This post examines an opinion from the U.S. District Court for the District of Maryland: Khan v. Children’s National Health System,
2016 WL 2946165 (2016). The judge begins the opinion by explaining that
Khan receives treatment at Children's
Hospital in Washington, D.C., a hospital operated by CNHS. Khan provided CNHS
with personally identifiable information such as her date of birth, Social
Security number, address, and telephone number. CNHS also maintains records
containing Khan's private health care information such as diagnoses, treatment
records, and health insurance information.
On or about July 26, 2014, hackers gained access to the email accounts of certain CNHS employees when those employees responded to “phishing” emails. The hackers' infiltration was not detected until December 26, 2015. During the five intervening months, the “email accounts had been potentially exposed in a way that may have allowed hackers to access information contained in those email accounts.” Compl. ¶ 13.
The email accounts contained certain patient information, such as names, addresses, dates of birth, Social Security numbers, and telephone numbers, as well as private health care information. On February 26, 2015, CNHS sent a letter to approximately 18,000 patients, including Khan, notifying them that their personal data may have been contained in these email accounts. CNHS stated that the data breach did not extend to its electronic medical records system or patient charts and professed to have “no evidence that the information in the emails has been misused or even accessed.” Def.'s Motion to Dismiss Ex. A, Data Breach Letter.
Khan v. Children’s National Health System, supra.
The opinion goes on to note that Khan alleges that her sensitive personal information was “compromised, viewed, and/or stolen” because CNHS did not take sufficient steps to protect it through encryption, passwords, or other measures. Complaint ¶¶ 20-21; 109. Upon learning of the breach, she placed passwords on her bank and credit card accounts. She remains concerned that her personal information will be misused, but she does not claim that she or anyone else affected by the data breach has learned of any misuse to date.
Khan v. Children’s National Health System, supra.
The judge explained that Khan originally
filed suit in the Circuit Court for
Montgomery County, Maryland on June 1, 2015, alleging violations of the
Maryland Consumer Protection Act, Md. Code Ann., Com. Law §§
13–301 to 13–501 (2013), and the District of Columbia Consumer Protection Procedures Act, D.C. Code Ann., §§ 28–3901 to 28–3913
(2013), as well as negligence, breach of implied contract, and unjust
enrichment.
On July 21, 2015, CNHS removed the case
to this Court under the Class Action Fairness Act, 28 U.S.C. § 1332(d)
(2012). On September 8, 2015, CNHS filed a Motion to Dismiss. On October 16,
2015, Khan submitted an Opposition to the Motion. . . .
Khan v. Children’s National Health System, supra.
As Wikipedia explains, in the United States, removal jurisdiction
refers to the right of
a defendant to move a lawsuit filed in state
court to the federal district court for the federal judicial
district in which the state court sits. This is a general exception to the
usual American rule giving the plaintiff the right to make the
decision on the proper forum. Removal occurs when a defendant files a “notice of removal” in the state court where the lawsuit is filed and the federal court to which the defendant would like to remove the case.
Removal is governed
by statute, 28 U.S. Code § 1441 et seq. With
rare exceptions, a case may be removed only if, at the time of the initial
filing, the case could have been filed in federal court. Removal requires an
independent ground for subject-matter jurisdiction such as diversity
jurisdiction or federal question jurisdiction. A case must be removed
to the federal district court that encompasses the state court where the action
was initiated.
And as Wikipedia also explains, in U.S. law, a “motion is a procedural
device for decision. It is a request to the judge (or judges) to
make a decision about the case.”
Khan responded to CNHS’s motion to dismiss by filing an “Opposition to the Motion”, to which CNHS “filed a Reply.”
Khan v. Children’s National Health System, supra.
The judge began his analysis of the issues raised by the
motion to dismiss and Khan’s opposition to the motion by explaining that CNHS
argues that the Complaint should be
dismissed for lack of subject matter jurisdiction under Federal Rule of Civil Procedure 12(b)(1) because Khan lacks standing, or, in the alternative,
for failure to state a claim under Rule 12(b)(6). Because the Court finds,
for the reasons stated below, that Khan lacks standing and that the Court thus
lacks subject matter jurisdiction, it does not address the merits of Khan's claims.
See Steel Co. v. Citizens for a Better Environment, 523 U.S. 83 (1998).
Khan v. Children’s National Health System, supra.
The judge began his analysis of the motion by explaining that
[i]t is the plaintiff's burden to show
that subject matter jurisdiction exists. Evans v. B.F. Perkins Co., Div.
of Standex Int'l Corp., 166 F.3d 642, 647 (U.S. Court of Appeals for the 4th Circuit 1999). Federal Rule of Civil Procedure 12(b)(1) allows a defendant
to move for dismissal based upon the belief that the plaintiff has failed to
make that showing. When, as in this case, a defendant asserts that the
plaintiff has failed to allege facts sufficient to establish subject matter
jurisdiction, the allegations in the complaint are assumed to be true under the
same standard as in a Rule 12(b)(6) motion, and “the motion must be denied if the complaint alleges sufficient facts to invoke subject matter jurisdiction.” Kerns v. United States, 585 F.3d 187 (U.S. Court of Appeals for the 4th Circuit 2009).
Khan v. Children’s National Health System, supra.
He goes on to explain that
Article III of the Constitution limits the judicial power of the federal courts to actual “Cases” and “Controversies.” U.S. Const. art. III, § 2, cl. 1. To invoke this power, a litigant must have standing. Hollingsworth v. Perry, 133 S.Ct. 2652 (2013). The plaintiff bears the burden of proving standing. Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992). A plaintiff must establish (1) an injury in fact (2) fairly traceable to the challenged conduct (3) that is likely to be “redressed by a favorable judicial decision.” Hollingsworth v. Perry, supra. In a class action, the court analyzes the injuries alleged by the named plaintiffs, not unnamed members of the potential class, to determine whether the plaintiffs have Article III standing. Warth v. Seldin, 422 U.S. 490 (1975); O'Shea v. Littleton, 414 U.S. 488 (1974).
Khan v. Children’s National Health System, supra.
The judge also pointed out that
CNHS limits its attack on Khan's standing to the first element: injury in fact. An injury in fact requires “an invasion of a legally protected interest which is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical.” Lujan v. Defenders of Wildlife, supra. . . . The United States Supreme Court articulated the standard for a future injury qualifying as an injury in fact in Clapper v. Amnesty International USA, 133 S.Ct. 1138 (2013), a case in which the Court held that attorneys and human rights, labor, legal, and media organizations lacked standing to challenge a foreign intelligence surveillance program based on possible future interception of their phone calls, because the plaintiffs' alleged injury depended upon an “attenuated chain of possibilities”: the government would have to select the plaintiffs' clients and sources for surveillance, the Foreign Intelligence Surveillance Court would have to approve the proposed surveillance, and the plaintiffs' communications would actually have to be intercepted. Clapper v. Amnesty International USA, supra. The Court held that a threatened future injury “must be certainly impending to constitute an injury in fact” and that allegations of “possible future injury are not sufficient.” Clapper v. Amnesty International USA, supra (emphasis in original).
The Court noted, however, that plaintiffs need not demonstrate that it is “literally certain” that they will suffer harm, and it acknowledged that “we have found standing based on a ‘substantial risk’ that the harm will occur.” Clapper v. Amnesty International USA, supra (quoting Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139 (2010)). Thus, “[a]n allegation of future injury may suffice if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur.” Susan B. Anthony List v. Driehaus, 134 S.Ct. 2334 (2014) (quoting Clapper v. Amnesty International USA, supra).
Khan v. Children’s National Health System, supra.
The opinion notes that “Khan alleges several injuries that
she contends establish Article III standing”, the first of which was that “she
faces an imminent threat of identity theft”. Khan v. Children’s National Health System, supra. The judge began his analysis of this issue as
a basis for Article III standing, explaining that
Khan's most promising argument that she
has an injury in fact to support Article III standing is that the data breach
has placed her at an increased risk of identity theft. Neither the United
States Court of Appeals for the Fourth Circuit nor any district court within
the Fourth Circuit has addressed the standing of data breach victims. The
issue, however, has been frequently litigated in federal courts in recent
years, with different results. Two circuits, the United States Courts of
Appeals for the Seventh and Ninth Circuits, have found standing for victims of
data breaches based on the increased risk of identity theft.
In Krottner v. Starbucks Corp.,
628 F.3d 1139 (U.S. Court of Appeals for the 9th Circuit 2010), a
case predating Clapper, a thief stole a laptop computer containing
the unencrypted names, addresses, and Social Security numbers of 97,000
Starbucks employees, which led Starbucks to notify those employees of the theft
and offer credit monitoring services, even though there had been “no indication that the private information has been misused.” Krottner v. Starbucks Corp., supra. One named plaintiff, however, alleged that in the month following the theft someone used his Social Security number to attempt to open a bank account. Krottner v. Starbucks Corp., supra. The court, noting that “the possibility of future injury may be sufficient to confer standing on plaintiffs,” held that the increased risk of identity theft was an injury in fact because the plaintiffs had alleged “a credible threat of real and immediate harm stemming from the theft of the laptop.” Krottner v. Starbucks Corp., supra.
Khan v. Children’s National Health System, supra.
The opinion goes on to explain that,
[f]ollowing Clapper, the
Seventh Circuit found standing stemming from hackers' use of malware to collect
credit card data from up to 350,000 credit card customers of Neiman Marcus, a
luxury department store. Remijas v. Neiman Marcus Group, LLC, 794
F.3d 688 (U.S. Court of Appeals for the 7th Circuit 2015). In Remijas,
Neiman Marcus learned that some of its customers had already found fraudulent
charges on their credit cards before alerting the public about the data
breach. Remijas v. Neiman Marcus Group, LLC, supra. Approximately
9,200 of those cards were known to have been used fraudulently in the wake of
the breach. Remijas v. Neiman Marcus Group, LLC, supra. The court
found that plaintiffs who alleged fraudulent charges on their credit cards had
standing based on the time and expense necessary to resolve those
charges. Remijas v. Neiman Marcus Group, LLC, supra.
Acknowledging that Clapper v. Amnesty International USA, supra requires a “certainly impending” future injury, or at least a “substantial risk” of injury, the court found that plaintiffs who had not experienced fraudulent charges also had standing because those plaintiffs knew, from the numerous cards already used fraudulently, that their personal information had been stolen by individuals who intended to misuse it. Remijas v. Neiman Marcus Group, LLC, supra (questioning why the hackers would “break into a store's database” other than “to make fraudulent charges or assume those consumers' identities”); see also Lewert v. P.F. Chang's China Bistro, Inc., 2016 WL 1459226 (U.S. Court of Appeals for the 7th Circuit 2016) (following Remijas and holding that where hackers stole customer credit card and debit card data from a restaurant chain, and a named plaintiff had already received a fraudulent charge, plaintiffs had standing to sue).
Khan v. Children’s National Health System, supra.
He went on to explain that, in Reilly v. Ceridian Corp., 664 F.3d 38 (U.S. Court of Appeals for the 3rd Circuit 2011), the U.S. Court of Appeals for the 3rd Circuit
held that plaintiffs alleging an injury in fact from an increased risk of identity theft lacked standing. In Reilly, hackers “potentially gained access to personal and financial information” of 27,000 individuals stored on the computer system of a payroll processing company. . . . It was unclear “whether the hacker read, copied, or understood” the plaintiffs' data. Reilly v. Ceridian Corp., supra. After determining what information the hacker “may have accessed,” the company sent letters to the potential identity theft victims informing them of the breach and offering to provide one year of free credit monitoring and identity theft protection. Reilly v. Ceridian Corp., supra.
Although Reilly predated Clapper, the Third Circuit applied the same standard later endorsed in Clapper, that the “threatened injury must be ‘certainly impending’” in order to support standing. Reilly v. Ceridian Corp., supra (quoting Whitmore v. Arkansas, 495 U.S. 149 (1990)). The court found that the increased risk of identity theft was “too speculative” to establish standing. Reilly v. Ceridian Corp., supra. Distinguishing Krottner v. Starbucks Corp., supra, in which someone had already attempted to open a bank account using stolen personal information, the court noted that there was no indication that the personal data had been or ever would be misused. Reilly v. Ceridian Corp., supra. Rather, the threat of future injury was premised on the “speculation” that the hackers had (1) “read, copied, and understood” the personal information; (2) intended “to commit future criminal acts by misusing the information”; and (3) were able to use that information to the detriment of the plaintiffs. Reilly v. Ceridian Corp., supra. The court thus found that this “string of hypothetical injuries” did not establish an “actual or imminent” injury necessary to confer standing. Reilly v. Ceridian Corp., supra.
Khan v. Children’s National Health System, supra.
The judge concluded
his analysis of this issue by explaining that
[a]lthough these courts reached
conflicting results, the difference appears to arise not from the application
of a different legal standard, but rather from crucial distinctions in the
underlying facts. In Krottner and Remijas, the
allegations included either actual examples of the use of the fruits of the
data breach for identity theft, even if involving victims other than the named
plaintiffs, or a clear indication that the data breach was for the purpose of
using the plaintiffs' personal data to engage in identity fraud. In Krottner,
one of the plaintiff's credit card numbers had been fraudulently used. . .
. In Remijas, the cyberattack involved malware that specifically
sought to collect customer credit card data, and 9,200 credit card numbers had
already been used fraudulently. . . . By contrast, in Reilly,
neither of these factors was present. “A firewall was penetrated,” and hackers had “potentially gained access to personal and financial information,” but it was not known if the hackers “read, copied, or understood the data.” Reilly v. Ceridian Corp., supra.
Khan v. Children’s National Health System, supra.
The District Court Judge therefore found that
in the data breach context, plaintiffs
have properly alleged an injury in fact arising from increased risk of identity
theft if they put forth facts that provide either (1) actual examples of the
use of the fruits of the data breach for identity theft, even if involving
other victims; or (2) a clear indication that the data breach was for the
purpose of using the plaintiffs' personal data to engage in identity fraud.
Under this framework, Khan's allegations fall short. Unlike in Krottner or Remijas,
Khan alleges no facts indicating that the hackers have attempted to engage in
any misuse of CNHS patients' personal information since the breach was
discovered. She alleges no suspicious activity: no unauthorized bank accounts
or credit cards, no medical fraud or identity theft, and no targeted
solicitations for health care products or services.
Nor do the circumstances of the data
breach clearly indicate that the hackers' purpose was to use patients' personal
data to engage in identity fraud. Unlike in Remijas, where malware
was deployed on Neiman Marcus's computer system in an attempt to collect credit
card data, . . . here the data breach consisted of the use of phishing
emails to gain access to the email accounts of certain CNHS employees, not its
electronic medical records system or some other centralized database of
personal data. Although these email accounts contained some patients' personal
information, there is no indication that the patients' personal data was
actually viewed, accessed, or copied, or was even the target of the phishing
scheme.
Tellingly, Khan, although at times referring to the data as “stolen,” alleges only that hackers had “unauthorized access” to the email accounts, that the accounts were “potentially exposed in a way that may have allowed hackers to access information contained in those email accounts,” and that the data was “readily able to be copied.” Complaint ¶¶ 13-22 (emphases added).
Thus, the allegations are more akin to those in Reilly, where the hackers “potentially gained access to personal and financial information,” but it was unclear “whether the hacker read, copied, or understood” the plaintiffs' personal data, and there was no indication of actual misuse. Reilly, supra. . . .
Khan's more general allegations—that data breach victims are 9.5 times more likely to suffer identity theft and that 19 percent of data breach victims become victims of identity theft—do not alter this conclusion. These specific statistics, which are cited in numerous other cases, do not by themselves establish that there is “certainly impending” harm under the specific facts of a given case. See, e.g., Strautins v. Trustwave Holdings, Inc., 27 F.Supp.3d 871, 877 (U.S. District Court for the Northern District of Illinois 2014). . . . Because the Complaint does not allege either actual misuse of the personal data or facts indicating a clear intent to engage in such misuse with plaintiffs' data, the Court finds that Khan has not alleged a “certainly impending” injury or “substantial risk” of imminent injury sufficient to establish Article III standing. See Clapper v. Amnesty International USA, 133 S.Ct. 1138 (2013). . . .
Khan v. Children’s National Health System, supra.
The District Court Judge therefore held that
CNHS's Motion to Dismiss is GRANTED IN PART and DENIED IN PART. The Court finds that Khan lacks standing, but it does not dismiss her claims. Instead, the case is REMANDED to state court.
Khan v. Children’s National Health System, supra.