Illinois Supreme Court Affirms Dismissal of Data Breach Class Action for Lack of Standing
Authors
Peter Berk , Mason N. Floyd
On Jan. 24, the Illinois Supreme Court, in Petta v. Christie Business Holdings Company, PC, affirmed the dismissal of a putative class action following an alleged data breach because the named plaintiff failed to allege any actual injury resulting from the alleged breach.
Plaintiff’s Allegations
The plaintiff was a patient of Christie Clinic. In connection with the services Christie Clinic provided, plaintiff provided it with personal information including her “name, address, date of birth, Social Security number, medical history, and medical insurance information.” In March 2022, the plaintiff received a letter from Christie Clinic notifying her that a threat actor had obtained unauthorized access to one of Christie Clinic’s business email accounts in an effort to intercept a business transaction. The letter further explained that, while Christie Clinic could not determine whether or which specific emails were viewed or accessed, the account “may” have contained the plaintiff’s Social Security number and medical insurance information. Christie Clinic also stated that it had no evidence that any of the plaintiff’s personal information was misused or that her identity had been stolen.
With respect to the impact of the incident on her, the plaintiff alleged that she noticed suspicious behavior relating to her address and phone number. Specifically, the plaintiff claimed that her “phone number, city, and state” were used on a loan application at a bank in Ohio under someone else’s name.
As a result, the plaintiff brought a putative class action claiming that Christie Clinic committed negligence and negligence per se by failing to provide “reasonable security” and protect her personal information, and violated Illinois’ Personal Information Protection Act.
The Ruling
The Illinois Supreme Court affirmed the appellate court’s dismissal of the lawsuit because the plaintiff lacked standing to bring her claims. The court noted the Illinois requirements for standing:
In Illinois, standing requires only some injury in fact to a legally cognizable interest. More precisely, the claimed injury, whether actual or threatened, must be: (1) distinct and palpable; (2) fairly traceable to the defendant’s actions; and (3) substantially likely to be prevented or redressed by the grant of the requested relief.
The Court further noted that allegations of a “purely speculative” future injury are insufficient to establish standing.
Turning to the plaintiff’s complaint, the court first analyzed the letter from Christie Clinic. Viewing that letter in a light most favorable to the plaintiff, the court found that it only suggested that the plaintiff and the class members faced an “increased risk” that their personal data was accessed by a third party. The court ruled that such increased risk of harm was insufficient to establish standing to seek monetary damages.
The court next reviewed the plaintiff’s allegation that some of her information was used in a loan application made under another person’s name. The court found that this allegation also failed to establish standing. Despite the plaintiff’s complaint alleging that Christie Clinic failed to prevent unauthorized disclosure of the plaintiff’s private information, the Court pointed out that the loan application only utilized the plaintiff’s publicly available information: phone number, city, and state. Therefore, the loan application did not show theft of the plaintiff’s identity or that a third party had acquired her private information. Moreover, the court noted that the information listed in the loan application – the plaintiff’s phone number, city, and state – was information that could be easily found in a public phone directory. As a result, the misuse of that information could not be traced to Christie Clinic’s alleged failure to protect the plaintiff’s private information.
Why Is This Important?
Lack of standing is one of the primary defenses that companies and organizations may raise to attack putative class actions that follow virtually all alleged data breach incidents today. The question that arises is whether the plaintiff has alleged sufficient actual harm that is “fairly traceable” to the alleged incident. Here, the Illinois Supreme Court confirmed that Illinois, like numerous other jurisdictions, requires more than a mere increased risk of harm to establish standing. Moreover, the Illinois Supreme Court’s ruling illustrates to lower courts the need to review a named plaintiff’s specific allegations and analyze whether the alleged harm a plaintiff relies on indicates actual identity theft or actual misuse of the private information that may have been impacted in the alleged data breach incident.
Companies facing putative class actions following cyber incidents should consult their legal advisors regarding their options, and the strength (or lack thereof) of the claims. Clark Hill’s team of attorneys have experience in these matters and stand ready to assist.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.