February 19, 2012
Another Data Loss Case Tossed on Article III Grounds--Whitaker v. Health Net
[Post by Venkat Balasubramani]
Whitaker v. Health Net of California, Inc., Civ S-11-0910 KHM-DAD (E.D. Cal.; Jan. 19, 2012)
This is another data breach class action. Plaintiffs tried to squeeze their claims through a narrow opening left by Ninth Circuit precedent, but the court dismisses the claims for lack of standing.
IBM manages Health Net's information technology infrastructure. In January 2011, IBM informed Health Net that it lost 9 Health Net server drives, which contained the personal and health information of approximately 800,000 Health Net customers. Health Net sent a letter to the affected individuals in March 2011. The opinion does not mention whether Health Net offered credit monitoring or other preventive services. At the time the parties finished briefing the motion to dismiss, three of the nine servers had been recovered. The other six remained missing. The defendants both filed motions to dismiss.
The court focuses on whether plaintiffs sufficiently alleged “injury in fact.” Plaintiffs argued that they satisfied the standing requirements established by the Ninth Circuit in Krottner v. Starbucks and Ruiz v. Gap. (Here are blog posts on Krottner ("Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit") and Ruiz ("9th Circuit Affirms Rejection of Data Breach Claims Against Gap").) The court distinguishes Krottner and Ruiz on the basis that, in both of those cases, the data breach occurred due to theft and not loss of the data. The court also highlights that the plaintiffs did not allege any actual harm, apart from the loss of data and the risk that the data would be misused. Although one of the plaintiffs received a letter informing them that the social security number of their minor child had been misused, the court says that this does not confer standing on plaintiffs, who have to satisfy standing on their own (unless they are asserting third party rights).
The court also relies on Low v. LinkedIn for the proposition that speculative allegations regarding disclosure or harm are not sufficient to support Article III standing. (See also Reilly v. Ceridian.)
End result: the court dismisses with leave to amend. The plaintiffs have thirty days to amend their complaint to allege sufficient harm.
It’s worth keeping in mind that although plaintiffs cited to Krottner and Ruiz, the plaintiffs in those cases did not prevail. Despite the allegations being found sufficient from the perspective of Article III standing, plaintiffs lost on the merits in both cases. Plaintiffs have tried every possible combination of allegations (theft of information; misplacement of information; employment information; health information) but courts simply refuse to find a cognizable claim unless the plaintiff can allege that his or her data has been misused in a way that causes out-of-pocket losses. A few cases have pointed to credit monitoring services as recoverable mitigation, but where the defendant offers up this relief to consumers voluntarily, a plaintiff is pretty much out of luck.
It’s also interesting to note that this case involved claims under California statutes which provide for the confidentiality of medical records. Given that the court did not discuss statutory damages, I would assume the statutes in question did not provide for these damages. Even if they did, failure to satisfy Article III standing could still undermine the claims. (A case pending in front of the United States Supreme Court may answer this question. See "'Sleeper' Case Asks Whether Plaintiffs Can Sue Without An Injury.")
Posted by Venkat at February 19, 2012 09:15 AM | Privacy/Security