By Gerald L. Maatman, Jr., Bernadette Coyle, and Ryan T. Garippo
Duane Morris Takeaways: On September 30, 2024, in Henderson, et al. v. Reventics LLC, et al., No. 23-CV-00586 (D. Colo. Sept. 30, 2024), Magistrate Judge Michael Hegarty of the U.S. District Court for the District of Colorado granted Reventics, LLC and OMH Healthedge Holdings, Inc.’s (collectively “Omega”) motion to dismiss based on lack of Article III standing in a data breach class action. This decision represents another arrow in the quiver of corporate defendants looking to protect themselves against data breach claims involving speculative harms.
Case Background
Omega is a company that provides data analytics and software solutions to healthcare organizations. In December 2022, Omega learned that cyber criminals had breached its network and obtained the “names, dates of birth, Social Security numbers, and clinical data” of 250,000 of its clients’ patients. Id. at 3. Two months later, after its investigation of the cybercrime was completed, Omega sent out notices regarding the incident to the potentially affected individuals.
Within the next few weeks, Omega was sued seven times, by fifteen different plaintiffs (the “Plaintiffs”), each alleging that the cyber security incident constituted a breach of their personally identifiable information (“PII”) and protected health information (“PHI”). These Plaintiffs all alleged that they suffered injuries in the form of:
“(1) public disclosure of private information, including Social Security numbers and medical information; (2) increased spam communications; (3) diminution of the value of their PHI/PII; (4) emotional distress; (5) actual fraud; and (6) future impending injury.”
Id. at 9 (quotations omitted). Tellingly, despite the existence of 15 separate Plaintiffs, none of these individuals could plausibly allege that they lost any money as a result of the cyber security incident. Consequently, once all these class actions were consolidated into one proceeding, Omega moved to dismiss on the grounds that Plaintiffs lacked Article III standing to sue.
The Court’s Opinion
Magistrate Judge Hegarty granted Omega’s motion to dismiss. In so doing, he systematically rejected each of Plaintiffs’ theories of standing. Article III standing requires a plaintiff to plead the existence of an injury in fact, that is traceable to the defendant’s conduct, and that can be redressed by judicial relief. Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016). The Court reasoned that Plaintiffs failed to meet several of these requirements.
First, the Court rejected Plaintiffs’ theory that the public disclosure of their so-called “private information” constitutes a compensable injury in fact. Plaintiffs argued that public disclosure of their alleged PII and PHI would cause them to voluntarily spend money on future credit monitoring services. However, the Court found that “Plaintiffs cannot manufacture standing by choosing to make expenditures based on hypothetical future harm that is not certainly impending.” Henderson, et al., No. 23-CV-00586, at 10-11 (quotations omitted). In the absence of imminent risk of harm, the Court concluded proactive credit monitoring cannot constitute an injury.
Second, the Court found that Plaintiffs’ allegations of increased spam communications were also not an injury in fact. But even if they were, the Court held that Plaintiffs could not plausibly allege that they received those spam communications because of Omega’s conduct. Put differently, “there [were] no specific allegations regarding the timing of these communications from which the Court could infer a causal connection between the breach and the spam” and the theory, therefore, also failed on traceability grounds. Id. at 12.
Third, the Court considered and dispensed with the idea that Plaintiffs’ personal information “has independent monetary value” sufficient to support a claim for diminution of value as to that information. Id. at 13. Even still, the Court ruled that because Plaintiffs lacked the means to sell their own personal information at a lower price, this theory failed as well.
Fourth, as to Plaintiffs’ claims of emotional distress, the Court succinctly found that “[e]motional distress does not constitute a cognizable injury-in-fact in data privacy litigation.” Id. at 14 (quotations omitted). This holding is aligned with other district courts around the country and should not have come as a surprise.
Fifth, the Court dismissed Plaintiffs’ claim of “actual” fraud on a different part of the standing analysis — namely its lack of traceability to Omega’s conduct. The Court reasoned that the mere existence of isolated incidents of “fraud” alerts on the Plaintiffs’ bank accounts was not the same as actual proof that the so-called harm was caused by Omega.
Sixth, the Court held that allegations of a “future injury based on stolen personal information” only can be considered a plausible injury in fact where accompanied by allegations of current direct harm. Id. at 17. If no such current harm exists, then Plaintiffs were merely speculating that harm may or may not occur in the future.
With all of these theories considered (and rejected), the Court dismissed the class action as a whole and entered judgment on behalf of Omega.
Implications For Companies
As corporate counsel is often well aware, the staggering liability associated with class actions frequently hinges on the merits of a cause of action or on whether the named plaintiff can achieve class certification. However, in the data breach context, an attack on the named plaintiffs’ Article III standing is often a swift and efficient way to dispose of such claims.
Corporate counsel should continue to take stock of opinions like this one in the event that their companies’ cybersecurity protocols are put to the test.