Data Breach Class Actions in New York: Standing and Damages Requirements: Constangy Cyber Advisor

Good news for businesses: NYS courts will dismiss data breach class actions for lack of concrete harm to plaintiff

By Christopher Deubert, Allen Sattler, Xuan Zhou on 10.21.24
Posted in Class actions, Cybersecurity, Data Privacy

Data breaches have become a serious issue for businesses, leading to numerous putative class action lawsuits alleging that the defendants failed to prevent the unauthorized disclosure of personally identifiable information or protected health information of their employees or customers.

In New York State, as in other jurisdictions, the claims generally include negligence, based on the defendants’ alleged insufficient cybersecurity measures. However, the U.S. Constitution and most state constitutions require that plaintiffs plead sufficient harm – that is, damages – for which they can seek redress through the courts. Without a showing of damages, the plaintiffs lack “standing” to sue.

A number of cybersecurity class actions have been dismissed because the plaintiffs were unable to articulate the harm that they suffered as a result of the defendants’ alleged negligence.

The U.S. Supreme Court addressed the issue of standing in several decisions, most recently in TransUnion, LLC v. Ramirez. In that 2021 case, the Court ruled that plaintiffs do not have standing if their claimed damages are not concrete and materialized. The mere risk of future harm is not enough for standing.

New York State courts considering standing in the data privacy context have reached decisions consistent with TransUnion by dismissing suits based on the plaintiffs’ failure to sufficiently allege damages. The decisions are here, here, and here.

Significantly, a New York appellate court recently addressed standing in this context and granted the defendants’ motion to dismiss. In Greco v. Syracuse ASC, a plaintiff brought a putative class action against a health care provider based on a data breach that allegedly exposed the plaintiff’s personal information to unauthorized third parties. The plaintiff did not allege any misuse of information in more than one year between the alleged breach and the issuance of the trial court’s decision. In dismissing the lawsuit, the court explained that hypothetical future harm was not enough for standing.

Data breach case law is evolving state by state, and the Constangy cybersecurity litigation team is available to represent businesses defending these class actions.

The Constangy Cyber Team regularly counsels businesses of all sizes and industries on how to comply with the growing number of data privacy laws and regulations. If you would like additional information on how to prepare your organization, please contact us at cyber@constangy.com.

Tags: Class Actions, Cyber Incident Response, Cyber Insurance Claims, Cyber Team, CyberMonday, Cybersecurity, Data Breach, Data Privacy, Data Security, New York, Personal Data, TransUnion

Christopher R. Deubert
Senior Counsel
Email
Chris is an attorney with more than thirteen years of experience at law firms, in-house, and in academia, with extensive expertise in sports, litigation, and labor and employment. He represents and advises employers with respect to ...
Full Bio | Contact Author | LinkedIn | Blog Posts
Allen Sattler
Partner
Email | 315.430.4888
Allen Sattler is a partner and vice chair of the Constangy Cyber Team. He is based in Orange County, California. He has significant experience serving clients as incident response counsel, having managed the responses to hundreds of ...
Full Bio | Contact Author | Blog Posts
Xuan Zhou
Attorney
Email | 858.910.0420
Xuan is a member of the Constangy Cyber Team and is affiliated with our San Diego, California office. Xuan has several years of litigation experience and works with our cyber litigation team to defend clients in class actions arising ...
Full Bio | Contact Author | Blog Posts

Subscribe

Contributors

Archives