Privacy Daily is a service of Warren Communications News.

Ill. Supreme Court Rules Injury Must be Alleged to Have Standing in Data Breach Incidents

The Illinois Supreme Court ruled Friday that a plaintiff didn't allege actual injury in a class-action suit that claimed medical services group Christie Business Holdings negligently failed to protect its patients’ private personal data when an unknown third party gained unauthorized access to one of the business's emails.

“Viewing the letter in the light most favorable to [the plaintiff], the primary factual allegation of the complaint is that [plaintiff Rebecca] Petta and the other members of the putative class faced only an increased risk that their private personal data was accessed by an unauthorized third party,” wrote Justice Joy Cunningham in the unanimous ruling that dismissed the complaint. “In a complaint seeking monetary damages, such an allegation of an increased risk of harm is insufficient to confer standing.”

“As alleged in Petta’s complaint, the wrongful act committed by Christie was the failure to adequately prevent Petta’s private personal data from being disclosed to an unauthorized third party,” wrote Cunningham. “Critically, however, Petta’s complaint does not allege that any of her private, personally identifiable information, such as her Social Security number, was used in the loan application. Instead, Petta alleges only that her publicly available phone number and city were used in an application that was made ‘in someone else’s name.’ The allegation regarding the loan application is therefore not, in fact, an instance of someone stealing Petta’s identity or an indication that an unauthorized third party had acquired Petta’s private, personally identifiable information.”

Petta had filed a class-action complaint against Christie for allegedly failing to protect personal data, including Social Security numbers and health insurance information, from exposure when an unknown third party hacked into the company’s business email accounts. Christie filed a motion to dismiss the complaint, alleging that Petta lacked standing and failed to state a valid claim.

While the trial court found that Petta’s allegation that her phone number and part of her address were used in an unauthorized loan application gave her standing, it found she failed to state a claim, wrote Cunningham. The trial court dismissed her complaint on that basis, and the appellate court affirmed the dismissal, the ruling said. The appellate court, however, dismissed Petta’s complaint because she had not alleged that her private personal data was used in any unauthorized loan applications, so the “increased risk of identity theft” was “too speculative” for standing, a conclusion the supreme court agreed with in its ruling.