Citing the Supreme Court’s recent decision in Spokeo, Inc. v. Robins, a Maryland District Court judge remanded a putative data breach class action for lack of Article III standing and subject matter jurisdiction. The opinion serves as an early indication of the added hurdles facing prospective data breach class action plaintiffs under Spokeo.
Plaintiff Fardoes Kahn brought her action against Children’s National Health System (“CNHS”), alleging that her personally identifiable information (commonly referred to as “PII”) was exposed when hackers gained access to the email accounts of certain CNHS employees. Judge Theodore D. Chuang held that Kahn had failed to allege a concrete injury in fact.
Quoting Spokeo, Judge Chuang dismissed Kahn’s claims alleging violations of state statutes: “Article III standing requires a concrete injury even in the context of a statutory violation.” Judge Chuang held that under Spokeo, a bare procedural harm under a federal statute, divorced from any concrete harm, would not satisfy the injury in fact requirement. “Here, where Khan alleges violations of state law, she advances no authority for the proposition that a state legislature or court, through a state statute or cause of action, can manufacture Article III standing for a litigant who has not suffered a concrete injury.” Judge Chuang noted that Kahn’s factual allegations fell short of a concrete injury, as there was “no indication that the patients’ personal data was actually viewed, accessed, or copied, or was even the target of the phishing scheme.”
The Spokeo decision is expected to have a significant impact on class action data breach claims predicated on violations of state and federal statutes. As this decision indicates, plaintiffs hoping to survive a jurisdictional challenge under Spokeo must allege a concrete harm, not a mere “bare procedural” statutory harm. See this blog’s further discussion of the Spokeo decision here.