What does it take for a data breach plaintiff to have standing to sue in Illinois? More than a mere increased risk of harm, said the Illinois Supreme Court in a case where Taft represented the defendant, a large multi-specialty group medical practice.
This post highlights the importance of a thorough post-data breach investigation.
After suffering a data breach in the summer of 2021, Taft client Christie Business Holdings Co., P.C., d/b/a Christie Clinic contacted federal law enforcement and engaged a leading data forensics firm to conduct an investigation. The investigation revealed that:
- the purpose of the attempted hack was to intercept a business transaction;
- the impacted account MAY have contained patients' private personal information; and
- there was no evidence of actual identity theft or misuse of such information.
Upon completing the investigation, Christie Clinic issued a letter to its patients notifying them of the breach, concluding that Christie took the security of the information in its care seriously, and providing them with 12 months of free comprehensive credit monitoring and identity protection services through Experian.
After receiving the letter, Plaintiff Rebecca Petta initiated a class action against Christie Clinic alleging that Christie negligently failed to prevent the data breach, thus exposing her and others' private personal information. In her complaint, Petta alleged that: a loan application was made using her phone number, city, and state; the loan was applied for "in someone else's name;" and she received "multiple phone calls" regarding "loan applications she did not initiate." The complaint did not allege that her name or Social Security number was used in any loan application.
The trial court dismissed Petta's complaint with prejudice and the Illinois Appellate Court, Fifth District, affirmed. The case then reached the Illinois Supreme Court.
The Illinois Supreme Court unanimously held that Petta's allegations of harm were speculative, amounting to only an "increased risk of harm," which by itself cannot confer standing. The Court thus affirmed the lower courts' dismissal of the complaint. The state supreme court's thoughtful and incisive consideration of this issue of first impression provides three important take-aways.
- First, a company's post-data breach investigation is critical. The court's decision relies on Christie Clinic's investigation, which had determined that: private information "may have been exposed;" there was no evidence that the information "was actually acquired by a third party" or used; and the purpose of the hack was to intercept a financial transaction.
- Second, the type of information that is exposed matters. Addressing Petta's allegation about the allegedly fraudulent loan application, the court pointed out that Petta's "private, personally identifiable information" (like her Social Security number) was not alleged to have been used; only her publicly available phone number and city were. And the fact that the loan application was made "in someone else's name" belied any use of Petta's identity or private information.
- Third, it is important for a data breach plaintiff to link the alleged misuse of her information to the data breach at issue. This is especially true in modern times, when data breaches are so rampant. Here, the court determined that the errant loan application could not be fairly traced to the data breach at Christie, given that the loan used information that was otherwise publicly available.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.