Recent Data Breach Class Actions Dismissed

A District Court in California recently dismissed a class action against IBM and Health Net of California after determining plaintiffs lacked standing because they failed to allege "injury in fact" stemming from a data breach. Defendants lost server drives containing personal and medical information of more than 800,000 California residents; however, the Court concluded that named plaintiffs failed to allege a "particularized, real and immediate harm" stemming from the data loss. The court distinguished this case from those where data breach was the result of a theft – cases where plaintiffs were found to have standing – and determined that the risk of identity theft from data loss was insufficient to allege standing to sue under California's Confidentiality of Medical Information Act and Customer Records Act. In a similar case, the First Circuit affirmed a lower court decision to dismiss a case where the plaintiff had alleged that National Planning Corporation had failed to protect nonpublic information on its online brokerage platform. In the case, the plaintiff alleged that NPC had failed to adhere to Massachusetts' data security provisions, although she did not allege that any breach had occurred as a result, only that a breach could occur.  

TIP: These cases suggest that companies may be able to overcome class actions filed in the aftermath of a data breach. One of the factors that can help in minimizing risk is to consider taking steps to mitigate any potential harms that a plaintiff could allege.