Christina Lamoureux of Squire Patton Boggs writes:
While many federal courts have weighed in on the issue of what suffices for Article III standing in the context of a data breach litigation, not all state courts have. Last week, the Superior Court of Delaware found that a group of plaintiffs who received a notice that their personal information had been potentially compromised in a data breach had not alleged an injury in fact, and did not have standing to bring suit.
In Abernathy v. Brandywine Urology Consultants, P.A., No. N20C-05-057 MMJ CCLD, 2021 Del. Super. LEXIS 46 (Del. Super. Ct. Jan. 21, 2021), defendant Brandywine Urology Consultants (“Brandywine”) experienced a ransomware attack in January 2020 that blocked access to its computer system and data, including patient records.
Read more on The National Law Review.
So there’s nothing unusual about this outcome, but it makes me wonder:
- What would the court hold if attackers dumped some of the patient information? Would that be enough to confer standing? If so, what does that say about all the breach notification letters that tell people their data “may have been compromised,” but do not tell them that data has already been dumped?
- And what would the court hold if attackers dumped just some of the patient information and announced that they had sold some of the patient data already and would be selling more? Would their claim of sale be enough to confer standing?