Opinion
Case No: 8:17-cv-1540-T-30AEP
08-30-2017
JANIE STAPLETON, on her own behalf and on behalf of her minor child, C.P., DAVID PACKEN, on his own behalf and on behalf of his minor child, D.J., and CARMELO ALVAREZ, JR. on his own behalf and on behalf of his minor child, K.R.A., Plaintiffs, v. TAMPA BAY SURGERY CENTER, INC., Defendant.
ORDER
Plaintiffs C.P., D.J., and K.R.A. are patients of Tampa Bay Surgery Center, Inc. ("TBSCI"), whose parents provided sensitive information about them to TBSCI. TBSCI's patient database was hacked, and C.P., D.J., and K.R.A.'s information was briefly posted online, along with the information of more than 142,000 other patients. Although no patient has had their information misused as a result of the data breach, Plaintiffs are suing TBSCI. The Court concludes the action should be dismissed because Plaintiffs have not suffered an injury in fact and, thus, lack standing to sue.
FACTUAL BACKGROUND
C.P., D.J., and K.R.A. are minor children who were patients at TBSCI. (Doc. 4, ¶ 4). As patients, the children's parents were required to provide information to TBSCI, including the children's names, dates of birth, home addresses, and social security numbers (the "Sensitive Information"). (Doc. 4, ¶ 5). TBSCI stored this Sensitive Information electronically in a patient database. (See Doc. 4, ¶ 36).
In May 2017, a hacker breached TBSCI's database and published C.P., D.J., and K.R.A.'s Sensitive Information on a public file-sharing website, along with the Sensitive Information of more than 142,000 other TBSCI patients. (Doc. 4, ¶ 4). Plaintiffs do not allege that any of the Sensitive Information has been used. Instead, Plaintiffs allege they are at an increased risk of having their identity stolen and are compelled to incur the costs of credit monitoring/identity theft protection. (Doc. 4, ¶ 10). At least one Plaintiff, C.P.'s mother Janice Stapleton, purchased identity theft protection. (Doc. 4, ¶ 8).
TBSCI admits that the data breach occurred and that the Sensitive Information was briefly posted online before being removed. (Doc. 12). After the data breach, TBSCI provided free identity protection services to Plaintiffs and other potentially affected patients. (Doc. 12, p. 3-4). The identity theft protection services TBSCI provided locks the affected patient's credit file to prevent access and sends an alert if someone attempts to use the patient's information to open a new line of credit. (Doc. 12, p. 3 n.3).
The Court construes TBSCI's motion as a factual challenge to subject-matter jurisdiction and considers the exhibits provided in its response. See Houston v. Marod Supermarkets, Inc., 733 F.3d 1323, 1336 (11th Cir. 2013) (explaining, "[I]n a factual challenge to subject matter jurisdiction, a district court can 'consider extrinsic evidence such as deposition testimony and affidavits.'").
In June 2017, Plaintiffs sued TBSCI in a putative class action suit for negligence, breach of fiduciary duty, and invasion of privacy, all under Florida law. TBSCI now moves to dismiss arguing the Court has no jurisdiction because Plaintiffs lack standing.
While not raised by TBSCI, the Court is also concerned about whether Plaintiffs sufficiently alleged subject-matter jurisdiction under 28 U.S.C. § 1332(d)(2). Under this subsection, Plaintiffs bear the burden of demonstrating minimal diversity—that at least one proposed class member is diverse from TBSCI, a citizen of Florida. Handforth v. Stenotype Inst. of Jacksonville, Inc., No. 309-CV-361-J-32MCR, 2010 WL 55578, at *2 (M.D. Fla. Jan. 4, 2010) (quoting Lowery v. Ala. Power Co., 483 F.3d 1184, 1194 n. 24 (11th Cir.2007)). All Plaintiffs allege is that "at least one member of the putative class is a citizen of a state different from Defendant." (Doc. 4, ¶ 14). This conclusion is not supported by any factual allegation. If Plaintiffs choose to file an amended complaint, the Court cautions them to consider whether their jurisdictional allegations are sufficient.
LEGAL STANDARD
Federal Rule of Civil Procedure 12(b)(1) allows a complaint to be dismissed for lack of subject-matter jurisdiction. A district court has subject-matter jurisdiction if the claims present a case or controversy under the Constitution and there is standing. Resnick v. AvMed, Inc., 693 F.3d 1317, 1323 (11th Cir. 2012). A plaintiff bears the burden of proving standing, which requires a showing that "(1) it has suffered an 'injury in fact' that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision." Id. (quoting Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 180-81, 120 S.Ct. 693, 704, 145 L.Ed.2d 610 (2000)).
At the pleading stage, the injury element can be satisfied by "general factual allegations of injury resulting from the defendant's conduct." Lujan v. Defs. of Wildlife, 504 U.S. 555, 561, 112 S. Ct. 2130, 2137, 119 L. Ed. 2d 351 (1992). An allegation of imminent injury may suffice if the threatened injury is "certainly impending," or there is a "'substantial risk' that the harm will occur." Clapper v. Amnesty Int'l USA, 568 U.S. 398, 414 n. 5, 133 S. Ct. 1138, 1150 n. 5, 185 L. Ed. 2d 264 (2013). But "'[a]llegations of possible future injury' are not sufficient." Id. at 409 (quoting Whitmore v. Arkansas, 495 U.S. 149, 158, 110 S. Ct. 1717, 1724, 109 L. Ed. 2d 135 (1990)). So a future injury will not confer standing if it relies on an "attenuated chain of inferences necessary to find harm." Id. at 414 n. 5; see also Lujan, 504 U.S. at 564, ("Although imminence is concededly a somewhat elastic concept, it cannot be stretched beyond its purpose, which is to ensure that the alleged injury is not too speculative for Article III purposes—that the injury is certainly impending.").
DISCUSSION
The issue of whether a data breach on its own is an "injury in fact" is novel for this Court and has not been addressed by the Eleventh Circuit. Other circuit courts have reached conflicting conclusions, with the Sixth, Seventh, Ninth, and D.C. Circuits holding data breach victims have standing because they are at a substantial risk of injury, and the First, Second, Third, and Fourth Circuits holding data breach victims lacked standing. So there is no clear consensus as to how the issue should be resolved. Considering the arguments on both sides, the Court agrees with TBSCI that Plaintiffs did not alleged an injury in fact.
Compare Attias v. Carefirst, Inc., No. 16-7108, 2017 WL 3254941, at *6 (D.C. Cir. Aug. 1, 2017) (holding, "No long sequence of uncertain contingencies involving multiple independent actors has to occur before the plaintiffs in this case will suffer any harm; a substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken.); Galaria v. Nationwide Mut. Ins. Co., No. 15-3386, 663 Fed. Appx. 384, 387-89, 2016 WL 4728027, at *3 (6th Cir. Sept. 12, 2016) (plaintiff-customers' increased risk of future identity theft theory established injury-in-fact after hackers breached Nationwide Mutual Insurance Company's computer network and stole their sensitive personal information, because "[t]here is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals"); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692, 694-95 (7th Cir. 2015) (plaintiff-customers' increased risk of future fraudulent charges and identity theft theory established "certainly impending" injury-in-fact and "substantial risk of harm" after hackers attacked Neiman Marcus with malware to steal credit card numbers, because "[p]resumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers' identities"); Krottner v. Starbucks Corp., 628 F.3d 1139, 1142-43 (9th Cir. 2010) (plaintiff-employees' increased risk of future identity theft theory a "credible threat of harm" for Article III purposes after theft of a laptop containing the unencrypted names, addresses, and social security numbers of 97,000 Starbucks employees); Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629, 632-34 (7th Cir. 2007) (banking services applicants' increased risk of harm theory satisfied Article III injury-in-fact requirement after "sophisticated, intentional and malicious" security breach of bank website compromised their information); with Katz v. Pershing, LLC, 672 F.3d 64, 80 (1st Cir. 2012) (brokerage account-holder's increased risk of unauthorized access and identity theft theory insufficient to constitute "actual or impending injury" after defendant failed to properly maintain an electronic platform containing her account information, because plaintiff failed to "identify any incident in which her data has ever been accessed by an unauthorized person"); Reilly v. Ceridian Corp., 664 F.3d 38, 40, 44 (3d Cir. 2011) (plaintiff-employees' increased risk of identity theft theory too hypothetical and speculative to establish "certainly impending" injury-in-fact after unknown hacker penetrated payroll system firewall, because it was "not known whether the hacker read, copied, or understood" the system's information and no evidence suggested past or future misuse of employee data or that the "intrusion was intentional or malicious"); Beck v. McDonald, 848 F.3d 262, 275 (4th Cir.), cert. denied sub nom. Beck v. Shulkin, 137 S. Ct. 2307 (2017) ("Indeed, for the Plaintiffs to suffer the harm of identity theft that they fear, we must engage with the same "attenuated chain of possibilities" rejected by the Court in Clapper. 133 S.Ct. at 1147-48. In both cases, we must assume that the thief targeted the stolen items for the personal information they contained. And in both cases, the thieves must then select, from thousands of others, the personal information of the named plaintiffs and attempt successfully to use that information to steal their identities. This "attenuated chain" cannot confer standing.); Whalen v. Michaels Stores, Inc., No. 16-260 (L), 2017 WL 1556116, at *1 (2d Cir. May 2, 2017) (concluding a customer who had her card information stolen had not suffered an injury in fact because she changed her card information so there was no threat of future harm).
To satisfy standing, Plaintiffs must prove an imminent injury. While Plaintiffs allege two categories of harm—(1) their risk of being victims of identity theft as a result of the data breach and (2) the costs Plaintiff Stapleton has incurred and others may incur for credit monitoring/identity theft protection—both categories require Plaintiffs to show there is at least a substantial risk their Sensitive Information will be used in a harmful manner. That is because the second category—Plaintiff Stapleton's payment for credit monitoring and identity theft protection—would not be an actual injury unless there was already a substantial risk of identity theft. Clapper, 568 U.S. at 416 (holding, "respondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending."). So Plaintiffs only have standing if their alleged injury is certainly impending or if there is a substantial risk of injury.
The Court concludes Plaintiffs' allegations are insufficient to show that an injury is certainly impending or that they have a substantial risk of imminent injury. First, Plaintiffs are unable to identify a single proposed class member who has had their Sensitive Information misused as a result of the data breach. See Torres v. Wendy's Co., 195 F. Supp. 3d 1278, 1283 (M.D. Fla. 2016) (discussing the number of plaintiffs who have experienced fraudulent charges as an "influential factor" in determining whether future harm is "certainly impending"). The lack of a single, identifiable instance of identity theft out of the more than 142,000 patients indicates that there is no substantial risk of imminent injury.
Second, TBSCI has also lessened Plaintiffs' risks of imminent injury by providing free credit monitoring to all of those potentially affected by the data breach. Because the protection locks the credit reports of the affected patients, TBSCI mitigated the risk of Plaintiffs having their Sensitive Information misused in a way that causes them harm.
Finally, Plaintiffs allegations rely on a chain of inferences that is too attenuated to constitute imminent harm. Plaintiffs' argument requires the following chain of events before they would suffer harm: (1) that their Sensitive Information was viewed when made available online for a short period of time, (2) that someone downloaded that Sensitive Information while it was available online, (3) that someone will use the Sensitive Information, and (4) that the protection provided by TBSCI would be inadequate to prevent the misuse of the Sensitive Information. Absent additional allegations indicating the events in the chain are likely to occur, the Court cannot conclude an injury is certainly impending.
CONCLUSION
For these reasons, the Court concludes Plaintiffs' allegations of harm are too speculative to constitute an imminent injury. While Plaintiffs argue that the mere fact that there was data breach is sufficient to constitute an imminent injury, the Court cannot agree with that sort of ipse dixit reasoning. Something more than the mere data breach must be alleged before Plaintiffs can show they have a substantial risk of injury. Lacking any allegations that would show any harm is certainly impending, Plaintiffs failed to demonstrate standing, and this Court lacks jurisdiction over their claims.
TBSCI raises several other arguments in its Motion that the Court declines to address given the conclusion that Plaintiffs did not allege an injury in fact. --------
Accordingly, it is ORDERED AND ADJUDGED that:
1. Defendant's Motion to Dismiss Plaintiffs' First Amended Class Action Complaint (Doc. 12) is GRANTED.
2. The Amended Complaint (Doc. 4) is DISMISSED WITHOUT PREJUDICE. Plaintiffs have thirty (30) days to file an amended complaint that alleges an injury in fact if Plaintiffs are able to do so. Failure to file an amended complaint within thirty (30) days will result in this case being closed without further notice.
3. Plaintiffs' Motion for Class Certification (Doc. 11) is DENIED WITHOUT PREJUDICE as moot.
DONE and ORDERED in Tampa, Florida, this 30th day of August, 2017.
/s/ _________
JAMES S. MOODY, JR.
UNITED STATES DISTRICT JUDGE Copies furnished to:
Counsel/Parties of Record