Claims regarding potential harm from a data breach at a medical practice have been thrown out by a court in New York. New York, like most states, does not have a privacy statute that protects personal information in a general sense. Thus, the plaintiffs could not allege a statutory violation and had to fall back on common law claims about the possibility of being harmed or defrauded when information from their patient files was accessed via a hack. The court rejected the claims, as did most courts in the pre-privacy-law era, because the plaintiffs had not shown any actual (or pending) harm as a result of the breach.
Why It Matters
It used to be fairly easy to defeat privacy claims in court, because most courts do not like to award monetary damages to plaintiffs who cannot show actual losses when their personal information is hacked from a company database. Today, however, one state (California) has a privacy law on the books that does not necessarily require proof of harm to recover damages, and four more states will have privacy laws taking effect next year. More are expected after that. Not all of them will be as plaintiff-friendly as California's, but there certainly will be more laws in the future that define a data breach itself as a compensable harm, even without any direct financial losses for individuals. That greatly increases the exposure for any affected company that suffers a hack, and makes cyber preparedness all the more critical.