“I’ve Been Hacked!” (OK, But Have You Been Damaged?)

April 22, 2021

A critical inquiry to be considered at the outset of any litigation is whether the party seeking relief is, in fact, a proper party to seek the court’s adjudication of the dispute.  This concept is known as “standing,” which is a threshold determination to be made by the court, the absence of which warrants dismissal of a pleading under CPLR 3211 (a)(3).

Last month, Albany Commercial Division Justice Richard M. Platkin issued a decision in Keach v BST & Co. CPAs, LLP confirming that in order for the plaintiff in a hacking/data breach action to survive a CPLR 3211 (a)(3) motion to dismiss predicated on standing grounds, the plaintiff must allege that “he or she has suffered, or will suffer, an actual [or imminent] injury-in-fact by reason of the [d]ata [b]reach.”

In Keach, each of the two plaintiffs and his putative class commenced an action against Community Care Physicians, P.C. (“CCP”), an Albany-based medical group, and BST & Co. CPAs, LLP (“BST”), an accounting and consulting firm servicing CCP, following a “ransomware” attack on BST’s computer systems.

Plaintiffs are CCP patients who provided certain information to CCP in the course of receiving health-related services.  In December 2019, BST had a data security incident whereby hackers obtained access to a portion of BST’s network on which client data, including member data provided by CCP, was hosted.  As a result of this data breach, the personal information of 170,000 current and former CCP patients was accessed, which included the patients’ names, dates of birth, medical record numbers, medical billing codes, and insurance descriptions, but did not include Social Security numbers, medical diagnoses, financial information, or bank account information.

Plaintiffs cumulatively asserted nine causes of action against the defendants based on the data breach: (1) negligence; (2) negligence per se; (3) violation of General Business Law 349; (4) breach of fiduciary duty; (5) breach of contract; (6) trespass to chattels; (7) bailment; (8) unjust enrichment; and (9) conversion. Thereafter, defendants jointly filed a single motion to dismiss applicable to the two actions, arguing, among other things, that plaintiffs did not, and cannot, allege that they have sustained an injury-in-fact from the data breach, and instead have relied exclusively on the speculative possibility of harm that could occur in the future. Defendants further noted that, at best, in their respective complaints, plaintiffs have merely alleged that they were “significantly injured” by the data breach and “now forever face an amplified risk of fraud and identity theft.”

The Court articulated and applied a five-factor test to determine whether the harm allegedly incurred by the plaintiffs was actual or imminent, namely: “(1) the type of personal information that was compromised; (2) whether hackers were involved in the data breach or personal information otherwise was targeted; (3) whether personal information was exfiltrated, published and/or otherwise disseminated; (4) whether there have been any incidents of, or attempts at, identity theft or fraud using the compromised personal information; and (5) the length of time that has passed since the data breach without incidents of identity theft or fraud.”

After application of these five factors, the Court held that the plaintiffs did not have the requisite standing and dismissed both complaints, noting as follows:

“Even assuming that the personal information of plaintiffs, which did not include social security numbers or financial account information, was exfiltrated from BST’s computer systems as part of the ransomware attack, plaintiffs have alleged no acts of identity theft, fraud or other suspicious activity involving their personal information. Nor have plaintiffs alleged any attempts to commit identity theft, fraud or other wrongdoing using their personal information … the passage of a lengthy period following the Data Breach with no suspicious activity weighs heavily against finding that the injuries claimed by the named plaintiffs are imminent or substantially likely to occur…”

The Court then recognized that courts in other jurisdictions, including jurisdictions in which New York courts shared co-equal jurisdiction, found plaintiffs to have standing under similar circumstances. Nevertheless, the Court found that the “ubiquitous nature of data breaches” weighs in favor of applying a “cautious approach to standing,” citing to the first sentence of a decision of the U.S. District Court for the Middle District of Pennsylvania, observing:

“There are only two types of companies left in the United States, according to data security experts: those that have been hacked and those that don’t know they’ve been hacked.”

This decision serves as a reminder that a fundamental element to any claim is damages, and, where the plaintiff has not sustained any damages, there are no claims for the court to adjudicate.