By Gerald L. Maatman, Jr., Alex W. Karasik, and George J. Schaller
Duane Morris Takeaways: In Webb et al. v. Injured Workers Pharmacy, LLC, No. 22-1896, 2023 U.S. App. LEXIS 16650 (1st Cir. June 30, 2023), the First Circuit reversed a district court’s ruling finding that Plaintiffs’ complaint plausibly alleged a concrete injury in fact where Defendant misused personally identifiable information, affirmed the district court’s ruling on injunctive relief , and remanded the case for further proceedings consistent with its First Circuit’s findings. For employers facing data breach class actions, this decision is instructive in terms of what courts consider for Article III standing requirements and, in particular, the “injury in fact” and “concrete harm” requirements.
Case Background
Alexis Webb and Marsclette Charley (“Plaintiffs”) brought a putative class action against Defendant, Injured Workers Pharmacy, LLC (“IWP” or “Defendant”), asserting various state law claims related to a data breach that allegedly exposed their personally identifiable information (“PII”) and the PII of over 75,000 other IWP patients. Id. at *2. In January 2021, IWP suffered a data breach. Id. at *3. Plaintiffs’ complaint alleged hackers infiltrated IWP’s patient record systems and gained access to the PII of over 75,000 IWP patients, and stole PII including patient names and Social Security numbers. Id. As a result of the breach, Plaintiff Webb alleged she “fears for her personal financial security and [for] what information was revealed in the [d]ata [b]reach,” she “has spent considerable time and effort monitoring her accounts to protect herself from identity theft,” and she “is experiencing feelings of anxiety, sleep disruption, stress and fear.” Id. at 4-5. In 2021, Webb’s PII was used to file a fraudulent 2021 tax return. Id. at *5. Plaintiff Charley alleged that she, “fears for her personal financial security,” “expends considerable time and effort monitoring her accounts to protect herself from identity theft,” and “is experiencing feelings of rage and anger, anxiety, sleep disruption, stress, fear, and physical pain.” Id.
On May 24, 2022, Plaintiffs filed a class action complaint against IWP in the U.S. District Court for the District of Massachusetts, and invoked the court’s jurisdiction under the Class Action Fairness Act of 2005 (“CAFA”). Id. at *5-6. The complaint asserted state law claims for negligence, breach of contract, unjust enrichment, invasion of privacy, and breach of fiduciary duty. Id. at 6. The complaint sought damages, an injunction “enjoining IWP from further deceptive and unfair practices and making untrue statements about the [d]ata [b]reach and the stolen PII,” “other injunctive and declaratory relief … as is necessary to protect the interests of [the] [p]laintiffs and the [c]lass”, and attorneys’ fees. Id. Plaintiffs also sought to certify a class of U.S. residents whose PII was compromised during the data breach. Id.
On August 9, 2022, IWP moved to dismiss the complaint for lack of Article III standing, under Rule 12(b)(1), and for failure to state a claim as to each of the complaint’s asserted claims, pursuant to Rule 12(b)(6). Id. Plaintiffs opposed the motion. On October 17, 2022, the district court granted IWP’s motion and dismissed the case under Rule 12(b)(1). Id. The district court concluded that Plaintiffs lacked Article III standing because their complaint did not plausibly allege an injury in fact. Id. The district court reasoned that the complaint’s allegations that the fraudulent tax return filed in Webb’s name did not sufficiently allege a connection between the data breach and this false return. Id. at 6-7. The district court also reasoned the complaint’s other allegations that the potential future misuse of the Plaintiff’s PII was not sufficiently imminent to establish an injury in fact and that actions to safeguard against this risk could not confer standing either. Id. at 7. The district court did not reach IWP’s Rule 12(b)(6) arguments because the case was dismissed under Rule 12(b)(1). Id. Plaintiffs timely appealed the district court’s decision. Id.
The First Circuit’s Decision
The First Circuit reversed the judgment of the district court and held that Plaintiffs plausibly alleged a concrete injury in fact. In regards to Plaintiff Webb, the First Circuit concluded that “the complaint plausibly alleged a concrete injury in fact as to Webb based on the plausible pleading that the data breach resulted in the misuse of her PII by an unauthorized third party (or third parties) to file a fraudulent tax return.” Id. at *10-11. The First Circuit rejected the district court’s conclusion that the complaint did not plausibly allege a connection between the data breach and the filing of the false tax return. Id. at *13. Instead, the First Circuit opined “[t]here is an obvious temporal connection between the filing of the false tax return and the timing of the data breach.” Id.
Turning to Plaintiff Charley, the First Circuit held that in light of the plausible allegations of some actual misuse, the complaint plausibly alleged a concrete injury in fact based on the material risk of future misuse of Charley’s PII and a concrete harm caused by the exposure to this risk. Id. at *15. Further, the First Circuit opined that the totality of the complaint plausibly alleged an imminent and substantial risk of future misuse of the Plaintiffs’ PII. Id at *19.
In addition, the First Circuit found the complaint’s allegations satisfied the traceability and redressability standing requirements. Id. at *21. The complaint alleged IWP’s actions led to the exposure and actual or potential misuse of Plaintiffs’ PII, making their injuries “fairly traceable to IWP’s conduct.” Id. As to redressability, the First Circuit stated “monetary relief would compensate [the plaintiffs] for their injur[ies], rendering the injur[ies] redressable.” Id. at *22. The First Circuit thus held that Plaintiffs supported each of their five causes of action for damages with at least one injury in fact caused by the defendant and redressable by a court order. Id.
Finally, the First Circuit affirmed the district court’s ruling that Plaintiff’s lacked standing to seek injunctive relief. The sole allegation in the complaint that injunctive relief was necessary was that Plaintiffs’ PII was still maintained by IWP with its inadequate cybersecurity system and policies. Id. The First Circuit rejected the idea that an injunction requiring IWP to improve its cybersecurity measures would protect Plaintiffs from future misuse of their PII and instead would only safeguard against a future breach. Id. The First Circuit declined to extend injunctive relief where IWP faces, “much the same risk of future cyberhacking as virtually every holder of private data.” Id. at *24. For these reasons, the First Circuit affirmed the district court’s holding that Plaintiffs lacked standing to seek injunctive relief.
Implications For Employers
For employers facing data breach class actions, Article III standing defenses are often an optimal avenue to attack the pleadings at the outset, especially in situations involving questionable “injuries” to the named plaintiffs. Businesses that endure data breaches should take note that the First Circuit relied heavily on the temporal connection between the data breach and fraudulent tax filing which constituted a concrete injury. Accordingly, the lowered pleading threshold that results from this ruling suggests that employers should carefully evaluate the safeguards in place for any personally identifiable information stored, and swiftly respond to any data breaches.