Webb v. Injured Workers Pharmacy, LLC the First Circuit recently reversed a lower court’s dismissal of class action claims brought by former pharmacy patients alleging that their sensitive personal information had been exposed in a data breach affecting more than 75,000 customers. For our analysis of the district court decision, see our prior post. For a discussion of the reasoning underlying the First Circuit’s holding and what to watch for in future litigation, see our recent analysis. The Webb decision will likely heighten class action risks that businesses face after data security incidents and will likely invite an increase in litigation even beyond that context, including consumer data privacy claims.
Webb is not only instructive to the plaintiff’s bar, it also offers guidance to companies and their counsel on how to mitigate litigation exposure in privacy and data breach cases. Importantly, as discussed below, Webb breathes fresh life into the privacy torts in determining whether certain intangible harms are concrete for purposes of establishing Article III standing. Whether plaintiffs can establish that they suffered concrete harm as a result of a data breach is a pivotal issue on which many data breach cases hinge.
Understanding the elements of the privacy torts and the types of harms they seek to redress is critical, as they help inform us about privacy and data security practice norms as well as appropriate factors to consider for incident response. Most states recognize some of or all the privacy torts: public disclosure of private facts, intrusion upon seclusion, false light, appropriation, breach of confidentiality, and defamation. Each of these forms of invasion is distinct and calls for different things by way of proof. They seek to protect different individual and societal interests and provide redress for certain types of intangible injuries, such as emotional and psychological harms, reputational harms, relationship harms, vulnerability harms, and power imbalances.
In Webb, the court held that alleged actual misuse of plaintiff Webb’s personally identifiable information (PII), by itself, is sufficient to establish a concrete injury and that it is not necessary for her to allege the existence of any additional harm resulting from the misuse. The court found that the alleged actual misuse (filing of fraudulent tax return), “is closely related to the tort of invasion of privacy based on appropriation of another’s name or likeness, which ‘protect[s]...the interest of the individual in the exclusive use of his own identity, in so far as it is represented by his name or likeness, and in so far as the use may be of benefit to him or to others.’”
Interestingly, the court pointed out as “also instructive” its decision in Anderson v. Hannaford Brothers Co., 659 F.3d 151 (1st Cir. 2011), even though it did not concern Article III standing. There the court held that the alleged mitigation costs incurred by plaintiffs in response to a serious data breach, where there was actual (and a real risk of) misuse of personally identifiable information, constituted a cognizable harm under Maine law. The court’s reference in Webb to the latter decision, perhaps made in response to the fact that Injured Workers Pharmacy had not offered to provide, at its own expense, credit monitoring and identity protection services to all affected individuals, may offer a cautionary lesson for potential defendants in data breach cases.
Risk of Future Misuse
Next, the court held that the complaint plausibly alleged a concrete injury in fact based on the material risk of future misuse of plaintiff Charley’s personally identifiable information and a concrete harm caused by exposure to this risk. Based on the “totality of the complaint,” including the allegations about the nature and scope of the data breach itself, specifically, that it was the result of a targeted attack, the stolen PII included patient names and social security numbers, and the hackers remained undetected for almost four months, the court concluded that there was “an imminent and substantial risk of future misuse of the plaintiffs’ PII.”
Further, based on the allegations of the “plaintiffs’ lost time spent taking protective measures that would otherwise have been put to some productive use,” the court found that the complaint had plausibly alleged a “separate concrete, present harm caused ‘by [the plaintiffs] exposure to [this] risk [of future harm].’” In a footnote, the court observed that the complaint did not allege that the plaintiffs purchased identity theft insurance or credit monitoring services or incurred similar mitigation costs.
Breach of Confidence and Invasion of Privacy
Significantly, the court noted that it did not consider the question whether “exposure of [plaintiffs] PII in the breach itself was itself an intangible harm sufficient to confer standing – for example, by analogy to the torts of breach of confidence or invasion of privacy based on public disclosure of private information”, because the plaintiffs did not argue the point. By making this point in its opinion, the court all but invites future plaintiffs to make the argument that certain data breach injuries resulting from unauthorized access to, or acquisition of, sensitive personal information are closely related to intangible harms traditionally recognized as providing a basis for lawsuits, such as reputational harms, disclosure of private information, and intrusion upon seclusion. The court also left for another day the question whether an alleged “diminution [in] value of [plaintiffs’] PII” is sufficient to establish standing, since the plaintiffs had waived this argument.
Privacy & Data Security Lessons for Businesses
Based on the First Circuit’s analysis and the questions it left open, including the renewed vitality bestowed on the privacy torts in the context of Article III standing, companies should consider reevaluating their privacy and data security practices and updating their incident response plans in ways designed to anticipate the arguments of the plaintiffs’ bar and to mitigate their litigation exposure from a cybersecurity incident. As a start, as part of their incident response planning, businesses should consider asking the following questions:
- Has the company timely notified all affected customers in a reasonably accessible manner to ensure that notice was effective and complaint with applicable deadlines?
- How can the company mitigate against the loss of professional and personal time that may be expended by affected customers in response to the incident? How can the means of communication and mitigation measures the company offers to those customers be as streamlined and time-efficient as possible?
- How can the company alleviate customer anxiety concerning any threats posed by the potential or actual misuse of sensitive personal data? Useful measures may include follow-up communications to reassure customers of the company’s engagement and vigilance, as well as free credit monitoring.
- Has the company examined its dispute resolution terms with customers, including terms that could reduce the risk of class action litigation and mass arbitration?
- How can the company predict and preempt injunctive relief that litigants may seek, including curative disclosures, compliance improvements, or remedial measures?
- Has the company established a rigorous record-keeping process for communications with affected customers in the event of later litigation or arbitration? It can be critical to preserve communications with potential litigants, who may assert theories that are inconsistent with their actual dealings.