DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

The plaintiffs have standing to sue — court. No, they don’t — appeals court.

Posted on August 1, 2023 by Dissent

Here’s yet one more case to note about standing and how cases may get dismissed before they even really get started. This case involved Syracuse ASC, LLC. In 2021, they experienced a cyberattack and notified 24,891 patients. A copy of their notification was posted to the Vermont Attorney General’s website at the time.

In due course, a patient sued, seeking potential class-action status (Greco v. Syracuse ASC LLC).

As Jeffrey Haber of Freiberger Haber LLP reminds us, in order to have Article III standing to sue, a plaintiff must allege the existence of an injury-in-fact that ensures that s/he has some concrete interest prosecuting the action.  That

necessitates a showing that the party has “an actual legal stake in the matter being adjudicated”[3] and that the party has suffered a cognizable harm that is not “‘tenuous,’ ‘ephemeral,’ or ‘conjectural,’” but is, instead, “sufficiently concrete and particularized to warrant judicial intervention.”[4] Notably, an alleged injury will not confer standing if it is based on speculation about what might occur in the future or what future harm might be incurred.[5]

Somewhat surprisingly, the motion court denied the defendant’s motion to dismiss for lack of standing, finding that the plaintiff had established a risk of imminent future harm.

The defendant appealed and the Fourth Department “unanimously reversed.”

The Court held, after considering “all relevant circumstances,” that plaintiff failed to allege “an injury-in-fact and thus lack[ed] standing.” [9] “[I]mportantly,” explained the Court, “plaintiff ha[d] not alleged that any of the information purportedly accessed by the unknown third party ha[d] actually been misused.”[10] Similarly, the Court noted that “Plaintiff ha[d] not alleged that her own information ha[d] been misused or that the data of any similarly situated person ha[d] been misused in the over one-year period between the alleged data breach and the issuance of the trial court’s decision.”[11] The absence of such allegations, held the Court, was fatal to the survival of the pleading.

Further, the Court noted that, according to the complaint, only health information was accessed by a third-party.[12] The complaint did not, said the Court, “allege that a third party accessed data more readily used for financial crimes such as dates of birth, credit card numbers, or social security numbers.”[13]

Read more at JDSupra.

Here’s a Thought

So a data breach by itself, without any evidence of misuse of data, does not demonstrate “injury-in-fact”  or imminent risk of harm, and so does not confer standing?

Would a court agree that criminals leaking the data on the dark web changes the risk of imminent harm or injury?

If so, then, the failure of entities to notify those affected that their data is on the dark web or any leak site or forum is essentially withholding information that would likely give people standing to sue.

DataBreaches has been a vocal proponent for transparency in disclosing leaks or listing breached data on the dark web or clear net. And maybe it’s time all law firms that are in the business of suing over data breaches should make a point of checking this site and other sites that expose these leaks before filing any complaint so that an argument can be made that the leak of the data makes the risk of harm imminent or more imminent, and the entity’s failure to disclose that to victims is an attempt to cover up the risk of harm the incident has caused.

Just a thought…

Related posts:

  • Fla. Courts Require Actual Injury to Demonstrate Standing in Data Breach Cases
  • Kept in the Dark — Meet the Hired Guns Who Make Sure School Cyberattacks Stay Hidden
  • OH: Potential class action against Health Recovery Services survives motion to dismiss
  • Plaintiffs Use Privacy Pledge Against Insurer in Data Breach Claim
Category: Breach IncidentsCommentaries and AnalysesU.S.

Post navigation

← Cyber attack on Montclair Township led to $450K ransom payment
B.C. health-care workers’ private information subject to data breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members
  • Patients Allege Home Delivery Pharmacy Failed to Timely Notify Them of Data Breach
  • Hackers breach Norwegian dam, open valve at full capacity

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions
  • NY Attorney General James Affirms Hospitals Must Provide Access to Emergency Abortion Care
  • How Internet of Things devices affect your privacy – even when they’re not yours
  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.