May 21, 2022

Volume XII, Number 141

Advertisement
Advertisement

May 20, 2022

Subscribe to Latest Legal News and Analysis

May 19, 2022

Subscribe to Latest Legal News and Analysis

May 18, 2022

Subscribe to Latest Legal News and Analysis

Motion to Dismiss Filed in COVID Contact Tracing Data Breach Lawsuit

In June, we discussed a putative class action filed in the Eastern District of Pennsylvania concerning a data breach involving COVID-contact tracing data.  Following the Plaintiff’s filing of an amended complaint, the remaining Defendant has now moved to dismiss on both standing and substantive grounds.  Read on below.

To recap the alleged facts underlying this litigation: Plaintiff alleges that a contractor was retained by the Pennsylvania Department of Health (“DOH”) in the midst of the COVID pandemic to contact individuals who were either diagnosed with or in close proximity to individuals diagnosed with COVID-19. Plaintiff alleges that notwithstanding representations that all protected health information (“PHI”) “obtained in connection with COVID-19 contact tracing would be kept private and confidential, Defendants (including the contractor and Pennsylvania DOH) failed to take “appropriate or even the most basic steps to protect the PHI of Plaintiff and other class members from being disclosed.”  This included the contractor purportedly having employees who used “unsecure data storage and communications methods,” that resulted in the disclosure of Plaintiff’s and class members’ PHI.

After the original complaint was filed, Plaintiff amended the pleadings to remove the Commonwealth of Pennsylvania as a defendant, leaving only the private company contracted to do contact tracing.  She likewise abandoned her negligence per se claim and added a claim for breach of implied warranty, premised on the theory each person who gave their personally identifying information (“PII”) to the Defendant had an implied agreement and/or warranty from the Defendant to keep that information private.

The Defendant’s motion to dismiss first attacks the complaint on standing.  As readers of CPW are aware, one of the most hotly litigated areas in consumer privacy is standing—namely, the existence of a concrete, particularized injury.  Following the Supreme Court’s decisions in Clapper v. Amnesty International, 568 U.S. 398 (2013), Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) and TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021), plaintiffs may no longer predicate liability under privacy laws on the fear of future events or precautionary steps taken to avoid injury.  Instead, they must show that they have actually been harmed by a data event in a cognizable and concrete way.

Plaintiff’s amended complaint alleges a variety of common alleged harms in data breach litigation: time, energy, and money devoted to monitoring accounts, substantial risks of future identity theft, the receipt of unwanted phone calls in messages in the days after the breach occurred, and the diminishment of the value of PII.  And Defendant raises the arguments that have resulted, fairly often, in full dismissal of claims on standing grounds: plaintiffs cannot generate harm for the purposes of standing by relying steps taken to avoid harm, the fear of future harm, or spam communications that cannot be fairly attributed to the breach, and cannot imbue an independent monetary value to information that, presumably, a plaintiff would never actually sell.

Defendant also argues that Plaintiff’s negligence, publicity given to private life, and breach of implied warranty claims fail.  The most interesting of these arguments concerns the breach of implied warranty claim, in which Plaintiff alleges that her provision of PII and Defendant’s acceptance of it creates an implied contract and/or warranty to keep the information private.  Defendant’s primary argument is that the scope of the contract, including the scope of Defendant’s duties, is simply undefined.  Plaintiff’s claim also runs into an issue not normally present in data breach litigation: her PII was submitted for COVID contact tracing, the entire purpose of which is to ensure that the information is shared so that a network of contacts can be established.  If PII given to a contact tracer cannot be shared, it is difficult to see why it was given in the first place.

We’ll keep an eye on future briefing in this case, as well as any resolution issued by the Court.  Stay tuned.  CPW will be there to keep you in the loop.

© Copyright 2022 Squire Patton Boggs (US) LLPNational Law Review, Volume XI, Number 260
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Jesse Taylor Associate  Columbus complex contract, franchise law, qui tam litigation
Associate

Jesse Taylor practices in state and federal court, with experience in complex contract and franchise law and qui tam litigation.

Prior to joining Squire Patton Boggs, he worked as a litigation associate in another top 20 international law firm. Previously, Jesse served as a law clerk to the Honorable Judith E. Levy, US District Court, Eastern District of Michigan, and to the Honorable James G. Carr, US District Court, Northern District of Ohio. In addition to his law firm experience and clerkships, Jesse worked as the online communications director for the Office of the...

614-365-2714
Kristin L. Bryan Litigation Attorney Squire Patton Boggs Cleveland, OH & New York, NY
Senior Associate

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...

216-479-8070
Advertisement
Advertisement
Advertisement