Even in Privacy Cases, Risk of Injury Does not Always Equal Injury
Written by Kevin McGinty
It’s an ancient conundrum: if a tree falls in the forest, and no one is there to hear it, does it make a sound? Privacy litigation may well offer the closest jurisprudential equivalent: if data is stolen, but no one does anything with it, has there been an injury? A recent Illinois state court decision is the latest to answer the latter question in the negative.
In Maglio v. Advocate Health & Hospitals Corp., the court dismissed a class action arising from the theft of two unencrypted laptops containing protected medical information about Advocate Health patients. Plaintiffs did not allege that their information had been accessed or disseminated, or that they had suffered identity theft or any other tangible loss as a result of the theft. The plaintiffs nonetheless argued that the risk of harm due to the possession of their information by unknown third parties constituted sufficient injury in fact to permit their Illinois state law claims to go forward. The court disagreed. Following Illinois and federal precedent, the court in Maglio ruled that the existence of injury would depend on the thieves who took the laptops “actively disclosing, selling to other criminals, or otherwise misusing the data on the computers.” Plaintiffs made no such allegations and there was “no actual or impending certainty of identity theft.” As such, the court ruled that plaintiffs had not alleged actionable injury, and dismissed their case.
One factor weighing against the plaintiffs in Maglio was the fact that the data breach was incident to theft of laptops. In such cases, the object of the theft is generally the hardware, not the data, weakening any inference that the data is at risk for misuse. Some decisions, such as the First Circuit’s ruling in Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011), have distinguished targeted data breaches resulting from activities of hackers who access commercial databases specifically for the purpose of obtaining and using protected information, holding that consumer costs to avoid injury from misuse of data in such cases could constitute actionable injury. The Hannaford decision, however, is an outlier – a majority of decisions still hold the contrary – and is distinguishable from the laptop theft scenario at issue in Maglio. Thus, Maglio provides additional authority weighing against the likelihood of success on a data breach claim premised on theft of computer hardware.