An interesting decision from Judge Elizabeth Wolford of the Western District of New York has revived a data breach claim against Excellus Health Plan. The court had previously dismissed claims by plaintiffs who did not allege any actual misuse of there personal data for lack of standing. Plaintiffs moved for reconsideration based on the Second Circuit’s subsequent decision in Whalen v. Michaels Stores, Inc, 689 F. App’x 89 (2d Cir. 2017). In Whalen, the Second Circuit upheld the dismissal of a data breach claim for lack of standing where the plaintiff failed to alleged any actual misuse of her stolen credit card information, but suggested that a claim might proceed if actual misuse of the data could be shown. Even though the Second Circuit’s ruling in Whalen was an unpublished summary order, Judge Wolford read it to suggest that the Second Circuit would likely find standing in a data breach claim if actual data misuse could be shown. Fero, at 14. The plaintiffs submitted with their motion for reconsideration evidence that the plaintiffs’ PII was available on the Dark web. Plaintiffs also presented an expert report concerning the hacking methods through which plaintiffs’ data was exfiltrated from Excellus, and offering the following conclusion: “it is my opinion to a reasonable degree of scientific certainty that PII and PHI maintained on the Excellus network was targeted, collected, exfiltrated, and put up for sale o[n] DarkNet by the attacker for the purpose of, among other things, allowing criminals to purchase the PII and PHI to commit identity theft.” Fero, at 17. Based on this information and its reading of the Whalen summary order, the court granted the motion for reconsideration and denied the defendant’s motion to dismiss for lack of standing.
I think Judge Wolford overread the Whalen summary order and I’m not sure what the plaintiffs’ evidence shows in relation to standing. I would agree with plaintiffs’ expert that the the reason the PII appears on the Dark Web is that someone is trying to sell it. This does not prove, however, that it was actually sold, or that, even if it was sold, the sale caused a legally compensable harm to the plaintiffs. This last issue is going to become central to the standing issue in data breach cases. Is the disclosure or sale of a person’s PII in itself a legally cognizable harm? This would suggest an individual has a property-like right in his or her PII or that there is some kind of compensable dignitary or emotional harm for mere disclosure of PII, which is not the typical framework for American privacy law. Even in cases where it is clear that PII has been improperly used, through fraudulent credit card charges, some courts have found no standing if the issuing bank reimburses the cardholder. As Dark Web search reports become routine forms of evidence in these cases, courts will need to grapple more directly with the question whether there is some kind of inherent harm in the disclosure or sale of PII.