Data Breach Class Action Not Barred by Lack of Individual Injury in West Virginia
In a potentially groundbreaking decision, the Supreme Court of Appeals of West Virginia reversed a trial court’s order denying class certification in a data breach class action. The case, Tabata v. Charleston Area Medical Center, holds that petitioners have standing and meet the requirements for class certification to bring causes of action for breach of confidentiality and invasion of privacy despite no evidence that any named plaintiffs were victims of any actual or attempted identity theft, or for that matter, suffered any actual economic loss. Tabata v. Charleston Area Med. Ctr., --- S.E.2d ----, 2014 WL 2439961 (W. Va. May 28, 2014).
The West Virginia Case
While the decision is only binding on West Virginia courts, it could have national implications as it will likely be cited as persuasive authority that no evidence of economic damages is needed for a class to have standing and meet the requirements for certification. However, Tabata should have limited application as it only interprets West Virginia law. For example, in Florida, actions for breach of confidentiality and invasion of privacy have different elements, but this will likely be tested in an effort to move the law in this new direction.
In Tabata, the named plaintiffs’ personal and medical information contained in a database operated by Charleston Area Medical Center (CAMC) was accidentally placed on the Internet. The information included names, contact information, Social Security numbers, dates of birth, and basic respiratory care information. CAMC admitted that the information could have been exposed if “someone were to conduct an advanced Internet search.” Id. CAMC notified the plaintiffs of the data breach and offered them a full year of credit monitoring at CAMC’s cost. The plaintiffs filed an action individually and on behalf of a class alleging various causes of action, including breach of confidentiality and invasion of privacy. Importantly,
[d]iscovery revealed that the petitioners and respondents are not aware of any unauthorized and malicious users attempting to access or actually accessing their information, and they are not aware of any of the 3,655 affected patients having any actual or attempted identity theft. Further, the petitioners have not suffered any property injuries or sustained any actual economic losses. Finally, the petitioners are not aware if any other potential class members have sustained such injuries.
Id.
The Supreme Court of Appeals of West Virginia agreed with the trial court that the risk of future identity theft alone did not establish the plaintiffs’ standing. However, the court held that under West Virginia law, breach of confidentiality and invasion of privacy claims need not allege special damages. Therefore, the mere fact that the plaintiffs’ confidential data had been made publicly available established an injury in fact with a causal connection to the claims for breach of confidentiality and invasion of privacy, which would likely be redressed through a favorable decision by the court: the elements of standing. Id.
Moreover, the court held that the class could be certified because the claims were based on the same event and same legal theories (typicality); and most importantly, arose from the same nucleus of operative facts and law (commonality); and individual issues, including those related to damages, were outweighed by the commonality of the claims. In fact, the court relied on the lack of evidence of damages to find that common questions of law and fact predominated over individual issues; there being no actual economic damages, any individual damages analysis would not ultimately consume the court and subvert the need for judicial economy. While the court emphasized that its decision was narrow and made “absolutely no determination regarding the merits or the lack thereof” of the causes of action, it has paved the way for the plaintiffs, and future plaintiffs in West Virginia, to state claims following a data breach absent any evidence of actual damages.
Potential Impact in Florida
Though Tabata will likely be cited nationwide to support data breach class actions for data breaches where there is no evidence of actual damages, its application is limited as it hinges on the elements of breach of confidentiality and invasion of privacy claims under West Virginia law. Though the Tabata plaintiffs had not suffered a “concrete and particularized injury,” under West Virginia law, no such injury is required to state a claim for breach of the duty of confidentiality, nor must special damages be alleged to state a claim for invasion of privacy. Id. In Florida, however, the plaintiffs would have likely lacked standing as these causes of action require more to establish an injury-in-fact.
For example, the mere fact that medical information is disclosed to non-authorized individuals does not give rise to a cause of action for breach of confidentiality absent other circumstances. Indeed, there must at least be evidence that the protected information was actually received by a non-authorized individual. See D.E.W. v. Krouse, 41 So. 3d 320, 322 (Fla. 4th DCA 2010). In Krouse, the plaintiff argued that a doctor’s disclosure of her HIV positive status in front of her daughters gave rise to a claim for medical malpractice based on a breach of confidentiality. Id. at 321. However, there was no evidence that the plaintiff’s daughters actually heard the doctor, and therefore no actual disclosure of the confidential information could be proven.
If one were to apply the facts of Tabata to this analysis, there having been no evidence of any disclosure of the medical records to anyone, a Florida court would have likely found that no injury-in-fact could have been established. In fact, claims for emotional damages based on breach of confidentiality can only succeed where there is evidence that highly sensitive confidential information was disclosed. See Fla. Dep’t of Corr. v. Abril, 969 So. 2d 201 (Fla. 2007) (interpreting section 381.004, Florida Statutes, concerning HIV testing, to create an exception to the impact rule to allow a claim for breach of confidentiality where strictly emotional damages resulted from the negligent disclosure of a patient’s HIV positive status); see also Gracey v. Eaker, 837 So. 2d 348, 350 (Fla. 2002) (finding the impact rule did not bar recovery for emotional damages resulting from a psychotherapist’s breach of confidentiality of plaintiffs’ “very sensitive and personal information.”).
The fact pattern in Tabata would likely face an even tougher challenge to establish standing for an invasion of privacy claim in Florida. Invasion of privacy is only actionable in Florida if the publication of private records would be “highly offensive to a reasonable person.” Post-Newsweek Stations Orlando, Inc. v. Guetzloe, 968 so 2d 608, 613 (Fla. 5th DCA 2007) (quoting Cape Publ’ns, Inc. v. Hitchner, 549 So. 2d 1374, 1377-78 (Fla. 1989)). In Guetzloe, which reversed a temporary injunction preventing the publication of medical records, the court opined that in the context of prior restraint, “[a]lthough we can certainly conceive of hypothetical situations when publication of sensitive medical records” might be highly offensive to a reasonable person, the court could only speculate prior to publication. Id. Most importantly, the court found that “in most instances, an individual’s medical records would not be of public interest.” Id. at 612.
While the common law might evolve concerning the elements needed to establish an injury following a data breach, and the Tabata decision could well be cited in an attempt to move the law in that direction, its current authority has limited application outside West Virginia.
The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.