May 04, 2016
Hacked in Houston: Who Can Sue?
Target, Home Depot, Zappos.com, and many major medical providers have all recently had their customers’ personal information stolen through cyber-attacks to the their data storage systems. After many of these large hacks, customers have sued the hackee for damages arising out of the intrusion. One of these cases was brought against the St. Joseph health care system in Houston, Texas after hackers infiltrated St. Joseph’s computer network and gained access to around 405,000 patients, employee, and employee’s beneficiaries’ names, social security numbers, birthdates, addresses, medical records, and bank account information. Peters v. St. Joseph Services Corp., 74 F.Supp.3d 847 (S.D. Tex. 2015). St. Joseph provided a year of free credit reporting to all those that had their information taken. A class action was initiated by those affected by the breach.
The named plaintiff, Peters, alleged that her information had been stolen and misused by unauthorized and unknown third parties due to the information breach. Specifically, Peters alleged injuries included: an unauthorized attempt to make a purchase on the credit card she used to previously pay for medical care at St. Joseph; an attempt at accessing her amazon.com account; daily telephone solicitations; having her email account compromised to where it sends spam mail to her other contacts; and, a new vulnerability to future attacks by thieves who may seek to commit any number of identity theft-related crimes. In reality, Peters’s credit card company declined the attempted charge and issued her a new credit card, her amazon account was never accessed, and Peters has not incurred any damages from the increased telephone calls or email spam.
The plaintiffs did not suffer any actual injury so their only viable claim was for potential future injury. Peters argued that but for St. Joseph’s failure to safeguard her personal information, her identity would not have been exposed, stolen, and misused, and she would not be vulnerable to potential future attacks. St. Joseph argued that Peters, and the other class members, did not have standing to bring any suit because they had not suffered an actual or imminent injury that was traceable to St. Joseph’s conduct. The Houston district court sided with St. Joseph.
The U.S. Supreme Court has held that in order to bring a case before a federal court, a plaintiff has the burden of establishing an injury that is “concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.” Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013). Imminent injury does not stretch far enough to reach an allegation of possible future injury. Id. “An allegation of future injury may suffice if the threatened injury is ‘certainly impending,’ or there is a ‘substantial risk’ that the harm will occur.” Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334, 2341 (2014). Something more than a mere speculative injury is required to bring suit.
The Houston court found: “Peters’ alleged future injuries are speculative – even hypothetical – but certainly not imminent. Critically, Peters ‘cannot describe how [she] will be injured without beginning the explanation with the word ‘if.’” Peters, 74 F.Supp.3d at 854. Further, even an allegation that the breach has increased the risk of identity theft does not transform plaintiffs’ claims into a recognizable injury. The court held that the plaintiffs did not have standing to bring suit against St. Joseph because they did not suffer an actual or imminent injury and the court dismissed the case.
This case (and those similar in other jurisdictions) is very important to insurers that provide cover for “privacy events” and “network security liability,” i.e. coverages that indemnify the various insured-responses to data breaches. A recent Swiss Re presentation on cyber coverage estimated that the average cost paid by an insured per individual for the unauthorized release of the individual’s personal information is around $154; that number is up from $145 in 2014. According to these numbers, this case brought St. Joseph and its insurers’ exposure from potentially $62,216,000 for the 404,000 individuals affected to $0. This case should help insurers and their insureds better estimate at least part of the risk of a data breach because it better defines the class of potential complainants, post-breach. Rulings like this also shrink the class of post-breach litigants to those individuals that have suffered cognizable harm, as opposed to those fearful of an uncertain future event.