Data Breach Liability Requires Actual Misuse; More U.S.-EU Data Transfer Uncertainty; Airline App Exempt from State Privacy Law; Pending Cyber Bill Would Create Consortium; Encryption-Related Deceptive Advertising Settlement; PayPal Fined for Deceptive Trade Practices
The Spokeo effect: data breach claims require actual examples of information misuse
Last week, a federal court dismissed claims alleging harm from a hospital data breach, on the grounds that the plaintiff failed to allege more than the mere threat of injury. In Khan v. Children’s National Health System, No. 8:15-cv-2125 (D. Md.), the plaintiff alleged that phishing attacks compromised hospital employees’ email accounts containing patient information, including social security numbers, addresses, dates of birth, and other private healthcare information. The court held that the plaintiff lacked standing and could not proceed in federal court because the plaintiff failed to allege either specific instances of misuse from the particular breach at issue or “a clear indication that the data breach was for the purpose of using the plaintiffs’ personal data to engage in identity fraud.”
The court’s reasoning also demonstrates the favorable impact that this month’s Supreme Court decision in Spokeo v. Robins may have for defendants in data breach actions. The Khan opinion explained that mere violation of a statute does not necessarily create the “concrete harm,” such as actual misuse of information, required by Spokeo. Although it remains to be seen what the Ninth Circuit does with Spokeo on remand and how Spokeo will impact future cases, it seems likely that federal courts will continue to be inclined to disfavor claims where the harm alleged is the “diminished value” of personal information, a general loss of privacy, or simply a technical statutory violation.
Privacy & Cybersecurity Weekly News Update - Week of May 23, 2016