The law can be funny. Not in a comedic way, but in a way that defies expectations about what is needed to bring a cause of action. Sometimes this is manifested in the quantum of evidence needed to bring an action and survive a pre-answer motion to dismiss. Other times, it is manifested in the capacity or standing of the plaintiff to commence the action. In Greco v. Syracuse ASC, LLC, 2023 N.Y. Slip Op. 03987 (4th Dept., July 28, 2023) (here), the Appellate Division, Fourth Department addressed the latter scenario in the context of a computer hack; in particular, in connection with the unauthorized access to certain personal information belonging to plaintiff and others, which was stored on defendant’s computer system.

The Rules Concerning Standing

Standing is a threshold determination, resting in part on policy considerations, that a person should be allowed access to the courts to adjudicate the merits of a particular dispute.[1] Without standing, a person cannot bring a lawsuit. Whether a person seeking relief is a proper party to request an adjudication is an aspect of justiciability which, when challenged, must be considered at the beginning of litigation.

In order to have standing to sue, a plaintiff must allege the existence of an injury-in-fact that ensures that s/he has some concrete interest prosecuting the action.[2] The injury-in-fact requirement necessitates a showing that the party has “an actual legal stake in the matter being adjudicated”[3] and that the party has suffered a cognizable harm that is not “‘tenuous,’ ‘ephemeral,’ or ‘conjectural,’” but is, instead, “sufficiently concrete and particularized to warrant judicial intervention.”[4] Notably, an alleged injury will not confer standing if it is based on speculation about what might occur in the future or what future harm might be incurred.[5]

Background

Plaintiff, a former patient of defendant, Syracuse ASC d/b/a Special Surgery Center of CNY (“SSC”), alleged that SSC failed to safeguard and protect her confidential information as well as that of class members, including private health information protected under HIPAA and sensitive personal information. Plaintiff alleged that a data breach occurred on March 31, 2021, whereby cybercriminals were able to gain access to approximately 24,891 class members’ sensitive information.

Defendant moved to dismiss, claiming, among other things, plaintiff lacked standing to bring the action. Defendant argued that plaintiff failed to offer any facts to support the claim that the potential for misuse of information sufficed to confer standing. Defendant contended that general allegations that individuals whose confidential information had been exposed during a data breach were more likely to experience future identity theft were conclusory and speculative.

The motion court denied the motion.

The motion court held that the risk of harm from the cyberattack satisfied the injury-in-fact requirement. The motion court explained that the risk of imminent future harm arising from the theft of plaintiff’s personal and sensitive information by cybercriminals was sufficiently concrete to confer standing on her.[6] Indeed, noted the motion court, “[c]ourts have found that victims of targeted data breaches have standing based on an imminent risk of threat to seek redress from a defendant[’s] negligence, notably including where the stolen data has not yet been used.”[7]

Defendant appealed. The Fourth Department “unanimously reversed.”[8]

The Fourth Department’s Decision

The Court held, after considering “all relevant circumstances,” that plaintiff failed to allege “an injury-in-fact and thus lack[ed] standing.”[9] “[I]mportantly,” explained the Court, “plaintiff ha[d] not alleged that any of the information purportedly accessed by the unknown third party ha[d] actually been misused.”[10] Similarly, the Court noted that “Plaintiff ha[d] not alleged that her own information ha[d] been misused or that the data of any similarly situated person ha[d] been misused in the over one-year period between the alleged data breach and the issuance of the trial court’s decision.”[11] The absence of such allegations, held the Court, was fatal to the survival of the pleading.

Further, the Court noted that, according to the complaint, only health information was accessed by a third-party.[12] The complaint did not, said the Court, “allege that a third party accessed data more readily used for financial crimes such as dates of birth, credit card numbers, or social security numbers.”[13] In sum, the Court found that plaintiff merely expressed “a general concern that certain of [her] health information may have been illegally accessed by a third party”; she did not “allege any direct harm flowing from the breach of defendant’s electronic system.”[14]

As a result, the Court concluded that “plaintiff failed to allege an injury-in-fact inasmuch as the potential for future misuse of her data and possible economic harm [was] too ‘conjectural, tenuous [and] hypothesized’ to constitute an interest that [was] sufficiently concrete to confer standing.”[15]

Finally, the Court rejected plaintiff’s argument that she “established an injury-in-fact by virtue of the cost of identity protection and other mitigation efforts.”[16] In doing so, the Court “conclude[d] that such mitigation efforts cannot confer standing absent a sufficiently concrete injury-in-fact legitimizing or warranting such efforts.”[17] A plaintiff “‘cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending,’” said the Court.[18]

Takeaway

Greco is an important decision because it represents the first decision of an appellate court in the state system to address standing “in a case brought by an individual whose information was involved in a larger electronic data breach or whose personal data was otherwise involved in the unauthorized access of electronic files stored on a computer system.”[19]

In deciding the issue of standing, the Court took great pains to recognize the tension between modern harms and traditional notions of standing, concluding that the law can adapt to the new issues that impact our modern lives:

Although the rise of unauthorized access to secure electronic systems, resulting in third parties obtaining the information stored thereon, is a relatively modern issue, the injury-in-fact requirement recognized in other contexts applies equally here. Thus, the novel issue presented is simply what circumstances, specific to this context, create an injury that is “sufficiently concrete” and non-speculative to constitute an injury-in-fact.[20]

The Court’s observation about adaptation makes sense. In a modern society, social, political and economic circumstances change. The risks and harms that people face in their daily lives are many. One risk –identity theft – affects far too many people. Readers of this Blog would be hard-pressed to read a newspaper or magazine and not find an article discussing a data breach or some other cyberattack. Greco shows that the risk of harm resulting from a cyberattack on a third-party that controls one’s personal and sensitive information is not, by itself, sufficient to confer standing to sue the third-party for relief. “[A]llegations of possible future injury” or even an “objectively reasonable likelihood” of future injury are insufficient to confer standing.[21] The injury must be concrete and particularized to warrant judicial intervention.[22] Greco makes this point clear.