In a recent case, the U.S. Court of Appeals for the 11th Circuit weighed in on an issue that has continued to confound courts: Is there an injury caused by a data breach when victims don’t immediately suffer financial fraud? I wrote on this issue in an article with Professor Danielle Citron in 2018, Risk and Anxiety: A Theory of Data Breach Harms, 96 Texas Law Review 737 (2018). (Danielle and I have just completed a new piece on Privacy Harms.) In the article, Danielle and I examined the inconsistent and messy cases and attempted to set forth a coherent approach.
The most recent case to weigh in on the issue is Tan Tsao v. Captiva MVP Restaurant Partners, LLC, No. 18-14959 (11th Cir. Feb. 4, 2021). PDQ, a fast food chicken restaurant chain, had a data breach in which hackers accessed customer credit card data for a period of nearly a year. When the breach was announced, the plaintiff cancelled the credit cards he had used at PDQ. In doing so, the plaintiff lost access to his preferred accounts, lost points and rewards, and expended time and effort. The Tsao court concluded that because the plaintiff couldn’t demonstrate that he had suffered any credit card fraud, he lacked standing to sue.
In federal court, plaintiffs must demonstrate that they suffered a harm (an actual or imminent injury) in order to sue. The plaintiff argued that he lost out on benefits when he cancelled his cards, but the court held that this was “manufactured” harm. The Tsao court relied on Clapper v. Amnesty International, 568 U.S. 398 (2013), where the U.S. Supreme Court held that plaintiffs can’t “manufacture” harm by spending money, time, and effort to protect themselves against surveillance that they couldn’t prove was occurring. Clapper’s view on “manufactured” harm strikes me as manufactured itself — a rather poorly-reasoned, cooked-up excuse to deny standing. But the case is there, and it must be navigated around.
The case arises out of an HHS civil monetary penalty (CMP) of $4,348,000 against the University of Texas M.D. Anderson Cancer Center for a series of incidents in which unencrypted portable electronic devices were lost or stolen. In 2012, a faculty member had the ePHI of 29,021 people on an unencrypted laptop that was stolen. Subsequently, in 2013, a trainee and a visiting researcher lost unencrypted USB drives containing the ePHI of thousands of patients. HHS imposed a fine of $1.348 million for violating the HIPAA Encryption Rule in the 2012 incident and $1.5 million for each of the 2013 incidents, adding up to a total of $4.348 million.