3/26/20 - Insights
Whether Data Breach is Inherent Injury Could Affect Millions
This article originally appeared as an “Expert Analysis” in Law360 on March 11, 2020
By Varant Yegparian and Benjamin Cohen
In December 2019, Hackensack Meridian Health, one of New Jersey’s largest health systems, experienced an enormous data breach when it suffered a ransomware attack—a cyberattack that blocks access to a computer system until a sum of money is paid. On February 10, 2020, several individuals whose protected health information had been compromised by the attack filed a class action against Hackensack Meridian.
While the lawsuit outlines the ways in which class members have incurred out-of-pocket expenses, suffered disrupted access to medical services, and lost the value of time spent dealing with fallout from the attack, its main focus is not on actual harm. Instead, class members have centered their claims on “known risks” of personal harm due to the data breach. To that end, the lawsuit alleges that class members’ “sensitive personal information … was compromised and unlawfully accessed,” creating a “known risk” that they will face problems ranging from the filing of fraudulent tax documents to fraudulent loans taken out in class members’ names to patients’ personal information being purchased and falsely given to police during an arrest. Ostensibly, the class members make these allegations because the risks associated with the data breach have the potential to magnify the damages they seek. From a strategic standpoint, the lawsuit’s focus on potential harm makes good sense.
The Hackensack Meridian case is particularly relevant to businesses and individuals in Texas. While the ransomware attack is a useful case study for any of the more than 3,000 Texas hospitals, the distinction between actual vs. potential harm attendant to the data breach is even more significant. That is because Texas federal courts are split as to whether the risk of harm created by a data breach—the main injury alleged by the class members suing Hackensack Meridian—is, by itself, sufficient to support a lawsuit.
Federal courts in Houston and Dallas have held that the risk alone is not enough to create standing to sue. In Peters v. St. Joseph Services Corporation, a Houston federal court analyzed a claim by a hospital patient whose personal information was stolen during a data breach.
Although there were unsuccessful attempts to make fraudulent purchases with her information, the breach ultimately caused the plaintiff patient no direct financial loss. Instead, she claimed that her injury lay in the imminent threat of identity theft and fraud caused by the breach. However, the court remained unconvinced, holding that the mere possibility that one’s personal information could be used for fraudulent purposes, by itself, was not a sufficiently concrete harm to recognize and redress. Likewise, a Dallas federal judge held in Dyson v. Sky Chefs, Inc. that mere disclosure of protected information, without some additional showing of deprivation or harm, did not give rise to a claim that could be recognized by the court.
By contrast, a federal court in Austin held that, under certain circumstances, the mere disclosure of protected information could create a claim for legal relief. In Perrill v. Equifax Information Services, LLC, the court held that certain federal laws relating to privacy could support a lawsuit even where a plaintiff had suffered no tangible damages. In other words, and in contrast to the Dyson and Peters decisions, Perrill viewed the disclosure of personal information to be, in itself, a tangible harm. The plaintiff was therefore not required to show any additional harm.
While Peters, Dyson, and Perrill were brought under the Federal Credit Reporting Act and analyzed the allegations of harm under that statute’s provisions, they have a broader relevance, particularly regarding the issue of damages. As these cases show, there is a fundamental split among Texas federal courts on the question of whether a data breach is an inherent injury—or whether it must be accompanied by some tangible damage as well. On the one hand, courts in Houston and Dallas hold that a mere unauthorized disclosure of information through a data breach is not a sufficiently concrete injury for the legal system to redress. On the other hand, the court in Austin holds that individuals have a privacy interest in protecting their personal information and that any unauthorized disclosure, whether or not it results in additional harm, creates an injury that may justify legal redress.
The split amongst the federal district courts of Texas mimics a wider split amongst the federal courts of appeal. The Peters decision recognized this split, noting that the Third Circuit requires some showing of actual harm resulting from a data breach to support standing while the Seventh and Ninth Circuits do not. Peters also referenced a US Supreme Court decision—Clapper v. Amnesty International—as authority that ostensibly resolved this split through its articulation of an “impending injury” standard for evaluating standing. However, Clapper did not involve a data breach. Moreover, the Fifth Circuit has not applied Clapper in a data breach case to date.
From a pragmatic standpoint, lawyers may avoid standing issues with respect to their claims by crafting their suits to allege some form of tangible or actual harm. The allegations of disrupted healthcare, out-of-pocket costs, and loss of time in the Hackensack Meridian data breach provide an example. However, plaintiffs may not always be able to make and/or support such allegations. As a result, the potentially fluid nature of harm emanating from a data breach provides defendants with an opportunity to seek dismissal. Indeed, it is not difficult to imagine a defendant quickly moving to dismiss such claims under a Federal Rule of Civil Procedure 12(b) motion for lack of standing. How such motions play out will depend on the facts and circumstances of each breach.
Despite the early indications from Peters, Dyson, and Perrill, how Texas courts will address these issues in the future remains unclear. Plaintiffs’ creative use of statutes, such as HIPAA or the Texas Identity Theft Enforcement and Protection Act, may only further complicate this analysis. The split amongst federal courts of appeal, along with the lack of guidance from the Fifth Circuit, only adds to this uncertainty.
For plaintiffs, given the prominence of the healthcare, financial, and information technology sectors in Texas, as well as the increasing frequency and severity of cyberattacks, the consequences of how courts choose to treat disclosure of personal information will affect the viability of legal claims seeking redress for such breaches. This, in turn, has the potential to affect millions of individuals whose information has become compromised in a data breach. Indeed, the split amongst Texas federal courts shows that, at least in some circumstances, victims of cyberattacks may be left without remedy. Where individuals have their personal information compromised in such an attack—but have not yet suffered a “tangible” harm, such as identity theft—they may be precluded from obtaining legal relief.
Individuals affected by a data breach may not always have the resources or wherewithal to ascertain the extent to which they have been harmed. The manipulation of personal data—particularly financial information—does not always immediately follow a breach. If victims of a data breach are forced to essentially wait for some tangible harm to develop, they may be entirely denied a legal remedy. It goes without saying that such a result would be inequitable and unjust. Such an outcome should encourage practitioners and courts to update jurisdictional concepts like standing to fit the demands of the 21st century.
1 Peters v. St. Joseph Services Corp., 74 F. Supp. 3d 847 (S.D. Tex. 2015).
2 Dyson v. Sky Chefs, Inc., No. 3:16-CV-3155-B, 2017 WL 2618946, at *8 (N.D. Tex. June 16, 2017).
3 Perrill v. Equifax Information Services, LLC, 205 F. Supp. 3d 869, 874 (W.D. Tex. 2016).