{"id":1791,"date":"2024-10-04T09:00:50","date_gmt":"2024-10-04T13:00:50","guid":{"rendered":"https:\/\/blogs.duanemorris.com\/classactiondefense\/?p=1791"},"modified":"2024-10-04T09:00:51","modified_gmt":"2024-10-04T13:00:51","slug":"colorado-federal-court-tosses-data-breach-class-action-alleging-speculative-harms-on-behalf-of-250000-individuals","status":"publish","type":"post","link":"https:\/\/blogs.duanemorris.com\/classactiondefense\/2024\/10\/04\/colorado-federal-court-tosses-data-breach-class-action-alleging-speculative-harms-on-behalf-of-250000-individuals\/","title":{"rendered":"Colorado Federal Court Tosses Data Breach Class Action Alleging Speculative Harms On Behalf Of 250,000 Individuals"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"alignleft size-large is-resized\"><a href=\"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-content\/uploads\/sites\/56\/2024\/10\/welcome.jpg\"><img loading=\"lazy\" decoding=\"async\" width=\"790\" height=\"1024\" src=\"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-content\/uploads\/sites\/56\/2024\/10\/welcome-790x1024.jpg\" alt=\"\" class=\"wp-image-1792\" style=\"width:199px;height:auto\" srcset=\"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-content\/uploads\/sites\/56\/2024\/10\/welcome-790x1024.jpg 790w, https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-content\/uploads\/sites\/56\/2024\/10\/welcome-231x300.jpg 231w, https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-content\/uploads\/sites\/56\/2024\/10\/welcome-768x995.jpg 768w, https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-content\/uploads\/sites\/56\/2024\/10\/welcome.jpg 814w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/a><\/figure>\n<\/div>\n\n\n<p><strong><em>By<\/em><\/strong><strong> Gerald L. Maatman, Jr., Bernadette Coyle, and Ryan T. 
Garippo<\/strong><\/p>\n\n\n\n<p><strong><em>Duane Morris Takeaways<\/em><\/strong><em>:\u00a0 On September 30, 2024, in Henderson, et al. v. Reventics LLC, et al., <\/em>No. <em>23-CV-00586 (D. Colo. Sept. 30, 2024), Magistrate Judge Michael Hegarty of the U.S. District Court for the District of Colorado <a href=\"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-content\/uploads\/sites\/56\/2024\/10\/Henderson-et-al-v.-Reventics-LLC-et-al.-ECF-No.-96.pdf\">granted <\/a>Reventics, LLC and OMH Healthedge Holdings, Inc.\u2019s (collectively \u201cOmega\u201d) motion to dismiss based on lack of Article III standing in a data breach class action.\u00a0 This decision represents another arrow in the quiver of corporate defendants looking to protect themselves against data breach claims involving speculative harms.<\/em><\/p>\n\n\n\n<p><strong>Case Background<\/strong><\/p>\n\n\n\n<p>Omega is a company that provides data analytics and software solutions to healthcare organizations.&nbsp; In December 2022, Omega learned that cyber criminals exfiltrated its network and obtained the \u201cnames, dates of birth, Social Security numbers, and clinical data\u201d of 250,000 of its clients\u2019 patients.&nbsp; <em>Id. 
<\/em>at 3.&nbsp; Two months later, after its investigation of the cybercrime was completed, Omega sent out notices regarding the incident to the potentially affected individuals.<\/p>\n\n\n\n<p>Within the next few weeks, Omega was sued seven times, by fifteen different plaintiffs (the \u201cPlaintiffs\u201d), each alleging that the cyber security incident constituted a breach of their personally identifiable information (\u201cPII\u201d) and protected health information (\u201cPHI\u201d).&nbsp; These Plaintiffs all alleged that they suffered injuries in the form of:<\/p>\n\n\n\n<p>\u201c(1) public disclosure of private information, including Social Security numbers and medical information; (2) increased spam communications; (3) diminution of the value their PHI\/PII; (4) emotional distress; (5) actual fraud; and (6) future impending injury.\u201d<\/p>\n\n\n\n<p><em>Id.<\/em> at 9 (quotations omitted).&nbsp; Tellingly, despite the existence of 15 separate Plaintiffs, none of these individuals could plausibly allege that they lost any money as a result of the cyber security incident.&nbsp; Consequently, once all these class actions were consolidated into one proceeding, Omega moved to dismiss on the grounds that Plaintiffs lacked Article III standing to sue.<\/p>\n\n\n\n<p><strong>The Court\u2019s Opinion<\/strong><\/p>\n\n\n\n<p>Magistrate Judge Hegarty granted Omega\u2019s motion to dismiss.&nbsp; In so doing, he systematically rejected each of Plaintiffs\u2019 theories of standing.&nbsp; Article III standing requires a plaintiff to plead the existence of an injury in fact, that is traceable to the defendant\u2019s conduct, and that can be redressed by judicial relief.&nbsp; <em>Spokeo, Inc. v. Robins<\/em>, 578 U.S. 
330, 338 (2016).&nbsp; The Court reasoned that Plaintiffs failed to meet several of these requirements.<\/p>\n\n\n\n<p><em>First, <\/em>the Court rejected Plaintiffs\u2019 theory that the public disclosure of their so-called \u201cprivate information\u201d constitutes a compensable injury in fact.&nbsp; Plaintiffs argued that public disclosure of their alleged PII and PHI would cause them to voluntarily spend money on future credit monitoring services.&nbsp; However, the Court found that \u201cPlaintiffs cannot manufacture standing by choosing to make expenditures based on hypothetical future harm that is not certainly impending.\u201d&nbsp; <em>Henderson, et al.<\/em>, No. 23-CV-00586, at 10-11 (quotations omitted).&nbsp; In the absence of imminent risk of harm, the Court concluded proactive credit monitoring cannot constitute an injury.<\/p>\n\n\n\n<p><em>Second<\/em>, the Court found that Plaintiffs\u2019 allegations of increased spam communications were also not an injury in fact.&nbsp; But even if they were, the Court held that Plaintiffs could not plausibly allege that they received those spam communications because of Omega\u2019s conduct.&nbsp; Put differently, \u201cthere [were] no specific allegations regarding the timing of these communications from which the Court could infer a causal connection between the breach and the spam\u201d and the theory, therefore, also failed on <em>traceability <\/em>grounds.&nbsp; <em>Id. <\/em>at 12.&nbsp;<\/p>\n\n\n\n<p><em>Third<\/em>, the Court considered and dispensed with the idea that Plaintiffs\u2019 personal information \u201chas independent monetary value\u201d sufficient to support a claim for diminution of value as to that information.&nbsp; <em>Id. 
<\/em>at 13.&nbsp; Even still, the Court ruled that because Plaintiffs lacked the means to sell their own personal information at a lower price, this theory failed as well.<\/p>\n\n\n\n<p><em>Fourth<\/em>, as to Plaintiffs\u2019 claims of emotional distress, the Court succinctly found that \u201c[e]motional distress does not constitute a cognizable injury-in-fact in data privacy litigation.\u201d&nbsp; <em>Id.<\/em> at 14 (quotations omitted).&nbsp; This holding is aligned with other district courts around the country and should not have come as a surprise.<\/p>\n\n\n\n<p><em>Fifth<\/em>, the Court dismissed Plaintiffs\u2019 claim of \u201cactual\u201d fraud on a different part of the standing analysis \u2014 namely its lack of traceability to Omega\u2019s conduct.&nbsp; The Court reasoned that the mere <em>existence<\/em> of isolated incidents of \u201cfraud\u201d alerts on the Plaintiffs\u2019 bank accounts was not the same as <em>actual proof <\/em>that the so-called harm was caused by Omega.&nbsp;<\/p>\n\n\n\n<p><em>Sixth<\/em>, the Court held that allegations of a \u201cfuture injury based on stolen personal information\u201d only can be considered a plausible injury in fact where accompanied by allegations of current direct harm.&nbsp; <em>Id. 
<\/em>at 17.&nbsp; If no such current harm exists, then Plaintiffs were merely speculating that harm may or may not occur in the future.<\/p>\n\n\n\n<p>With all of these theories considered (and rejected), the Court dismissed the class action as a whole and entered judgment on behalf of Omega.<\/p>\n\n\n\n<p><strong>Implications For Companies<\/strong><\/p>\n\n\n\n<p>As corporate counsel is often well aware, the staggering liability associated with class actions frequently hinges on the merits of a cause of action or on whether the named plaintiff can achieve class certification.&nbsp; However, in the data breach context, an attack on the named plaintiffs\u2019 Article III standing is often a swift and efficient way to dispose of such claims.&nbsp;<\/p>\n\n\n\n<p>Corporate counsel should continue to take stock of opinions like this one in the event that their companies\u2019 cybersecurity protocols are put to the test.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>By Gerald L. Maatman, Jr., Bernadette Coyle, and Ryan T. Garippo Duane Morris Takeaways:\u00a0 On September 30, 2024, in Henderson, et al. v. Reventics LLC, et al., No. 23-CV-00586 (D. Colo. Sept. 30, 2024), Magistrate Judge Michael Hegarty of the U.S. 
District Court for the District of Colorado granted Reventics, LLC and OMH Healthedge Holdings, &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/blogs.duanemorris.com\/classactiondefense\/2024\/10\/04\/colorado-federal-court-tosses-data-breach-class-action-alleging-speculative-harms-on-behalf-of-250000-individuals\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Colorado Federal Court Tosses Data Breach Class Action Alleging Speculative Harms On Behalf Of 250,000 Individuals&#8221;<\/span><\/a><\/p>\n","protected":false},"author":583,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"ppma_author":[30],"class_list":["post-1791","post","type-post","status-publish","format-standard","hentry","category-general"],"authors":[{"term_id":30,"user_id":583,"is_guest":0,"slug":"classactiondefense","display_name":"Class Action Defense","avatar_url":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-content\/uploads\/sites\/56\/2020\/10\/dmlogo.jpg","0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""}],"_links":{"self":[{"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/posts\/1791","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/users\/583"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/comments?post=1791"}],"version-history":[{"count":0,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/posts\/1791\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/w
p-json\/wp\/v2\/media?parent=1791"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/categories?post=1791"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/tags?post=1791"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-json\/wp\/v2\/ppma_author?post=1791"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}