US Privacy & Breach Litigation Monitor
Welcome to the US Privacy & Breach Litigation Monitor
We are pleased to share the latest edition of Kennedys US Privacy & Breach Litigation Monitor. This mailing was created with our clients in mind - to bring you up to speed on the latest topics and trends in data privacy and breach litigation.
NYS DFS fines EyeMed $4.5 million and prohibits the use of insurance to pay the penalty
The New York State Department of Financial Services (DFS) announced that EyeMed Vision Care LLC (EyeMed) will pay a $4.5 million penalty to New York State for violations of the DFS’s Cybersecurity Regulation (23 NYCRR Part 500) that contributed to the exposure of hundreds of thousands of consumers’ sensitive, non-public personal health data, including data concerning minors. Details of the events that led to the settlement can be found in the Consent Order. Notably, the Consent Order provides that EyeMed “shall neither seek nor accept, directly or indirectly, reimbursement or indemnification with respect to payment of the penalty amount, including but not limited to, payment made pursuant to any insurance policy,” nor can it “claim, assert, or apply for a tax deduction or tax credit with regard to any US federal, state, or local tax, directly or indirectly, for any portion of the civil monetary penalty.” Clearly, the DFS wants to make sure that violations of its Cybersecurity Regulation have a direct impact on covered entities’ bottom lines. Matters like this will undoubtedly cause organizations to think twice before letting a belief that insurance will always be there to pay regulatory fines breed complacency, even where such coverage may be available.
Kansas decision highlights common yet overlooked pleading deficiencies in data breach class actions
A recent decision from a federal court in Kansas highlights two pleading deficiencies that courts in data breach class actions sometimes overlook – the failure of plaintiffs to set forth the specific PII which they allege was stolen, and their failure to allege that their harm is “fairly traceable” to the data breach, as required for Article III standing. In Dorothy Blood, et al. v. Labette County Medical Center (5:22-cv-04036-HLT-KGG, October 20, 2022), it was alleged that cyberthieves attacked Defendant hospital’s computer system, causing a data breach in which patient files were accessed. As in most cases of this type, the named Plaintiffs claimed that their names, plus one or more of the following, were removed from Defendant’s system: “Social Security number, medical treatment and diagnosis information, treatment costs, dates of service, prescription information, Medicare or Medicaid number, and/or health insurance information.” With respect to this common pleading tactic, the Court noted that this generalized type of allegation, in which plaintiffs fail to allege the specific additional pieces of information removed for each of them, “adds an overarching level of conjecture and speculation to the complaint and alleged harms.” In addition, the named Plaintiffs alleged that since the breach, unauthorized charges were made to their bank account, the IRS notified them that their Social Security numbers had issues, they had been notified that their PII was found on the “dark web,” and that they had been receiving a significantly higher number of spam calls.
However, the Court found that Plaintiffs failed to plead any facts suggesting (i) how the mere possession of their Social Security numbers and names would enable someone to make unauthorized charges on an existing account, (ii) how the IRS problem is traceable to Defendant’s actions, (iii) how the spam calls were causally linked to the data breach, or (iv) any specificity concerning their information appearing on the dark web. Without these “fairly traceable” elements, the Court ruled that Plaintiffs could not establish Article III standing as required under Clapper v. Amnesty International USA, leaving the Court without subject matter jurisdiction and requiring remand to state court.
California appellate court affirms denial of class certification in CMIA class action
While Article III standing is never an issue in state court matters, there are still statutory standing issues that come into play in some instances, as recently demonstrated in Vigil v. Muir Medical Group IPA, Inc. (Cal. App. Ct. September 26, 2022). In a matter of first impression, a California Appellate Court affirmed a trial court’s denial of class certification in a data breach class action filed pursuant to California’s Confidentiality of Medical Information Act (CMIA). In Vigil, the Defendant healthcare provider was sued after it notified approximately 5,500 patients that their PHI was potentially compromised when an employee downloaded it without authorization. In affirming the lower court’s denial of class certification, the appellate court agreed that the predominance-of-common-questions requirement for class certification was not met because, under the CMIA, individualized inquiries would be required to prove Defendant’s liability and damages as to each of the nearly 5,500 proposed class members, since liability for each class member is predicated on whether his or her information was actually viewed. Based on the facts at issue, the court found that such a determination was not capable of resolution in the aggregate. The record before the court indicated that while the (now former) employee may have viewed some patient information, the Plaintiff presented no evidence indicating whose information was viewed, whether other unauthorized parties viewed the information, or whether it was posted or disclosed in a public forum. Accordingly, most, if not all, of the almost 5,500 potential class members would be unable to maintain their CMIA claims.
Read other items in Privacy & Breach Litigation Monitor - November 1, 2022