Commercial Division Blog

Posted: April 7, 2021 / Categories Commercial, Standing, Damages, Negligence

Claim Related to Hacking of Client Data Dismissed for Lack of Damages

On March 30, 2021, Justice Platkin of the Albany County Commercial Division issued a decision in Keach v. BST & Co. CPAs, LLP, 2021 NY Slip Op. 50273(U), dismissing a claim based on the hacking of the defendant's servers because of the lack of damages, explaining:

Whether a person seeking relief is a proper party to request an adjudication is an aspect of justiciability which, when challenged, must be considered at the outset of any litigation.

On a defendant's motion to dismiss the complaint based upon the plaintiff's alleged lack of standing, the burden is on the moving defendant to establish, prima facie, the plaintiff's lack of standing as a matter of law. The motion will be defeated if the plaintiff's submissions raise a question of fact as to its standing.

To have standing to sue, plaintiffs must allege the existence of an injury in fact — an actual legal stake in the matter being adjudicated that ensures that they have some concrete interest in prosecuting the action. Each of the named plaintiffs therefore must allege that he or she has suffered, or will suffer, an actual injury-in-fact by reason of the Data Breach.

The injury in fact element must be based on more than conjecture or speculation, and the claimed injury cannot be tenuous or ephemeral. Plaintiffs must allege an actual or imminent injury — one that is impending rather than speculative.

In evaluating whether plaintiffs in a data breach case have alleged an actual injury or the imminent prospect thereof, the New York courts have looked to five principal factors: (1) the type of personal information that was compromised; (2) whether hackers were involved in the data breach or personal information otherwise was targeted; (3) whether personal information was exfiltrated, published and/or otherwise disseminated; (4) whether there have been any incidents of, or attempts at, identity theft or fraud using the compromised personal information; and (5) the length of time that has passed since the data breach without incidents of identity theft or fraud.

The first factor looks to the type of personal information that was compromised and the extent to which the disclosure of such information renders individuals susceptible to identity theft or fraud. The personal information at issue here consists of names, dates of birth, medical record numbers, medical billing codes and health insurance descriptions.

While the foregoing collection of information about an individual certainly can be misused, particularly in connection with medical identity theft or other healthcare fraud, the instant cases are unlike those involving the disclosure of social security numbers or financial account information.

As plaintiffs recognize, the disclosure of social security numbers leaves individuals at a considerably greater risk of identity theft or fraud, and the same is true of information concerning active financial accounts. The instant cases also differ from Lynch, where the compromised personal information belonged to New York Police Department officers, who are subject to heightened risks by reason of their official position.

The second factor looks to whether computer hackers were involved in the data breach or personal information otherwise was targeted. In this regard, case law recognizes that the involvement of computer hackers creates an inference of malicious intent to steal private information, supporting an increased risk of identity theft.

Plaintiffs specifically allege that the attack on BST's computer systems was the work of the notorious Maze ransomware ring. On the other hand, the Complaints repeatedly characterize the Data Breach as a ransomware attack, which, by plaintiffs' own definition, is a type of malicious software that blocks access to a computer system or data, usually by encrypting it, until the victim pays a fee to the attacker. Thus, while ransomware deprives the victim of access to electronically stored information, the information itself ordinarily is not the object of the hackers' attack. Nonetheless, plaintiffs do allege that the Maze ransomware gang has been known to extort businesses by publicly posting breached data on the Internet — and threatening full dumps of stolen data if the ring's customers don't pay for their files to be unencrypted.

The third factor looks to whether the compromised personal information was exfiltrated, published and/or otherwise disseminated.

Here, plaintiffs allege that their personal information was stolen, citing the Maze ransomware gang's history of extorting businesses by publicly posting breached data on the Internet — and threatening full dumps of stolen data if the ring's customers don't pay for their files to be unencrypted. Relatedly, the Complaints cite a Florida data breach incident where hackers publicly released a portion of the stolen data as part of their extortion scheme. Plaintiffs also allege that the Maze ransomware gang published the Private Data online for all cyberthieves to access.

Fourth, courts look to whether there have been any incidents of identity theft or fraud using the compromised personal information or any attempts to do so. Plaintiffs do not allege any incidents of, or attempts at, identity theft or fraud using the compromised personal information of CCP members.

Finally, in cases like these, where there are no allegations of actual or attempted misuse of the compromised personal information, a temporal component may factor into determining whether a threatened harm is sufficient for standing. In other words, a lengthy passage of time without any suspicious activity weighs against finding an injury in fact.

The intrusion into BST's computer systems occurred in early December 2019. Thus, nearly 16 months have passed without incidents of identity theft, fraud or similar misuse of the compromised personal information of CCP members. This lengthy period without incident counsels against finding injuries that are imminent or substantially likely to occur.

Upon consideration of the foregoing factors, as well as the other arguments and contentions raised by the parties in their written submissions and at oral argument, the Court concludes that the two named plaintiffs, Keach and Murray, have not sufficiently alleged an injury-in-fact sustained from the Data Breach.

Even assuming that the personal information of plaintiffs, which did not include social security numbers or financial account information, was exfiltrated from BST's computer systems as part of the ransomware attack, plaintiffs have alleged no acts of identity theft, fraud or other suspicious activity involving their personal information. Nor have plaintiffs alleged any attempts to commit identity theft, fraud or other wrongdoing using their personal information.

Instead, plaintiffs are left to speculate about the prospect of future harms that may or may not come to pass. As in Smahaj, plaintiffs rely on allegations of:

(1) an increased risk of suffering from identity theft and fraud; (2) time, money, and other resources spent to mitigate against risks, both now and in the future, by cancelling credit cards, ability to open new bank accounts, reversing fraudulently imposed charges, and incurring high interest rates due to the inevitable decline in credit score when plaintiff and class members reasonably do not pay for items and services they did not purchase; and (3) the diminution of the value and/or loss of the benefits or products and services purchased directly or indirectly from defendants.

But the passage of a lengthy period following the Data Breach with no suspicious activity weighs heavily against finding that the injuries claimed by the named plaintiffs are imminent or substantially likely to occur.

Amorphous allegations of potential future injury do not suffice, and plaintiffs cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending. Thus, while injury from the Data Breach is possible, as it was in Smahaj, Lynch and Manning, it remains only a risk, too speculative to constitute injury.

As well articulated by the Jantzer Court in dismissing a similar data breach case against a healthcare institution:

Those who are entrusted with details about an individual's health care should guard against even the inadvertent disclosure of that confidential information and those duties were allegedly breached in this case when hackers secured access to confidential health care information through a cyberattack. Nonetheless, while legal remedies may be pursued by those who were injured, the law allows for the pursuit of claims only by those who have standing based on an alleged legally compensable injury. The Court finds the harm of increased risk of future identity fraud too speculative to support standing in this case.

The Court therefore concludes that the named plaintiffs have failed to allege particularized and concrete injuries that are impending, imminent or substantially likely to occur. For this reason, their Complaints must be dismissed.

In conclusion, the Court recognizes that the case law from outside of the New York State courts concerning the standing of data breach plaintiffs is far from uniform, and some federal courts and courts of other jurisdictions have found standing on facts somewhat similar to those presented here. The Court further recognizes that Smahaj, Lynch and Manning — decisions from courts of coequal jurisdiction — are not binding precedent.

But the Court finds the multi-factor analysis taught by Smahaj, Lynch and Manning to be a sound approach to identifying whether the injuries alleged by data breach plaintiffs are actual or imminent, rather than based on conjecture or speculation. Indeed, under New York law, the bulk of plaintiffs' claims do not even accrue and become legally enforceable until plaintiffs have sustained actual and ascertainable damages.

The ubiquitous nature of data breaches further counsels in favor of a cautious approach to standing. More than six years ago, a federal Judge addressing a data breach lawsuit observed: "There are only two types of companies left in the United States, according to data security experts: those that have been hacked and those that don't know they've been hacked." As illustrated by the reference sources copiously cited in plaintiffs' Complaints, the prevalence of data breaches has only increased since then.

(Internal quotations and citations omitted) (emphasis added).

A key element in commercial litigation is proving damages. As this decision shows, a plaintiff that cannot allege actual damages often has no claim at all. Contact Schlam Stone & Dolan partner John Lundin at jlundin@schlamstone.com if you or a client have questions regarding proving damages.