was sent in error to an email account not belonging to [Defendant]. [Defendant] has no evidence that this email was opened or that the information has been used. . . .
A second notice was sent one week later, which additionally disclosed a phishing scam “which allowed access to [the email account of one of Defendant’s employees] for a limited period of time.” The second notice further provided that “[Defendant] has put additional protections in place to keep this from happening again, has provided additional training to employees, and continues to strengthen system controls and monitoring.”
In the wake of these disclosures, Plaintiff filed a putative class action lawsuit against Defendant, asserting claims for (1) negligence; (2) violation of Florida’s Unfair and Deceptive Trade Practices Act; (3) unjust enrichment; (4) breach of implied contract; and (5) breach of confidence, and (6) seeking a declaratory judgment that Defendant’s data security protocols are insufficient as a matter of law.
Plaintiff alleged that, once he was made aware of the data incidents, he began to monitor his financial accounts and suffered from “great anxiety.” Plaintiff alleged the following injuries: “(a) damages to and diminution in the value of his [personally identifiable information]—a form of intangible property that the Plaintiff entrusted to [Defendant] as a condition of his employment; (b) loss of his privacy; and (c) imminent and impending injury arising from the increased risk of fraud and identity theft.”
Defendant moved to dismiss both for lack of standing and for failure to state a claim. The Court agreed with Defendant that Plaintiff lacked Article III standing, which meant the Court lacked subject matter jurisdiction to hear the case.
With regard to Plaintiff’s first “injury”—in the form of “damages to and diminution in the value of his PII”—the Court observed “[i]t is not clear from the Complaint exactly how the exposure of Plaintiff’s PII has damaged or diminished its value.” The Court nonetheless assumed that “Plaintiff is prevented from realizing the full extent of his PII’s value if it has been potentially exposed to cyber criminals.” Even with this assumption, this purported harm was inadequate to establish Plaintiff’s standing. This was because, the Court explained, “the exposure of PII, without more, is insufficient to confer Article III standing.”
Plaintiff’s alleged loss of privacy fared no better. The Court held that “the factual allegations related to this asserted injury suffer from the same deficiencies . . . Plaintiff alleges nothing more than the ‘mere compromise’ of his PII and a resulting loss of privacy, which is too abstract of an injury to satisfy standing requirements.”
Plaintiff’s remaining allegations of injury were also insufficient. Plaintiff asserted that “he has been injured because the exposure of his PII has left him with the ‘imminent and impending [risk] of fraud and identity theft.’” As a result of this speculative risk of future harm, Plaintiff also alleged that he “spent time routinely reviewing his credit monitoring service results and reports.” However, Plaintiff alleged neither actual misuse of his PII nor that his PII was intentionally targeted. This omission was significant to the Court, which held that “to the extent any injury or allegation is based on the accidental data breach, Plaintiff has not sufficiently alleged injury-in-fact.”
Insofar as the phishing data incident was concerned, Plaintiff’s allegations fared no better. The Court found that they were based on the same “attenuated chain of possibilities” that other courts had rejected as establishing standing. In order for Plaintiff’s allegations to pass muster, the Court would be required to assume that: “(1) the phishing attempt intentionally targeted the PII belonging to Defendant’s clients rather than other information potentially stored on Defendant’s servers; (2) the reactionary steps taken by Defendant in an effort to protect against the phishing attempt failed, and clients’ PII was taken by hackers; (3) Plaintiff’s PII was among the PII taken by the hackers; and (4), hackers have attempted or will attempt to use Plaintiff’s, as opposed to anyone else’s, PII to steal his identity.” This was several steps too far for the Court (as it probably is for many CPW readers).
Another day, another data breach litigation dismissed at the pleading stage. Whether Plaintiff will refile the litigation in state court (where satisfaction of Article III is not required) remains to be seen. Regardless of what happens, not to worry: CPW will be there.