
Without a State Statute, Privacy Claims Fail After Data Breach

Claims regarding potential harm from a data breach at a medical practice have been thrown out by a court in New York. New York, like most states, does not have a privacy statute that protects personal information in a general sense. Thus, the plaintiffs could not allege a statutory violation and had to fall back on common law claims about the possibility of being harmed or defrauded when information from their patient files was accessed via a hack. The court rejected the claims, as did most courts in the pre-privacy law era, because the plaintiffs have not shown any actual (or pending) harm as a result of the breach.  

Why It Matters

It used to be fairly easy to defeat privacy claims in court, because most courts do not like to award monetary damages to plaintiffs who cannot show actual losses when their personal information is hacked from a company database. Today, however, one state (California) has a privacy law on the books that does not necessarily require proof of harm to recover damages, and four more states will have privacy laws taking effect next year. More are expected after that. Not all of them will be as plaintiff-friendly as California's, but there certainly will be more laws in the future that define a data breach itself as a compensable harm, even without any direct financial losses for individuals. That greatly increases the exposure for any affected company that suffers a hack, and makes cyber preparedness all the more critical.

The plaintiffs argued that they had Article III standing to move forward with their claims for negligence, breach of contract, violation of the New York General Business Law Section 349 and intrusion upon seclusion because they faced "an ongoing imminent risk" of identity theft and fraud given that, unlike payment card data, there is no way to cancel dates of birth, medical history and other personal health information that was swept up by the breach.

