In Blahous v. Sarrell Reg’l Dental Ctr. for Pub. Health, Inc., No. 2:19-cv-798-RAH-SMD, 2020 U.S. Dist. LEXIS 125394 (M.D. Ala. July 16, 2020), Judge Huffaker dismissed a data breach case due to absence of compensable loss. The facts were as follows:
For many, the phrase “data breach” provokes dread and invokes disquiet. Suddenly, a person’s once private information roams untrammeled, and a degree of uncertainty as to its location and possessor now unexpectedly exists. Of course, for as long as individuals and companies have maintained documentary records and stored private information, data has been poached. Then, as even now, cabinets were jimmied, trashcans were rifled through, and manila envelopes were haphazardly left open, furtively glimpsed. Once companies committed to storing files on local machines, enterprise databases, and cloud servers, however, breaching a company’s every bit of data required no more than gaining access to restricted networks. Soon enough, data breaches became inescapable features of a digitized world. This case grew from one such breach, its extent and depth still murky. Sometime in January 2019, hackers successfully infiltrated the computer network of Sarrell Regional Dental Center for Public Health, Inc. (“Sarrell” or “Defendant”), installing ransomware that could allow the hackers to demand payment for its deactivation (the “Breach”). Among Sarrell’s thousands of unsuspecting patients were Lindsey Blahous (“Blahous”) and her three minor children, L.B., F.B., and D.I. (“Minor Plaintiffs”) (collectively, “Plaintiffs”). Months later, after its investigation had purportedly yielded no evidence of copied, downloaded, or removed files, Sarrell notified each of the four Plaintiffs of the Breach in four substantively identical missives (“Notice” individually, and collectively, “Notices”).
The District Court found no damage/Article III standing.