Data breaches have become a serious issue for businesses, leading to numerous putative class action lawsuits alleging that the defendants failed to prevent the unauthorized disclosure of personally identifiable information or protected health information of their employees or customers.
In New York State, as in other jurisdictions, the claims generally include negligence, based on the defendants’ alleged insufficient cybersecurity measures. However, the U.S. Constitution and most state constitutions require that plaintiffs plead sufficient harm – that is, damages – for which they can seek redress through the courts. Without a showing of damages, the plaintiffs lack “standing” to sue.
A number of cybersecurity class actions have been dismissed because the plaintiffs were unable to articulate the harm that they suffered as a result of the defendants’ alleged negligence.
The U.S. Supreme Court addressed the issue of standing in several decisions, most recently in TransUnion, LLC v. Ramirez. In that 2021 case, the Court ruled that plaintiffs do not have standing if their claimed damages are not concrete and materialized. The mere risk of future harm is not enough for standing.
New York State courts considering standing in the data privacy context have reached decisions consistent with TransUnion by dismissing suits based on the plaintiffs’ failure to sufficiently allege damages. The decisions are here, here, and here.
Significantly, a New York appellate court recently addressed standing in this context and granted the defendants’ motion to dismiss. In Greco v. Syracuse ASC, a plaintiff brought a putative class action against a health care provider based on a data breach that allegedly exposed the plaintiff’s personal information to unauthorized third parties. The plaintiff did not allege any misuse of information in more than one year between the alleged breach and the issuance of the trial court’s decision. In dismissing the lawsuit, the court explained that hypothetical future harm was not enough for standing.
Data breach case law is evolving state by state, and the Constangy cybersecurity litigation team is available to represent businesses defending these class actions.
