Who has Standing to Bring a Lawsuit When Your Company's Computers are Stolen?
October 21, 2015
Today, employees travel the country (and globe) with electronic devices containing their company's trade secrets and highly sensitive information about their customers, clients, and/or patients. Unfortunately, along with the positive growth that technological advances bring, the crimes committed to obtain valuable electronics or confidential data are also a continuing concern. Many corporations have developed policies on accessing and handling confidential information, along with policies on what to do if such information is exposed to the public (through theft, loss, etc.).
However, no matter how many policies are in place, the number of lawsuits filed by those alleged to have been damaged by data breaches continues to grow. Common allegations are brought under such laws as the Illinois Personal Information Protection Act and the Consumer Fraud and Deceptive Business Practices Act. Plaintiffs also often include "common law" or general allegations of negligence and invasion of privacy. One of the major questions facing courts in these lawsuits is whether the parties have "standing" to bring their claims. This concept focuses not only on whether the claims are legally recognized, but also on whether the timing is appropriate to bring them (sometimes also referred to as the "ripeness" of a claim).
This issue was directly addressed in the case of Maglio vs. Advocate Health and Hospitals Corporation, 2015 IL App (2d) 140782, issued on August 6, 2015. This was a decision from the Illinois Appellate Court's Second District that stemmed from two separate trial court cases (one in Kane County, the other in Lake County), both of which were filed because of a theft of four laptops owned by Advocate Health in 2013. The plaintiffs (who were patients of the health system) alleged the types of claims noted above, and Advocate Health brought motions to dismiss. The trial courts granted the motions and plaintiffs appealed.
Understanding that Advocate Health may have increased reporting obligations under federal health laws (including HIPAA), the appellate court noted that Advocate took several necessary steps after the theft of the laptops. For example, Advocate learned of the burglary on July 15, 2013, and notified all of the persons affected (about four million patients) roughly one month later.
On appeal, the plaintiffs (who maintained they were still at risk for identity theft) continued their arguments that Advocate had a duty to securely maintain the personal information, and that it breached that duty when it used unsecured and unencrypted computers (even though they were password protected). They further alleged that Advocate did not timely notify them of the breach, did not maintain reasonable procedures to protect against unauthorized access to the information, and allowed the impermissible and unauthorized disclosure and dissemination of their information, which caused an unauthorized intrusion into their privacy. In plaintiffs' minds, these actions (or lack thereof) also caused them anguish and suffering.
After reviewing the briefs and hearing arguments, the appellate court affirmed the trial courts. It did not address the legal merits of the claims, but instead held the plaintiffs did not have standing to bring their lawsuits.
In Illinois, a court will look at whether a plaintiff has standing as part of a test. Specifically, a claimed injury can be actual or threatened, but it must be: 1) distinct and palpable; 2) fairly traceable to the defendant's actions; and 3) substantially likely to be prevented or redressed by the grant of the requested relief. In looking at both state and federal cases, the court here noted that "purely speculative" or "purely conjectural" evidence was not sufficient to show standing.
The appellate court also concluded that plaintiffs' claims were speculative and conclusory because no actual theft (and use) of their specific personal information had occurred. An allegation of future injury may be sufficient if the threatened injury is certainly impending or there is a substantial risk, but a simple increased risk or credible threat is plainly different from a certainly impending harm. Since the plaintiffs in these cases did not allege their personal information had actually been used or that they had evidence they were victims of identity theft, their claims could not survive.
Plaintiffs pointed out that there were other lawsuits filed as a result of this theft, and that some of the parties were found to have standing. However, the court responded that only two plaintiffs were found to have standing because they were actually injured by proven fraudulent activity (attempted access to their bank accounts and cell phone accounts). In the court's opinion, two out of four million potential cases did not show these plaintiffs faced imminent, certain or substantial risk of harm as a result of the burglary, especially two years after the theft of the laptops.
The Maglio case is certainly instructive to those of us who travel with laptops, tablets, or other devices that can be left behind, stolen, or otherwise misplaced. Heyl Royster strongly recommends you coordinate with your in-house information technology staff or consult with outside IT companies to figure out how best to protect your information. Should your company face a data breach (whether intentional or due to a misplaced device), how do your own policies or specific laws governing your company require you to act? Even if you act as required but someone suffers identity theft, what is your plan on how to defend those cases? Are you insured? Will your actions be enough?
Heyl Royster routinely assists corporations in developing and reviewing existing policies related to electronic devices and data. Do not hesitate to contact us about your needs.