District Court (Cal.) Dismisses Data Breach Case for Lack of Art. III Standing

In Patterson v. Med. Review Inst. of Am., LLC, No. 22-cv-00413-MMC, 2022 U.S. Dist. LEXIS 111617, at *5-8 (N.D. Cal. June 23, 2022), Judge Chesney surveyed California law on the subject and dismissed a data breach case on Art. III standing grounds.

First, with respect to an increased risk of fraud and identity theft, although Patterson alleges the hackers “accessed highly sensitive PHI/PII and financial information” from MRIoA’s network (see Compl. ¶ 2), MRIoA has submitted undisputed evidence that none of the information about Patterson potentially exposed in the data breach was sufficiently sensitive to create a credible risk of future fraud or identity theft (see Leichliter Decl. ¶ 10 (stating the only information regarding Patterson that was “potentially accessed by the hackers . . . consisted of a single one-page document” containing Patterson’s name, a date, the title “Advisory,” a reference to Patterson as the “Insured” and the “Patient,” the phrase “Review Time 60 minutes,” and that the “[t]otal amount[] to be billed [was] $327.000”)); see also In re Zappos.com, Inc., Customer Data Sec. Breach Litig., 888 F.3d 1020, 1027 (9th Cir. 2018) (holding injury in fact exists where information obtained from data breach is “sufficiently sensitive” to “g[ive] hackers the means to commit fraud or identity theft”); Greenstein v. Noblr Reciprocal Exch., Case No. 21-cv-04537-JSW, 2022 WL 472183, at *4 (N.D. Cal. Feb. 15, 2022) (finding no “credible and imminent threat of future” identity theft where data breach did not involve “social security or credit card information” or other information that could be used to “open a new account in [p]laintiffs’ names or to gain access to personal accounts likely to have more sensitive information”); Antman v. Uber Techs., Inc., Case No. 3:15-cv-01175-LB, 2015 WL 6123054, at *11 (N.D. Cal. Oct. 19, 2015) (holding no “credible risk of identity theft” exists “[w]ithout a hack of information such as social security numbers, account numbers, or credit card numbers”).  Next, with respect to lost time and anxiety associated with the breach, where, as here, there is no credible threat of future identity theft, Patterson cannot “manufacture standing by inflicting harm on [himself] based on [his] fear of hypothetical future harm that is not certainly impending.” See Clapper v. Amnesty Int’l USA, 568 U.S. 398, 416 (2013); see also Greenstein (finding no injury in fact based on “time and effort spent monitoring . . . credit reports” after data breach where “risk of identity theft and fraud” was not “real and imminent”); Antman, 2015 WL 6123054, at *11 (holding “risk of identity theft must first be real and imminent[] . . . before mitigation costs establish injury in fact”); Callahan v. Ancestry.com, Inc., Case No. 20-cv-08437-LB, 2021 WL 2433893, at *4-5 (N.D. Cal. June 15, 2021) (holding, in data breach context, “anxiety and stress” without “credible threat of future identity theft” is not cognizable injury in fact).  With respect to diminution in value, although Patterson alleges a market for PHI, PII, and financial information exists on the “dark web” (see Compl ¶ 75), he does not explain how his information is “less valuable than before the breach,” nor does he allege he “had plans to sell” or is “prevent[ed] . . . from selling such information in the future,” see Greenstein, 2022 WL 472183, at *5-6 (holding, “to successfully demonstrate injury in fact by diminution in value of PI, [p]laintiff[] must establish both the existence of a market for her personal information and an impairment of her ability to participate in that market” (internal quotation and citation omitted)).  Lastly, with respect to loss of privacy, Patterson, as MRIoA points out, has not “allege[d] facts to show any unauthorized individual actually viewed” or misused his information (see Mot. at 8:7-17); rather, MRIoA has submitted undisputed evidence that the hackers “demanded a ransom payment . . . in exchange [for] return [of] the data” and that, after receiving such payment from MRIoA, “returned the data they had obtained” (see Sullivan Decl. ¶¶ 7-9); see also In re Practicefirst Data Breach Litig., Case No. 1:21- CV-00790 (JLS/MJR), 2022 WL 354544, at *8 (W.D.N.Y. Feb. 2, 2022) (finding no cognizable injury based on loss of privacy theory where there was no allegation that the “data . . . copied by a hacker and held hostage for payment of a fee . . . was ever . . . viewed by any [unauthorized] person”); Storm v. Paytime, Inc., 90 F. Supp. 3d 359, 368 (M.D. Penn. 2015) (finding no cognizable injury where plaintiffs did not allege “unidentified hacker was actually able to view, read, or otherwise understand the data it accessed”; noting privacy is not “violated” unless unauthorized person “has viewed” or “is [imminently] about to view” private information (internal quotation and citation omitted)); In re Facebook, Inc., Consumer Priv. User Profile Litig., 402 F. Supp. 3d 767, 786 (N.D. Cal. 2019) (noting plaintiff cannot establish standing “by simply intoning that she suffered an intangible privacy injury”).  Accordingly, Patterson’s complaint is subject to dismissal for lack of standing. The Court will, however, afford Patterson leave to amend. See Warth, 422 U.S. at 501 (holding, where defendant successfully challenges plaintiff’s standing at pleading stage, district courts ordinarily should afford plaintiff leave to amend).