The most common defense against class actions for data breach has itself been breached in a ruling last week by the West Virginia Supreme Court.
The Court’s opinion held that representatives of the class of medical clinic patients whose names, contact details, social security numbers and medical information had been accidentally posted to a publicly accessible web site had standing to sue the clinic notwithstanding that no class representative had established that anyone had actually accessed the mistakenly released information and no one had suffered any quantifiable economic loss as a result.
The most frequently relied upon defense against suits for damages for a release of personal information is that the plaintiff or class of plaintiffs lack standing because the harm they suffered as a result of the breach is conjectural or speculative.
Standing is one of the fundamental gatekeepers to the judicial system. A plaintiff must be able to allege he suffered or will imminently suffer an injury in fact – a violation of a legally protected interest that is concrete and particularized, not merely hypothetical, as a proximate result of the conduct of the defendant. Most data breach cases fail on this test because plaintiffs are unable to establish that the release of their information has actually caused them an economic loss of sufficient size to warrant litigation.
The West Virginia case differs from other data breach standing cases in two respects: (i) it concerns health data, in addition to personal identifying information, and health data has the benefit of legal protections that other personal information does not enjoy; and (ii) West Virginia has a judicial history of allowing actions based upon an invasion of the right of privacy without proof of special economic (liquidated, out-of-pocket) damages.
The Court said that while the mere risk of future identify theft alone does not constitute in injury in fact sufficient to confer standing, the plaintiffs also asserted causes of action for breach of physician-patient confidentiality and invasion of privacy, and that those claims were not hypothetical or speculative. The breach by a doctor of his duty of confidentiality to the patient is an independent basis of a tort claim that may result in damages for the loss of the confidential relationship. Likewise, under West Virginia law (and in a number of other states as well) an unwarranted invasion of personal privacy, which includes the appropriation of another’s name or likeness or that places another in a false light before the public, is grounds for an action in tort against the perpetrator.
This decision was issued on the question of whether a class could be certified to prosecute the action, and it is far from over. But the fact that the Court overturned a lower court decision dismissing the action and ordered that the class be certified has raised the stakes over personal data losses in one more state.