Data breaches have become a serious issue for businesses, leading to numerous putative class action lawsuits alleging that the defendants failed to prevent the unauthorized disclosure of personally identifiable information or protected health information of their employees or customers.
In New York State, as in other jurisdictions, the claims generally include negligence, based on the defendants’ alleged insufficient cybersecurity measures. However, the U.S. Constitution and most state constitutions require that plaintiffs plead sufficient harm – that is, damages – for which they can seek redress through the courts. Without a showing of damages, the plaintiffs lack “standing” to sue.
A number of cybersecurity class actions have been dismissed because the plaintiffs were unable to articulate the harm that they suffered as a result of the defendants’ alleged negligence.
The U.S. Supreme Court addressed the issue of standing in several decisions, most recently in TransUnion, LLC v. Ramirez. In that 2021 case, the Court ruled that plaintiffs do not have standing if their claimed damages are not concrete and materialized. The mere risk of future harm is not enough for standing.
New York State courts considering standing in the data privacy context have reached decisions consistent with TransUnion by dismissing suits based on the plaintiffs’ failure to sufficiently allege damages. The decisions are here, here, and here.
Significantly, a New York appellate court recently addressed standing in this context and granted the defendants’ motion to dismiss. In Greco v. Syracuse ASC, a plaintiff brought a putative class action against a health care provider based on a data breach that allegedly exposed the plaintiff’s personal information to unauthorized third parties. The plaintiff did not allege any misuse of information in more than one year between the alleged breach and the issuance of the trial court’s decision. In dismissing the lawsuit, the court explained that hypothetical future harm was not enough for standing.
Data breach case law is evolving state by state, and the Constangy cybersecurity litigation team is available to represent businesses defending these class actions.
The Constangy Cyber Team regularly counsels businesses of all sizes and industries on how to comply with the growing number of data privacy laws and regulations. If you would like additional information on how to prepare your organization, please contact us at cyber@constangy.com.
- Senior Counsel
Chris is an attorney with more than thirteen years of experience at law firms, in-house, and in academia, with extensive expertise in sports, litigation, and labor and employment. He represents and advises employers with respect to ...
- Partner
Allen Sattler is a partner and vice chair of the Constangy Cyber Team. He is based in Orange County, California. He has significant experience serving clients as incident response counsel, having managed the responses to hundreds of ...
- Attorney
Xuan is a member of the Constangy Cyber Team and is affiliated with our San Diego, California office. Xuan has several years of litigation experience and works with our cyber litigation team to defend clients in class actions arising ...
The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation.
Subscribe
Contributors
- Suzie Allen
- John Babione
- Bert Bender
- Ansley Bryan
- Jason Cherry
- Christopher R. Deubert
- Maria Efaplomatidis
- Sebastian Fischer
- Laura Funk
- Lauren Godfrey
- Taren N. Greenidge
- Chasity Henry
- Julie Hess
- Sean Hoar
- Donna Maddux
- David McMillan
- Ashley L. Orler
- Todd Rowe
- Melissa J. Sachs
- Allen Sattler
- Brent Sedge
- Matthew Toldero
- Alyssa Watzman
- Aubrey Weaver
- Xuan Zhou