District Court in Third Circuit Confirms That, When it Comes to Data Breaches, Actual Misuse Must be Alleged
Every federal lawsuit requires standing for the court to have subject matter jurisdiction to hear the case, and standing requires an injury-in-fact. As seen from our coverage this morning out of the Second Circuit.
In Derrick McCray v. John E. Wetzel & President, No. 3:20-cv-139, 2021 U.S. Dist. LEXIS 73782 (W.D. Pa. Apr. 16, 2021), a magistrate judge recommended the court grant a motion to dismiss various claims stemming from an alleged data breach. The plaintiff, a state prisoner, proceeded pro se against the leaders of the Pennsylvania Department of Corrections and an outside vendor that electronically stored certain inmate data. The plaintiff filed suit after he received a letter that stated the vendor was the victim of a data breach and that some information regarding inmates, including names and driver’s license numbers, may have been exported by a threat actor.
In the Third Circuit, the case to follow is Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011). In that case, as we recently reported, the court found that the plaintiffs did not have standing in a data breach when, in part, they could not “truthfully allege” that the threat actor actually read their allegedly stolen personal information and intended to misuse it.
Applying Reilly, the McCray court noted the plaintiff did not allege misuse of his personal data. Instead, the plaintiff alleged harm under the basis that his personal information could “possibly” be misused “down the line in the future.” This was not enough for the court. The plaintiff’s breach of privacy claim did not fare any better. At the outset, the court suggested that this claim was made against the wrong defendant. The plaintiff alleged that it was the vendor’s system that was breached, not a system managed by the Pennsylvania Department of Corrections. Accordingly, it could be difficult to make the connection when the plaintiff did not allege that the Pennsylvania Department of Corrections shared his personal information with the vendor without his permission. Finally, the court noted the plaintiff did not allege that the threat actor actually viewed his personal information. This, the court recognized, was only “an increased risk of identity theft or fraud,” not a successful breach of privacy claim.
For more developments in this area of the law, stay tuned.