Courts are now requiring plaintiffs to show more than a mere increased risk of harm from a data breach in order to have standing to file suit. In Maglio v. Advocate Health and Hosps. Corp., 2015 IL App (2d) 140782 (Ill. App. Ct. August 6, 2015), the Illinois Appellate Court held that plaintiffs did not have standing to bring suit for violations of consumer data protection laws, despite the fact that their personal data was compromised, because there was no showing that the data had been used to actually harm the individuals. Maglio gives us a glimpse into the future of the requirements for standing to file a data breach complaint in Illinois. To date, Illinois plaintiffs who allege only technical statutory violations without a concrete harm will be unable to sue for such violations.
In July 2013, burglars stole four password-protected laptop computers from an Advocate building; the laptops contained personal information of 4,029,530 patients, and this was reportedly the second-largest medical records breach since 2009. Advocate notified these patients of the theft a month later, resulting in two sets of class actions in Lake and Kane Counties, primarily claiming that Advocate violated two state consumer data protection laws by failing to maintain adequate procedures to protect the personal information of plaintiffs. Advocate moved to dismiss, arguing that plaintiffs lacked standing because they had not suffered any injury as a result of their data being stolen: there had been no public disclosure of the information or any identity fraud. Both trial courts granted the motions to dismiss, finding that “[t]he increased risk that plaintiffs will be identity theft victims at some indeterminate point in the future … did not constitute an injury sufficient to confer standing.” The appellate court affirmed after analyzing Illinois, federal court and U.S. Supreme Court case law.
Since plaintiffs had no injuries-in-fact, the appellate court affirmed that they did not have standing to bring their claims. The appellate court found that merely claiming an increased risk of identity theft was not enough to show injury as “no such identity theft has occurred to any of the plaintiffs.” The court also held that “appreciable emotional injury” alone did not confer standing. The court hinted that allegations of future injury may suffice if the threatened injury is “certainly impending” or there is a “substantial risk” that the harm will occur.
In the wake of Maglio, the U.S. Supreme Court granted certiorari in Spokeo, Inc. v. Robins, No. 13-1339 (U.S. Apr. 27, 2015), which addresses issues similar to those in the Maglio decision under the Fair Credit Reporting Act (FCRA). In Spokeo, the Ninth Circuit held that plaintiff had sufficient standing to bring a class action despite the fact that plaintiff did not suffer actual and cognizable harm; plaintiff alleged Spokeo willfully violated the FCRA by publishing factually incorrect personal information about him on its website. The Spokeo petitioner’s brief was filed July 2, thus we should see a decision from the Supreme Court this year on this issue. The trend across the U.S. indicates that courts are shutting down these lawsuits to discourage class actions seeking millions in statutory damages with no actual harm or injury suffered. While this is good news for Illinois hospitals and employers, they will need to keep watch for the Spokeo opinion, which could change this legal landscape entirely.
In the meantime, employers (especially healthcare providers) should make sure employees understand HIPAA privacy and security regulations as well as state data privacy laws. These entities should consider stronger safeguards such as increased data security and encryption measures, periodic audits, and increased training programs.