Unintended releases of personal information stored on company servers are among the most talked-about and litigated issues in technology law over the past few years. Because privacy is primarily a matter of state, rather than federal, law, however, the standards for evaluating these claims vary widely.
Now my home state of Michigan has entered the debate by articulating an "actual injury" standard in such cases. As a result, data breach cases will be that much harder to win against Michigan businesses going forward.
The December 18, 2014 opinion came out of a class action lawsuit brought by patients of a local health system. As happens in many of these cases, the error that led to the data breach was not committed by the health system itself, but rather by one of its contractors. Here, a contractor provided transcription services for the system's patient records, and that service provider's subcontractor inadvertently placed the records in an unsecured server. As a result, Google's automated web crawler indexed the information, thereby making it possible to find patient information through Google's search engine. This information included the patient's name, medical record number, the date of the patient's visit, the location of the visit, the physician's name and a summary of the visit. In the lead plaintiff's particular case, this information included diagnoses of "cervical dysplasia secondary to HPV (Human Papillomavirus)"—a sexually transmitted disease—and alopecia, i.e., baldness.
Once the health system discovered the error, it took a variety of remedial steps, including removing the data, alerting the patients, and setting up a hotline for reports of identity theft. No one called the hotline, and there was no other evidence that any third party ever saw--much less misused--any of the data. Instead, the plaintiff advanced a theory of "presumed damages," and the only actual losses she identified were the $275 she paid to the "LifeLock" monitoring service for identity theft protection. Nevertheless, the trial court certified a class of 159 plaintiffs.
A three-judge panel of the Court of Appeals unanimously reversed this decision. The first issue it addressed was the plaintiff's cause of action. Because the plaintiff did not assert any specific statutory privacy rights, she relied on the common law tort of "invasion of privacy through the disclosure of private facts." Over the many decades that this tort has been available, Michigan courts have treated it as an intentional tort, i.e., one that requires proof of the defendant's intent, rather than mere negligence. Without such evidence, the claim failed.
The plaintiff also asserted claims for negligence and breach of contract. Both causes of action, however, require the plaintiff to demonstrate actual injury. Her proactive decision to purchase LifeLock monitoring services did not count, in the court's view, and there was no other evidence to suggest any other injury for which the court could compensate. Therefore, the court dismissed these claims as well, and de-certified the class action.
This is a published decision, which means that, absent intervention from the Michigan Supreme Court, it is now binding law on all other courts in the state. That, in turn, will help establish clearer guidelines on data privacy law in Michigan.
Nevertheless, companies that maintain sensitive information should not take too much comfort from this decision. The defendants (and plaintiffs, really) in this case were lucky that no harm came of this relatively minor data breach. The parties in the next case may not be so fortunate. With hacking and identity theft such growth industries across the world, the odds of sensitive data being misused for real mischief get higher every day.