Affirms Dismissal Of Data Breach Complaints Based On Possible Future Injury
On June 2, 2015, in a consolidated appeal, the Second Appellate District of Illinois affirmed the dismissals by a Kane County court and a Lake County court of complaints claiming data breaches by a hospital system. Maglio v. Advocate Health & Hospitals, Corp., Case Nos. 2-14-0782 & 2-14-0998 cons., 2015 IL App (2d) 140782-U (2nd Dist. Jun. 2, 2015).
In the wake of burglars stealing four password-protected computers from the health care provider, in the summer of 2013, two patients or former patients claimed Advocate did not properly secure their personal information, as required by law. They also alleged consumer fraud or unfair acts by failing to maintain reasonable procedures to protect against unauthorized access, and claimed it was an invasion of their privacy. Nowhere did plaintiffs contend that “anyone had improperly accessed or used the information” or that “they [had] suffered identity theft and/or identity fraud as a result of the burglary.”
In affirming the dismissals by the trial courts, the Appellate Court found neither plaintiff had suffered an injury-in-fact. The plaintiffs never claimed that any “identity theft [had] occurred,” “that their personal information [had] actually been used or that they have been victims of identity theft or fraud.” These would be requisite “distinct and palpable” injuries. Instead, the plaintiffs had “clearly speculative” injuries as they claimed an increased risk of identity theft, which is no more than a possible, future injury.
Without these injuries-in-fact, the plaintiffs simply did not have a basis for being in court—they did not have “standing” to bring their claims. They had no existing injury to be considered by a judge or jury. “The doctrine of standing insures that issues are raised only by those parties with a real interest in the outcome of the controversy.” As against Advocate, merely claiming an increased risk of identity theft was not enough as “no such identity theft has occurred to any of the plaintiffs.” (Emphasis Added.)
The Illinois Appellate Court decision is directly in-line with the majority of other courts that have addressed the issue of standing in alleged data breach cases. Indeed, this requisite—an injury-in-fact—has become the cornerstone of the analysis applied to the propriety of not only data breach matters but also consumer action cases. At its core, the courts require more than a claim of an increased risk of identity theft from a data breach.
Yet, the Illinois Appellate Court noted, as have others, that allegations of future injury may suffice but only when the threatened injury is “certainly impending” or there is a “substantial risk” that the plaintiff will be victimized. What remains to be seen is if artful pleading alone will aid future claimants in making it past the motion to dismiss stage. As of now, it is clear that the factual underpinnings for standing or a cause of action require more than claims of an increased risk of identity theft and more than a chain of hypothetical events about future injury.