Pension & Benefits News Injuries from phishing-related health plan breach not ‘certainly impending’; no standing
Thursday, October 24, 2019

By Pension and Benefits Editorial Staff

Husband and wife participants in his employer’s health benefits plan lacked standing to bring a putative class action following a security breach of the employer’s health plan because they had not alleged a concrete injury, or that one was certainly impending, a federal district court in North Carolina determined. The two individuals, out of approximately 18,000 whose personally identifiable information (PII) had been exposed, failed to allege a sufficient factual basis that their hacked PII had actually been used, or will be used, in identity theft or fraud.

Like other employer health plan participants, the husband and wife provided sensitive personal information to the plan when they joined, including name, address, birth date, and Social Security numbers, as well as the husband’s checking account information. When certain employees’ email accounts (through which the health plan’s database was accessible) were hacked through a phishing scheme, plan participants’ PII was potentially exposed. The employer notified employees, said it would pay for identity monitoring services, and urged employees to take additional steps to protect themselves. As a result, the husband stopped making 401(k) contributions, and 18 months later, his wife was notified of five unauthorized credit inquiries with banking institutions in four different states.

Fourth Circuit precedent. After the two brought a putative class action under North Carolina law, the court tossed their suit for lack of Article III standing, agreeing with the employer defendants that it lacked subject matter jurisdiction. Discussing applicable Fourth Circuit precedent, the court noted that asserted injuries like "increased risk of future identity theft" and "costs of protecting against" identity theft, standing alone, were not enough because they did not show individuals’ data were actually used nor allege enough plausible facts to show that threatened future harms were "certainly impending." The "mere compromise of personal information, without more, fails to satisfy the injury-in-fact element in the absence of an identity theft," concluded the court.

Credit inquiries plus phishing? Here, the only factual allegation suggesting that their stolen PII had actually been used, or was likely to be used, was based on the credit inquiries, yet the couple admitted that credit inquiries were not an independent injury-in-fact. Could the credit inquiries, together with the fact that the breach was a result of a targeted phishing scheme, be a sufficient factual basis to find a "certainly impending risk" of identity theft? Not here, where the complaint did not allege any facts connecting the credit inquiries to the hack of the employer, which occurred 18 months earlier. The connection between the two was too speculative, reasoned the court.

Injuries speculative or self-imposed. The court took the time to address all of the couple’s asserted injuries. The first three (loss of control, diminution in value, and compromise, publication and/or theft of PII) were not injury-in-fact. All victims of security breaches suffer loss of control of their PII, a diminution of its value—if and when the PII gets sold—and a compromise of their PII. But controlling Fourth Circuit precedent said the mere compromise of personal information, without more, fails to satisfy the injury-in-fact element. (The same was true about their general claim of anxiety and emotional distress as a basis for Article III standing.)

Nor were their out-of-pocket costs and efforts to remediate enough to satisfy the injury requirement because, "although they are concrete expenditures of time and resources, they are ‘self-imposed harms’ in response to a speculative threat," reasoned the court. That applied to the husband’s increased taxes from increased taxable income as a result of discontinuing his 401(k) deferrals, as well as their claimed future costs and effort to protect themselves from the breach.

Finally, the remaining injuries the couple alleged (delayed tax refunds, unauthorized use of stolen PII, and continued risk to their PII) were, again, purely speculative future injuries because they did not allege their tax refunds actually were delayed or that their stolen data actually had been used as a result of the hack. The court was not unsympathetic: It noted that their speculation about future harms resulting from the data breach was "understandable, even objectively reasonable"—yet they had not alleged facts to support concluding that the injuries were "certainly impending."

SOURCE: Kimbriel v. ABB, Inc., (E.D.N.C.) No. 5:19-CV-215-BO, October 1, 2019.