June 22, 2021

Volume XI, Number 173

Advertisement

June 21, 2021

Subscribe to Latest Legal News and Analysis

District Court in Third Circuit Confirms That, When it Comes to Data Breaches, Actual Misuse Must be Alleged

Every federal lawsuit requires standing for the court to have subject matter jurisdiction to hear the case, and standing requires an injury-in-fact.  As seen from our coverage this morning out of the Second Circuit.

In Derrick McCray v. John E. Wetzel & President, No. 3:20-cv-139, 2021 U.S. Dist. LEXIS 73782 (W.D. Pa. Apr. 16, 2021), a magistrate judge recommended the court grant a motion to dismiss various claims stemming from an alleged data breach.  The plaintiff, a state prisoner, proceeded pro se against the leaders of the Pennsylvania Department of Corrections and an outside vendor that electronically stored certain inmate data.  The plaintiff filed suit after he received a letter that stated the vendor was the victim of a data breach and that some information regarding inmates, including names and driver’s license numbers, may have been exported by a threat actor.

In the Third Circuit, the case to follow is Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011).  In that case, as we recently reported, the court found that the plaintiffs did not have standing in a data breach when, in part, they could not “truthfully allege” that the threat actor actually read their allegedly stolen personal information and intended to misuse it.

Applying Reilly, the McCray court noted the plaintiff did not allege misuse of his personal data.  Instead, the plaintiff alleged harm under the basis that his personal information could “possibly” be misused “down the line in the future.”  This was not enough for the court.  The plaintiff’s breach of privacy claim did not fare any better. At the outset, the court suggested that this claim was made against the wrong defendant.  The plaintiff alleged that it was the vendor’s system that was breached, not a system managed by the Pennsylvania Department of Corrections.  Accordingly, it could be difficult to make the connection when the plaintiff did not allege that the Pennsylvania Department of Corrections shared his personal information with the vendor without his permission.  Finally, the court noted the plaintiff did not allege that the threat actor actually viewed his personal information.  This, the court recognized, was only “an increased risk of identity theft or fraud,” not a successful breach of privacy claim.

For more developments in this area of the law, stay tuned.  

© Copyright 2021 Squire Patton Boggs (US) LLPNational Law Review, Volume XI, Number 117
Advertisement
Advertisement
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement
Advertisement

About this Author

Aaron Garavaglia Insurance Litigation Attorney Squire Patton Boggs Washington DC
Associate

Aaron Garavaglia focuses his practice on litigation, including insurance-related matters. As a litigator, he has worked with and addressed employment practices liability insurance policies, mass tort claims, insolvent insurers, captives and complex commercial litigation matters.

While in law school, Aaron interned at the US Department of Justice, US House of Representatives and US Court of Appeals for the Federal Circuit. Additionally, he was Senior Federal Circuit Editor for the American University Law Review.

Prior to law school, Aaron was a paralegal for an...

202-457-6436
Advertisement
Advertisement