In an important development in data breach law, on August 6, 2015, an Illinois appellate court dismissed a class action complaint, holding that plaintiffs lacked standing to sue where their data was stolen, but not yet used. In Maglio v. Advocate Health & Hospitals Corp., 2015 IL App (2d) 140782, current and former patients of the Advocate hospital group alleged that their personal data was compromised when a burglar stole four computers from an Advocate office. These computers contained data for four million patients, including their names, addresses, dates of birth, social security numbers, health insurance data, Medicare and Medicaid data, medical diagnoses, diagnosis codes, and medical record numbers. However, there was no indication that the stolen data was ever accessed or used.
The putative class brought claims for negligence, violation of the Personal Information Protection Act, violation of the Consumer Fraud and Deceptive Business Practices Act, and invasion of privacy, alleging that the breach was caused by Advocate’s negligence, and that Advocate failed to timely notify them of the breach. The trial court granted Advocate’s motion to dismiss, holding that the plaintiffs lacked standing because the breach caused no cognizable injury. On appeal, the plaintiffs argued that their injuries were cognizable because of their increased risk of identity theft, and because of their emotional stress related to the breach. The appellate court rejected this reasoning and upheld the trial court’s dismissal, holding that the plaintiffs’ allegations were entirely speculative.
The court’s holding in Maglio is in tension with the Seventh Circuit’s ruling in another recent data breach case, Remijas v. Neiman Marcus Group, LLC, 2015 U.S. App. LEXIS 12487. In Remijas, the district court’s dismissal was reversed on the basis that the plaintiffs had indeed suffered a cognizable injury due to a data breach of their financial information. The Seventh Circuit highlighted the fact that the plaintiffs spent time and money to ensure the monitoring of their credit, making their damages more than speculative. Given that Illinois and federal standing principals are similar, the daylight between Maglio and Remijas is likely to cause confusion in the courts, leaving open the question of whether data breach plaintiffs may sue before it is apparent that their data has been used against them.