Data Breach Class Action Not Barred by Lack of Individual Injury in West Virginia

by Carlton Fields
Contact

In a potentially groundbreaking decision, the Supreme Court of Appeals of West Virginia reversed a trial court’s order denying class certification in a data breach class action.  The case, Tabata v. Charleston Area Medical Center, holds that petitioners have standing and meet the requirements for class certification to bring causes of action for breach of confidentiality and invasion of privacy despite no evidence that any named plaintiffs were victims of any actual or attempted identity theft, or for that matter, suffered any actual economic loss.  Tabata v. Charleston Area Med. Ctr., --- S.E.2d ----, 2014 WL 2439961 (W. Va. May 28, 2014)

The West Virginia Case

While the decision is only binding on West Virginia courts, it could have national implications as it will likely be cited as persuasive authority that no evidence of economic damages is needed for a class to have standing and meet the requirements for certification.  However, Tabata should have limited application as it only interprets West Virginia law.  For example, in Florida, actions for breach of confidentiality and invasion of privacy have different elements, but this will likely be tested in an effort to move the law in this new direction.

In Tabata, the named plaintiffs’ personal and medical information contained in a database operated by Charleston Area Medical Center (CAMC) was accidentally placed on the Internet.  The information included names, contact information, Social Security numbers, dates of birth, and basic respiratory care information.  CAMC admitted that the information could have been exposed if “someone were to conduct an advanced Internet search.”  Id.  CAMC notified the plaintiffs of the data breach and offered them a full year of credit monitoring at CAMC’s cost.  The plaintiffs filed an action individually and on behalf of a class alleging various causes of action, including breach of confidentiality and invasion of privacy.  Importantly,

[d]iscovery revealed that the petitioners and respondents are not aware of any unauthorized and malicious users attempting to access or actually accessing their information, and they are not aware of any of the 3,655 affected patients having any actual or attempted identity theft.  Further, the petitioners have not suffered any property injuries or sustained any actual economic losses.  Finally, the petitioners are not aware if any other potential class members have sustained such injuries.  

Id.   

The Supreme Court of Appeals of West Virginia agreed with the trial court that the risk of future identity theft alone did not establish the plaintiffs’ standing.  However, the court held that under West Virginia law, breach of confidentiality and invasion of privacy claims need not allege special damages.  Therefore, the mere fact that the plaintiffs’ confidential data had been made publicly available established an injury in fact with a causal connection to the claims for breach of confidentiality and invasion of privacy, which would likely be redressed through a favorable decision by the court:  the elements of standing.  Id

Moreover, the court held that the class could be certified because the claims were based on the same event and same legal theories (typicality); and most importantly, arose from the same nucleus of operative facts and law (commonality); and individual issues, including those related to damages, were outweighed by the commonality of the claims.  In fact, the court relied on the lack of evidence of damages to find that common questions of law and fact predominated over individual issues; there being no actual economic damages, any individual damages analysis would not ultimately consume the court and subvert the need for judicial economy.  While the court emphasized that its decision was narrow and made “absolutely no determination regarding the merits or the lack thereof” of the causes of action, it has paved the way for the plaintiffs, and future plaintiffs in West Virginia, to state claims following a data breach absent any evidence of actual damages.

Potential Impact in Florida

Though Tabata will likely be cited nationwide to support data breach class actions for data breaches where there is no evidence of actual damages, its application is limited as it hinges on the elements of breach of confidentiality and invasion of privacy claims under West Virginia law.  Though the Tabata plaintiffs had not suffered a “concrete and particularized injury,” under West Virginia law, no such injury is required to state a claim for breach of the duty of confidentiality, nor must special damages be alleged to state a claim for invasion of privacy.  Id.  In Florida, however, the plaintiffs would have likely lacked standing as these causes of action require more to establish an injury-in-fact.

For example, the mere fact that medical information is disclosed to non-authorized individuals does not give rise to a cause of action for breach of confidentiality absent other circumstances. Indeed, there must at least be evidence that the protected information was actually received by a non-authorized individual. See D.E.W. v. Krouse, 41 So. 3d 320, 322 (Fla. 4th DCA 2010).  In Krouse, the plaintiff argued that a doctor’s disclosure of her HIV positive status in front of her daughters gave rise to a claim for medical malpractice based on a breach of confidentiality. Id. at 321.  However, there was no evidence that the plaintiff’s daughters actually heard the doctor, and therefore no actual disclosure of the confidential information could be proven.

If one were to apply the facts of Tabata to this analysis, there having been no evidence of any disclosure of the medical records to anyone, a Florida court would have likely found that no injury-in-fact could have been established.  In fact, claims for emotional damages based on breach of confidentiality can only succeed where there is evidence that highly sensitive confidential information was disclosed.  See Fla. Dep’t of Corr. v. Abril, 969 So. 2d 201 (Fla. 2007) (interpreting section 381.004, Florida Statutes, concerning HIV testing, to create an exception to the impact rule to allow a claim for breach of confidentiality where strictly emotional damages resulted from the negligent disclosure of a patient’s HIV positive status); see also Gracey v. Eaker, 837 So. 2d 348, 350 (Fla. 2002) (finding the impact rule did not bar recovery for emotional damages resulting from a psychotherapist’s breach of confidentiality of plaintiffs’ “very sensitive and personal information.”).

The fact pattern in Tabata would likely face an even tougher challenge to establish standing for an invasion of privacy claim in Florida.  Invasion of privacy is only actionable in Florida if the publication of private records would be “highly offensive to a reasonable person.” Post-Newsweek Stations Orlando, Inc. v. Guetzloe, 968 so 2d 608, 613 (Fla. 5th DCA 2007) (quoting Cape Publ’ns, Inc. v. Hitchner, 549 So. 2d 1374, 1377-78 (Fla. 1989)).  In Guetzloe, which reversed a temporary injunction preventing the publication of medical records, the court opined that in the context of prior restraint, “[a]lthough we can certainly conceive of hypothetical situations when publication of sensitive medical records” might be highly offensive to a reasonable person, the court could only speculate prior to publication. Id.  Most importantly, the court found that “in most instances, an individual’s medical records would not be of public interest.” Id. at 612. 

While the common law might evolve concerning the elements needed to establish an injury following a data breach, and the Tabata decision could well be cited in an attempt to move the law in that direction, its current authority has limited application outside West Virginia.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Carlton Fields | Attorney Advertising

Written by:

Carlton Fields
Contact
more
less

Carlton Fields on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.