District Court (Ala.) Dismisses Data Breach Case for Lack of Compensable Loss

In Blahous v. Sarrell Reg’l Dental Ctr. for Pub. Health, Inc., No. 2:19-cv-798-RAH-SMD, 2020 U.S. Dist. LEXIS 125394 (M.D. Ala. July 16, 2020), Judge Huffaker dismissed a data breach case due to absence of compensable loss. The facts were as follows:

For many, the phrase “data breach” provokes dread and invokes disquiet. Suddenly, a person’s once private information roams untrammeled, and a degree of uncertainty as to its location and possessor now unexpectedly exists. Of course, for as long as individuals and companies have maintained documentary records and stored private information, data has been poached. Then, as even now, cabinets were jimmied, trashcans were rifled through, and manila envelopes were haphazardly left open, furtively glimpsed. Once companies committed to storing files on local machines, enterprise databases, and cloud servers, however, breaching a company’s every bit of data required no more than gaining access to restricted networks. Soon enough, data breaches became inescapable features of a digitized world. This case grew from one such breach, its extent and depth still murky. Sometime in January 2019, hackers successfully infiltrated the computer network of Sarrell Regional Dental Center for Public Health, Inc. (“Sarrell” or “Defendant”), installing ransomware that could allow the hackers to demand payment for its deactivation (the “Breach”). Among Sarrell’s thousands of unsuspecting patients were Lindsey Blahous (“Blahous”) and her three minor children, L.B., F.B., and D.I. (“Minor Plaintiffs”) (collectively, “Plaintiffs”). Months later, after its investigation had purportedly yielded no evidence of copied, downloaded, or removed files, Sarrell notified each of the four Plaintiffs of the Breach in four substantively identical missives (“Notice” individually, and collectively, “Notices”).

The District Court found no damage/Article III standing.

Taken together, the weight of authority shows that a plaintiff must provide at least some plausible specific allegation of actual or likely misuse of data to satisfy Article III’s standing requirement and avoid dismissal under Rule 12(b)(1), a position consistent even with pre-Clapper precedent. See, e.g., Burrows v. Purchasing Power, LLC, No. 1:12-CV-22800-UU, 2012 U.S. Dist. LEXIS 186556, 2012 WL 9391827, at *2 (S.D. Fla. Oct. 18, 2012) (finding an injury in fact where plaintiff alleged that his identity was stolen when an unknown individual misused his PII to file a tax return and that he was denied tax refund); see also Krottner, 628 F.3d at 1142; In re Google Privacy Policy Litig., No. C 12-01382 PSG, 2012 U.S. Dist. LEXIS 183041, 2012 WL 6738343, at *6 (N.D. Cal. Dec. 28, 2012) (dismissing plaintiffs’ claims based on Google’s policy of retaining personal information for lack of Article III standing because there were no allegations plaintiffs’ personal information had been disseminated). In fact, “since Clapper . . . courts have been even more emphatic in rejecting increased risk as a theory of standing in data-breach cases.” In re Sci. Applications Int’l Corp. Backup Tape Data Theft Litig., 45 F. Supp. 3d at 28 (internal quotation marks omitted). Here, the fact that the Breach occurred cannot in and of itself be enough, in the absence of any imminent or likely misuse of protected data, to provide Plaintiffs with standing to sue. The Complaint lacks any allegations suggesting that any “disclosure” of their data, such as an actual review by a third party, has occurred; in fact, Plaintiffs fail to allege that they or members of the putative class have suffered actual identity theft. Instead, their pleading speaks of possibilities and traffics in maybes. (E.g., Doc. 1, pp. 3, 16.) The Notice upon whose basis the Plaintiffs sue, included as exhibits to their own pleading, denies that any personal information was copied, downloaded, or removed from the network, despite Plaintiffs’ mistaken belief to the contrary. (Doc. 1-1 p. 2.) True enough, the Notices concede that “[t]he information potentially impacted may [have] include[d a patient’s] name, address, and health insurance number,” as well as, per one of the Notice letters, the patient’s Social Security Number and health treatment information, (see Doc. 1-2, p. 2), but, [*16]  Sarrell’s investigation had not “discovered any evidence that the information that may be involved in this incident ha[d] been misused” between July and September 2019. (Doc. 1-1, p. 2; Doc. 1-2, p. 2; Doc. 1-3, p. 2; Doc. 1-4, p. 2; see also Doc. 21, p. 16.) Unquestionably, “the possibility that the hacker [had] obtained sensitive information from the network” could not be discounted. (Doc. 1-1, p. 2; Doc. 1-2, p. 2; Doc. 1-3, p. 2; Doc. 1-4, p. 2; see also Doc. 21, p. 16.) But the Notices do not say-and the Complaint does not allege-that the hackers both obtained and intend to expose the Plaintiffs’ specific personal data. If, per the Complaint, the allegation-which must be taken as fact-stating the “result of Defendant’s failure to implement and follow basic securities strategies” is that “Patient PII is now likely in the hands of thieves,” but no “evidence that the information that may be involved in this incident ha[d] been misused” has been found, and given that there is no more than the “possibility that the hackers obtained sensitive information,” which may include names, addresses, dates of birth, health insurance numbers, and in one case, a social security number and treatment [*17]  information, despite the Plaintiffs’ insistence to the contrary, (Doc. 1-1, p. 2, (emphasis added)), Plaintiffs simply have failed to plausibly point to a certain threat of the hackers’ making use of their specific personal data as a result of the Breach. An account of other hacks and the potential uses to which hackers may put stolen data, the use of such buzzwords as “secret,” and even appeals to protect children and their privacy, cannot obscure the Plaintiffs’ failure to point to an injury both particularized and concrete, imminent and plausible.11 In the absence of an actuality or a likelihood, the mere possibility that the Plaintiffs’ PII may have been gathered and disseminated and that their credit may suffer if the hackers opt to sell or release this information to those able and willing to exploit it cannot impart the requisite standing.12 E.g., Clapper, 568 U.S. at 410. Other district courts within the Eleventh Circuit have held the same. See In re 21st Century Oncology Customer Data Sec. Breach Litig., 380 F. Supp. 3d at 1250-56; I Tan Tsao v. Captiva MVP Rest. Partners, LLC, No. 8:18-CV-1606-T-02SPF, 2018 U.S. Dist. LEXIS 187119, 2018 WL 5717479, at *2 (M.D. Fla. Nov. 1, 2018); Provost v. Aptos, Inc., No. 1:17-CV-02120-ELR, 2018 WL 1465766, at *3 (N.D. Ga. Mar. 12, 2018); Torres v. Wendy’s Co.,195 F. Supp. 3d 1278, 1283 (M.D. Fla. 2016); Smith, 2015 U.S. Dist. LEXIS 130935, 2015 WL 5793318, at *7; see also Reilly, 664 F.3d at 44-45; Khan v. Children’s Nat’l Health Sys., 188 F. Supp. 3d 524, 532-33 (D. Md. 2016); Key v. DSW, Inc., 454 F. Supp. 2d 684, 687-90 (S.D. Ohio 2006). This wide array of authority leaves the Plaintiffs with but the slenderest of reeds upon which to rest their standing argument:  that of their alleged money damages. Yet even here, the Plaintiffs’ actual incurred costs to address the data breach are insufficient to demonstrate standing.