In the Supreme Court of the United States - law.siu.edu 2018/Team...
No. 18-251
IN THE
Supreme Court of the United States
_________
BARKER & TODD, INC.,
Petitioner, v.
ANTHONY HOPE
Respondent. _________
On Writ of Certiorari to the United States Court of Appeals
for the Thirteenth Circuit
_________
BRIEF FOR PETITIONER _________
Team 2725
ATTORNEYS FOR
PETITIONER
QUESTIONS PRESENTED
I. Does the mere fact of a data breach, without evidence supporting an
intangible injury, evidence supporting a substantial risk of future injury,
or evidence of actual data misuse, support a concrete injury in fact under
Article III to confer standing?
II. May Respondent create a private right of action under the Health
Insurance Portability and Accountability Act where none exists through
bringing state law negligence claims and circumventing Congress’ intent
and preferred enforcement mechanism for the Act?
TABLE OF CONTENTS
QUESTIONS PRESENTED ...................................................................................... i
TABLE OF AUTHORITIES ..................................................................................... v
OPINIONS BELOW ................................................................................................. 1
STATEMENT OF JURISDICTION ......................................................................... 1
CONSTITUTIONAL PROVISIONS INVOLVED ................................................. 3
STATEMENT OF THE CASE .................................................................................. 4
SUMMARY OF THE ARGUMENT ......................................................................... 7
ARGUMENT AND AUTHORITIES ........................................................................ 9
I. RESPONDENT FAILED TO ESTABLISH AN INJURY IN FACT TO CONFER STANDING
UNDER ARTICLE III WHERE THE SINGLE DATA BREACH DID NOT RESULT IN A
CONCRETE INJURY AND THE HEIGHTENED RISK OF FUTURE INJURY AND
ATTENDANT FEAR IS TOO SPECULATIVE TO SUPPORT STANDING ............................... 9
A. Respondent Has Failed to Meet His Burden to Establish A
Concrete, Actual Harm Because The Mere Fact of A Single Data
Breach Amounts to A Negligible Injury ..................................................... 11
1. Circuits that confer standing based on the mere fact of a data
breach cannot be reconciled with this Court’s precedent, which
requires that a future injury be certainly impending, and that
substantial risk of future injury exists ................................................... 11
2. Federal regulatory guidance affirms that an injury in fact
requires actual data misuse .................................................................... 16
B. Heightened Risk of Future Injury Resulting from An Isolated Data
Breach Is Insufficient to Confer Standing Where Future Data Misuse
Is Not Certainly Impending, Respondent Cannot Manufacture
Standing Through B&T’s Provision of A Free Credit Monitoring
Service, and Intangible Fear of Future Injury Is Too Speculative ........... 19
1. Respondent’s alleged injury in fact is not certainly impending and
does not create a substantial risk that the harm will occur because it
lacks concreteness in both a qualitative and temporal sense and is
dependent on an attenuated chain of possibilities ................................. 20
a. Respondent’s alleged injury in fact relies on a highly
attenuated chain of possibilities ..................................................... 20
b. Respondent’s injury lacks concreteness in either a
qualitative or a temporal sense ..................................................... 22
2. B&T’s provision of a free credit monitoring service to Respondent
does not amount to an admission of fault and Respondent cannot
manufacture standing by incurring costs regarding a speculative
future injury ............................................................................................. 24
a. B&T’s provision of a free credit monitoring service does not
imply fault ....................................................................................... 25
b. Respondent cannot manufacture standing by incurring costs
regarding a speculative future injury ............................................ 26
3. Spokeo’s “intangible injury” standing framework is narrowly
tailored to statutory violations, not to Respondent’s negligence
claims and, regardless, Respondent’s alleged intangible injury is not
a harm courts have traditionally recognized .......................................... 26
a. Respondent does not proceed under a right of action
established by Congress.................................................................. 27
b. Respondent’s alleged injury in fact fails under Spokeo’s
common law harm analysis ............................................................ 29
c. Intangible fear of a speculative future injury does not
support standing ............................................................................. 31
II. RESPONDENT FAILED TO STATE A PLAUSIBLE CLAIM FOR RELIEF BECAUSE
HIPAA DOES NOT PROVIDE FOR A PRIVATE RIGHT OF ACTION AND RESPONDENT
CANNOT CIRCUMVENT THIS CLEAR CONGRESSIONAL INTENT THROUGH ALLEGING
STATE LAW NEGLIGENCE ........................................................................................ 34
A. Respondent’s Negligence Per Se And Ordinary Negligence Claims
Fail Because HIPAA Does Not Provide for A Private Right of Action
And Its Preferred Enforcement Mechanism Precludes State Law
Negligence Claims ...................................................................................... 37
1. Respondent’s negligence per se and ordinary negligence claims
fail because they impermissibly attempt to create a private right of
action where none exists ......................................................................... 37
a. Negligence per se under HIPAA fails absent a private right
of action ........................................................................................... 38
b. Ordinary negligence claims using HIPAA to establish the
standard of care fail absent a private right of action .................... 40
2. HIPAA’s preferred enforcement mechanism precludes ad hoc
negligence actions brought by private litigants seeking wide-ranging
relief. ........................................................................................................ 41
3. Expanding the reach of HIPAA to state claims violates principles
of federalism ............................................................................................ 44
B. Respondent’s Negligence Per Se Claim Fails Because Negligence
Per Se Only Applies to State Statutes at Common Law, HIPAA
Protects The General Public, And HIPAA Regulations Are Too
Flexible To Impose Strict Liability. ........................................................... 46
1. Missouriana should not recognize a violation of a federal statute
or regulation as the basis for a negligence per se claim because
negligence per se only applies to state statutes at common law ........... 46
2. HIPAA is not intended to protect a particular class of individuals ... 47
3. HIPAA is too flexible to provide the basis for a negligence per se
claim because it focuses on reasonable and appropriate measures
and includes “addressable” standards, which are not required. ........... 49
C. Respondent Cannot Use HIPAA To Establish The Standard Of
Care In Respondent’s Ordinary Negligence Claim Because B&T Does
Not Owe Respondent A Duty To Protect PHI And, Regardless, B&T
Complied With All State And Federal Regulations................................... 51
1. Respondent’s negligence claim fails because Missouriana does not
impose a duty on pharmaceutical companies to protect PHI from
unauthorized disclosure. ......................................................................... 51
2. B&T complied with all applicable state and federal regulations ...... 53
a. B&T complied with Missouriana’s data breach law, which
only requires notification. ............................................................... 53
b. B&T complied with HIPAA’s privacy rule by adopting
“reasonable and appropriate” standards to safeguard the PHI .... 53
TABLE OF AUTHORITIES
Federal Cases
Acara v. Banks, 470 F.3d 569 (5th Cir. 2006)............................................. 6, 29, 33, 38
Alexander v. Sandoval, 532 U.S. 275 (2001) ......................................................... 29, 33
Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046 (E.D. Mo. 2009) ................ 15
Ashcroft v. Iqbal, 556 U.S. 662 (2009) ........................................................................ 28
Attias v. Carefirst, Inc., 865 F.3d 620 (D.C. Cir. 2017), cert. denied, 138 S. Ct.
981 (2018).................................................................................................................... 9
Beck v. McDonald, 848 F.3d 262 (4th Cir.) ......................................................... passim
Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007) ................................................. 28
Carpenter v. Phillips, 419 Fed. Appx. 658 (7th Cir. 2011) ......................................... 29
Carpenter v. U.S., 138 S. Ct. 2206 (2018) ................................................................... 26
Chambliss v. Carefirst, Inc., 189 F.Supp.3d 564 (D. Md. 2016) ............................ 9, 17
Citizens Bank of Pennsylvania v. Reimbursement Technologies, 609 Fed.
Appx. 88 (2015) ......................................................................................................... 37
City of Los Angeles v. Lyons, 461 U.S. 95 (1983) ....................................................... 16
Clapper v. Amnesty Intern. USA, 568 U.S. 398 (2013) .............................. 8, 14, 18, 20
Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826 (7th Cir. 2018)............................. 9
Dodd v. Jones, 623 F.3d 563 (8th Cir. 2010) ............................................................... 29
Doe v. Board of Tr. of the Univ. of Ill., 429 F.Supp.2d 930 (N.D. Ill. 2006) ........ 29, 33
Doe v. Chao, 540 U.S. 614 (2004) ................................................................................ 24
E.E.O.C. v. C.R. England, Inc., 644 F.3d 1028 (10th Cir. 2011) ................................ 22
Galaria v. Nationwide Mut. Ins. Co., 663 Fed.Appx. 384 (6th Cir. 2016) ................... 9
Grable & Sons Metal Products, Inc. v. Darue Engr. & Mfg., 545 U.S. 308
(2005) ........................................................................................................................ 34
Groshek v. Time Warner Cable, Inc., 865 F.3d 884 (7th Cir. 2017), cert.
denied, 138 S. Ct. 740 (2018) ................................................................................... 21
Haywood v. Novartis Pharm. Corp., 298 F. Supp. 3d 1180 (N.D. Ind. 2018),
appeal dismissed, No. 18-1328, 2018 WL 3868755 (7th Cir. May 14, 2018) ...... 31, 39, 40, 41
I.S. v. Washington Univ., No. 4:11CV235SNLJ, 2011 WL 2433585 (E.D. Mo.
June 14, 2011) ..................................................................................................... 30, 36
In re Horizon Healthcare Services Inc. Data Breach Litig., 846 F.3d 625 (3d
Cir. 2017) ........................................................................................................ 7, 10, 19
In re Sci. Applications Int'l Corp. (SAIC) Backup Tape Data Theft Litig., 45
F. Supp. 3d 14 (D.D.C. 2014).................................................................................... 24
In re SuperValu, Inc., 870 F.3d 763 (8th Cir. 2017) ............................................... 8, 17
In re Target Corp. Data Sec. Breach Litig., 66 F.Supp.3d 1154 (D. Minn.
2014) .......................................................................................................................... 10
Katz v. Pershing, LLC, 672 F.3d 64 (1st Cir. 2012) ............................................... 9, 16
Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) ...................................... 10
LabMD, Inc. v. Fed. Trade Commn., 894 F.3d 1221 (11th Cir. 2018) ................. 11, 13
Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) .................................. 7, 11, 14, 15
Marbury v. Madison, 5 U.S. 137 (1803) ...................................................................... 26
Merrell Dow Pharmaceuticals Inc. v. Thompson, 478 U.S. 804 (1986) ..................... 34
Monarch Fire Protec. Dist. Of St. Louis County, Missouri v. Freedom
Consulting & Auditing Services, Inc., 678 F.Supp.2d 927 (E.D. Mo. 2009),
aff'd, 644 F.3d 633 (8th Cir. 2011) ........................................................................... 27
Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139 (2010) ................................. 7, 14
O'Donnell v. Blue Cross Blue Shield of Wy., 173 F.Supp.2d 1176 (D. Wyo.
2001) .................................................................................................................... 20, 33
Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 2007) .............................. 15
Polanco v. Omnicell, Inc., 988 F.Supp. 2d 451 (D. N.J. 2013).................................... 38
Randolph v. ING Life Ins. & Annuity Co., 486 F.Supp.2d 1 (D.D.C. 2007) .............. 19
Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), cert. denied, 132 S. Ct.
2395 (2012) .............................................................................................. 15, 16, 19, 20
Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015) .............. 10, 19
Seaton v. Mayberg, 610 F.3d 530 (9th Cir. 2010) ....................................................... 29
Simon v. Eastern Ky. Welfare Rights Org., 426 U.S. 26 (1976) .................................. 7
Steel Co. v. Citizens for Better Env't, 523 U.S. 83 (1998) ............................................ 7
Storino v. Borough of Point Pleasant Beach, 322 F.3d 293 (3d Cir. 2003) ................ 15
Storm v. Paytime, Inc., 90 F. Supp. 3d 359 (M.D. Pa. 2015) ..................................... 17
Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334 (2014) ........................................ 8
Valley Forge Christian Coll. v. Americans United for Separation of Church &
State, Inc., 454 U.S. 464 (1982) ................................................................................. 8
Weinberg v. Advanced Data Processing, Inc., 147 F. Supp. 3d 1359 (S.D. Fla.
2015) .......................................................................................................................... 30
Whalen v. Michaels Stores, Inc., 689 Fed. Appx. 89 (2d Cir. 2017) ............................. 9
Whitmore v. Arkansas, 495 U.S. 149 (1990) ............................................................... 14
Wilkerson v. Shinseki, 606 F.3d 1256 (10th Cir. 2010).............................................. 29
Wood v. Moss, 134 S. Ct. 2056 (2014) ......................................................................... 28
State Cases
Abdale v. N. Shore Long Island Jewish Health Sys., Inc., 19 N.Y.S.3d 8506
(N.Y. Sup. Ct. 2015) .................................................................................................. 30
Bratt v. International Business Machines Corp., 392 Mass. 508 (1984) ................... 22
Busse v. Motorola, Inc., 813 N.E.2d 1013 (2004) .................................................. 22, 23
Byrne v. Avery Ctr. for Obstetrics and Gynecology, 314 Conn. 433 (Conn.
2014) .................................................................................................................... 35, 39
Cooney v. Chicago Pub. Schools, 943 N.E.2d 23 (Ill. App. 1st Dist. 2010) .......... 22, 25
Fanean v. Rite Aid Corp. of Delaware, Inc., 984 A.2d 812 (Del. Super. 2009) .... 30, 40
Hanson v. Jones Medical Ctr., 199 Mis. 2d 321 (2002) .............................................. 23
Sheldon v. Kettering Health Network, 40 N.E.3d 661 (Ohio App. 2d Dist.
2015) ........................................................................................................ 29, 30, 31, 38
Young v. Curran, 289 S.W.3d at 586 (Ky. Ct. App. 2008) .................................... 30, 36
Federal Statutes
15 U.S.C. § 45 (Federal Trade Commission Act) ........................................................ 11
42 U.S.C. § 1320d (2012) (Health Insurance Portability and Accountability
Act) .......................................................................................................... 27, 28, 33, 38
45 C.F.R. §§ 160, 164, subpart A, E (HIPAA Privacy Rule and Security Rule). passim
State Statutes
302 M.C.S. § 3/22-104 .................................................................................................. 37
410 M.C.S § 22/46-101(a) (2005) ........................................................................... 41, 42
Ky. Rev. Stat. Ann. § 446.070...................................................................................... 37
Government Reports
Food and Drug Administration Guidance titled: “Postmarket Management of
Cybersecurity in Medical Devices” (Dec. 28, 2016), available at
https://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022 ....................................................................... 12
U.S. Gov’t Accountability Off., Personal Information: Data Breaches are
Frequent, but Evidence of Resulting Identity Theft is Limited; However,
the Full Extent is Unknown (2007), GAO-07-737, available at
http://www.gao.gov/assets/270/262899.pdf .............................................................. 17
Secondary Sources
Aaron Smith, Americans & Cybersecurity, PEW RES. CTR., (Jan. 2017) at
http://www.pewinternet.org/2017/01/26/americans-and-cybersecurity/ ................. 24
Antonin Scalia, The Doctrine of Standing as an Essential Element of the
Separation of Powers, 17 SUFFOLK U. L. REV. 881 (1983) ......................................... 7
Elizabeth Pritzker, Making the Intangible Concrete: Litigating Intangible
Privacy Harms in A Post-Spokeo World, 26 COMPETITION: J. ANTI., UCL &
PRIVACY SEC. ST. B. CAL. 1 (2017) ............................................................................ 21
Gordon Gantt, Hacking Health Care: Authentication Security in the Age of
Meaningful Use, 27 J.L. & Health 232 (2014) ........................................................ 26
Jeffrey Neuburger et al, Trends in Privacy and Data Security: 2016, Practical
Law Article w-005-3868, (Mar. 3, 2016) .................................................................. 11
Jonathan Molot, Reexamining Marbury in the Administrative State: A
Structural and Institutional Defense of Judicial Power over Statutory
Interpretation, 96 NW. U. L. REV. 1239 (2002)...................................................... 26
Megan Dowty, Life is Short. Go to Court: Establishing Article III Standing in
Data Breach Cases, 90 S. CAL. L. REV. 683 (2017) .................................................... 6
Reece Hirsch, et al, Digital Health Privacy: Old Laws Meet New
Technologies, 27 COMPETITION: J. ANTI., UCL & PRIVACY SEC. CAL. L. ASSOC.
21 (2018).................................................................................................................... 27
Restatement (Second) of Torts § 652 .......................................................................... 22
Robert S. Mueller III, Director, FBI, Remarks at RSA Cyber Security
Conference (Mar. 1, 2012) .......................................................................................... 6
TO THE HONORABLE SUPREME COURT OF THE UNITED STATES:
Petitioner, Barker & Todd, Inc., respondent in the Thirteenth Circuit Court
of Appeals, and defendant in the United States District Court for the District of
Missouriana, submits this brief in support of its request that this Court reverse the
judgment of the Thirteenth Circuit Court of Appeals.
OPINIONS BELOW
The opinion of the Thirteenth Circuit Court of Appeals is unreported as
Anthony Hope v. Barker & Todd, Inc., No. 17-1450 (13th Cir. Dec. 22, 2017), and
appears on pages 15-24 of the record. The opinion of the United States District
Court for the District of Missouriana is unreported as Anthony Hope v. Barker &
Todd, Inc., No. AM-16-410-CV (D. Mis. April 30, 2016), and appears on pages 1-14 of
the record.
STATEMENT OF JURISDICTION
The judgment of the Thirteenth Circuit Court of Appeals was entered on
December 22, 2017. (R. 15). The petition for writ of certiorari was granted on July
16, 2018. (R. 25). This Court has appellate jurisdiction pursuant to the grant of writ
of certiorari as required by 28 U.S.C. § 1254(1) (2012). This case is properly before
this Court pursuant to diversity jurisdiction under 28 U.S.C. § 1332(d)(2) (2012).
CONSTITUTIONAL PROVISIONS INVOLVED
This case involves Article III of the United States Constitution, which
provides: “The judicial Power shall extend to all Cases, in Law and Equity, arising
under this Constitution, the Laws of the United States, and Treaties made, or
which shall be made, under their Authority … to Controversies … between Citizens
of different States….” U.S. Const. art. III, § 2.
STATEMENT OF THE CASE
This case arises from a data breach involving Defendant’s prescription drug
assistance program. (R. 1-2). Defendant-Petitioner Barker & Todd, Inc. (B&T) is a
pharmaceutical manufacturer that offers a prescription assistance program for
eligible, low-income participants. (R. 2). Through this program, B&T offers
participants a three or six-month supply of the drug at no cost. (Id.) To enroll in the
program, participants must complete an application form, which asks for personal
information including income, date of birth, social security number, medical
insurance policy numbers, and medical history regarding the prescribed medication.
(Id.)
B&T takes steps to safeguard this data. B&T stores patients’ information
electronically in encrypted form, and further restricts access to the data by
requiring authorized users to sign into the secure devices with a password. (Id.)
Unfortunately, despite these precautions, hackers exploited a vulnerability in
B&T’s cloud servers. (R. 2-3). On October 26, 2015, B&T began an upgrade of its
technology that involved moving its data from local servers to new private cloud-
based servers, which it had purchased from an outside vendor. (R. 2). The vendor
discovered an exploit that allowed unauthorized users to access its cloud servers
without needing the decryption key. (R. 2-3). Further, a B&T IT employee working
on the data transfer failed to check for server updates prior to starting the transfer.
(R. 2). This exposed the servers to “zero-day” and “n-day” exploits. (Id.)
“Zero-day” exploits are holes in a server’s security that are discovered and
exploited by attackers before developers become aware of the problem and can issue
a patch. (Id.) Once the security vulnerability becomes known, attackers write
exploits that target servers that have not been updated since the patch was released
(called “n-day” exploits, “n” being the number of days between when the exploit is
discovered and when the security patch is installed). (Id.) In this case, the vendor issued
a patch shortly after B&T purchased the servers. (R. 2-3). However, since B&T did
not install the patch for 8 hours, some data from one local server had already been
transferred to an un-patched cloud server. (Id.) This resulted in an “n-day” exploit
lasting one third of one day. (R. 3). That data breach included the files of 426
participants in the prescription drug access program for B&T’s newest arthritis
drug, Flexacor. (R. 3).
As required under HIPAA and Missouriana’s Data Breach Notification Act,
B&T sent out a notification on November 8, 2015, about a potential electronic
protected health information (“ePHI”) breach to the involved participants. (R. 3).
Further, to address the possible risk of identity theft, B&T offered the affected
participants a year of free credit monitoring. (Id.) Plaintiff Anthony Hope
(“Respondent”) immediately signed up for the credit monitoring B&T offered. (R. 3).
As a result, he learned that his B&T account user name and password, his date of
birth, and his social security number had been downloaded hundreds of times on
the dark web. (Id.) However, no actual data misuse had occurred. (Id.)
The district court noted that as of April 30, 2016, six months after the data
breach, Plaintiff had still not experienced any fraudulent credit charges or any
other incidents suggesting someone had appropriated his identity. (R. 3-4). The
Thirteenth Circuit found no allegations that there had been any fraudulent credit
charges or incidents of unauthorized use of any of the class members’ identities.
(R. 16). To this day, Respondent has not amended his complaint to allege actual
data misuse. (See R. 2-4, 16-17). Rather, Plaintiff alleges he has experienced fear
and anxiety over the mere prospect of identity theft. (R. 3-4).
Hope filed this class action suit against B&T on February 15, 2016, on behalf
of himself and other consumers whose ePHI was similarly found on the dark web.
SUMMARY OF THE ARGUMENT
This case presents allegations of negligence without duty, standard of care, or
injury. The first issue deals with whether the mere fact of a data breach without a
single allegation of actual data misuse confers a concrete injury in fact under Article
III of the U.S. Constitution. The second issue concerns Respondent’s attempt to
bootstrap a federal statute with no private right of action and a clear enforcement
mechanism limited to public enforcement to state negligence claims. Both issues
implicate waste of judicial resources and fundamental federalism concerns. Either
issue is sufficient to dismiss this action.
I.
This Court should enforce its standing doctrine, enshrined in Article III of the
U.S. Constitution, and find that Respondent has failed to allege an injury in fact
where the risk of future injury resulting from an isolated data breach is neither
substantial nor certainly impending. Respondent alleges that a negligible exploit of
his personal data creates a substantial risk of future injury when none of the 426
members of the putative class have suffered actual data misuse in the
years since the breach occurred. No data misuse has occurred during the pendency
of this litigation and the risk of such injury continues to fade every day. B&T
provided a free credit monitoring service as a goodwill gesture. Neither B&T’s
foresight nor prophylactic measures taken by Respondent substitute for an actual
injury or substantial risk. Finally, Respondent’s empty allegations of fear and
anxiety are no less speculative than his hypothetical concerns of future data misuse
by unknown individuals with unknown abilities and intent.
II.
Respondent’s attempt to bootstrap HIPAA to state negligence per se and
ordinary negligence claims is equally unavailing. As a threshold matter, B&T deals
directly with its customers and is not a business associate within the meaning of
HIPAA. Moreover, Respondent’s reliance on HIPAA fails because HIPAA does not
provide for a private right of action. The critical inquiry is whether Congress
intended to create a private right of action, and here, Congress unequivocally did
not. Allowing such claims to proceed would create a private right of action where
none exists. Respondent’s negligence per se and ordinary negligence claims suffer
from additional deficiencies. As a matter of first impression, Missouriana should not
recognize violations of a federal statute as the basis for a negligence per se claim,
and even if this Court finds that it does, HIPAA’s implementing specifications are
too flexible to impose strict liability. Respondent’s ordinary negligence claim fails
because Missouriana does not impose a duty on pharmaceutical companies like
B&T to protect personal health information (PHI). Finally, even if this Court finds
an underlying duty, B&T implemented “reasonable and appropriate” standards to
substantially comply with a HIPAA-based standard of care.
ARGUMENT AND AUTHORITIES
This Court reviews de novo a decision to dismiss for lack of standing. Beck v.
McDonald, 848 F.3d 262, 269 (4th Cir.). Whether or not HIPAA provides for a
private cause of action is a question of statutory interpretation subject to de novo
review. Acara v. Banks, 470 F.3d 569, 570–71 (5th Cir. 2006).
I. RESPONDENT FAILED TO ESTABLISH AN INJURY IN FACT TO CONFER STANDING
UNDER ARTICLE III WHERE THE SINGLE DATA BREACH DID NOT RESULT IN A
CONCRETE INJURY AND THE HEIGHTENED RISK OF FUTURE INJURY AND
ATTENDANT FEAR IS TOO SPECULATIVE TO SUPPORT STANDING
In 2016, more than 75% of American companies suffered at least one data
breach. Megan Dowty, Life is Short. Go to Court: Establishing Article III Standing
in Data Breach Cases, 90 S. CAL. L. REV. 683, 685 (2017). As then FBI Director,
Robert Mueller, observed in 2012, “[t]here are only two types of companies: those
that have been hacked, and those that will be.” Robert S. Mueller III, Director, FBI,
Remarks at RSA Cyber Security Conference (Mar. 1, 2012).1 Given the prevalence of
data breaches and inevitable class actions that follow, this Court should enforce
Article III’s standing requirement in data breach cases by requiring actual data
misuse.2
The standing doctrine limits the category of litigants empowered to maintain
a lawsuit in federal court. Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016), as
revised (May 24, 2016). In this way, Article III standing serves to prevent the
judicial process from being used to usurp the powers of the political branches. Id.
1 Available at https://archives.fbi.gov/archives/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terrorists-hackers-and-spies.
2 In this brief, “actual data misuse” means “identity theft or some other form of data misuse.”
Standing, put simply, is having a stake in the litigation. Antonin Scalia, The
Doctrine of Standing as an Essential Element of the Separation of Powers, 17
SUFFOLK U. L. REV. 881, 882 (1983). It is the plaintiff’s burden, at the pleading
stage, to establish standing. See Lujan v. Defenders of Wildlife, 504 U.S. 555, 561
(1992).
Standing requires an injury in fact, fairly traceable to the challenged action,
and redressable by a favorable ruling. Monsanto Co. v. Geertson Seed Farms, 561
U.S. 139, 149 (2010). This case involves the injury in fact component, which is the
“[f]irst and foremost” element of standing. Steel Co. v. Citizens for Better Env't, 523
U.S. 83, 103 (1998). An injury in fact is “an invasion of a legally protected interest
which is (a) concrete and particularized, and (b) actual or imminent, not conjectural
or hypothetical.” Lujan, 504 U.S. at 560 (citations omitted).
In the class action context, the standing requirements are the same as they
are for individual plaintiffs. See, e.g., Simon v. Eastern Ky. Welfare Rights Org.,
426 U.S. 26, 40 n.20 (1976) (citation omitted) (“That a suit may be a class action …
adds nothing to the question of standing, for even named plaintiffs who represent a
class must allege and show that they personally have been injured.”; see also In re
Horizon Healthcare Services Inc. Data Breach Litig., 846 F.3d 625, 634 (3d Cir.
2017).
The single data breach at issue in this lawsuit affected the personal data of
426 participants in B&T’s drug assistance program. (R. 3). Due to the personal
nature of this data, which included participants’ income, date of birth, social
security number, medical insurance policy numbers, and prescribed medication
history, B&T does not contest the particularity requirement. (R. 2). However,
Respondent’s alleged injury is neither concrete nor certainly impending. Rather, it
is a negligible exploit that has not resulted in any actual harm. Moreover,
Respondent’s allegation of future harm and attendant fear and anxiety relies on a
speculative chain of possibilities dependent on the skill, knowledge, and intent of
unknown third parties.
A. Respondent Has Failed to Meet His Burden to Establish A Concrete,
Actual Harm Because The Mere Fact of A Single Data Breach Amounts to
A Negligible Injury
Concreteness is quite different from particularization. Spokeo, 136 S. Ct. at
1548. A “concrete” injury must be de facto; that is, it must actually exist, and not
merely in an abstract sense. Id. (citing Black's Law Dictionary 479 (9th ed. 2009));
see Valley Forge Christian Coll. v. Americans United for Separation of Church &
State, Inc., 454 U.S. 464, 472 (1982) (The actual injury requirement serves “implicit
policies embodied in Article III.”).
1. Circuits that confer standing based on the mere fact of a data breach
cannot be reconciled with this Court’s precedent, which requires that a
future injury be certainly impending, and that substantial risk of future
injury exists
Circuits holding that the mere fact of a data breach supports standing ignore
this Court’s recent precedent. This Court has recently clarified that where a
plaintiff seeks to establish standing by alleging that he will suffer injury in the
future, that injury must be “imminent,” i.e., “not conjectural or hypothetical.”
Spokeo, 136 S. Ct. at 1548. The injury must be “certainly impending,” Clapper v.
Amnesty Intern. USA, 568 U.S. 398, 410-14 (2013), meaning there exists a
“substantial risk” that it actually “will occur.” Susan B. Anthony List v. Driehaus,
134 S. Ct. 2334, 2341 (2014). Eight circuits have addressed whether the risk of
future injury resulting from a data breach, absent actual data misuse, is sufficient
to confer standing. The circuits are split down the middle.
Four circuits correctly refuse to recognize standing where plaintiffs fail to
plead actual data misuse. In re SuperValu, Inc., 870 F.3d 763, 771 (8th Cir. 2017)
(noting that “several circuits have applied Clapper to determine whether an
increased risk of future identity theft constitutes an injury in fact”); Beck v.
McDonald, 848 F.3d 262, 273 (4th Cir. 2017) (observing that the “circuits are
divided on whether a plaintiff may establish an Article III injury in fact based on an
increased risk of future identity theft”); Whalen v. Michaels Stores, Inc., 689 Fed.
Appx. 89, 91 (2d Cir. 2017); Katz v. Pershing, LLC, 672 F.3d 64, 79 (1st Cir. 2012)
(noting that plaintiff’s “cause of action rests entirely on the hypothesis that at some
point an unauthorized, as-yet unidentified, third party might access her data and
then attempt to purloin her identity”).
Conversely, four circuits hold that the mere existence of a data breach,
without allegations of actual data misuse, constitutes an injury in fact. In re
Zappos.com, Inc., 888 F.3d 1020, 1029 (9th Cir. 2018), petition for cert. filed, 2018
WL 4035532 (Aug. 20, 2018) (No. 18-225) (finding standing in class action brought
on behalf of 24 million plaintiffs, none of whom suffered actual data misuse); Attias
v. Carefirst, Inc., 865 F.3d 620, 628 (D.C. Cir. 2017), cert. denied, 138 S. Ct. 981
(2018) (finding that standing exists where an unauthorized party has accessed
personally identifying data because it is “plausible ... to infer that this party has
both the intent and the ability to use that data for ill”); Galaria v. Nationwide Mut.
Ins. Co., 663 Fed.Appx. 384, 388 (6th Cir. 2016) (“Where a data breach targets
personal information, a reasonable inference can be drawn that the hackers will use
the victims’ data for the fraudulent purposes alleged in Plaintiffs' complaints.”);
Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826, 828 (7th Cir. 2018).
It bears repeating that four circuits support standing in class actions fueled
entirely on speculation of future injury. In Remijas v. Neiman Marcus Group, LLC,
the court found that plaintiffs who had not experienced fraudulent charges
following a breach of Neiman Marcus stores had standing because those plaintiffs
knew, from the numerous cards already used fraudulently, that their personal
information had been stolen by individuals who intended to misuse it. 794 F.3d 688,
693–94 (7th Cir. 2015); see Krottner v. Starbucks Corp., 628 F.3d 1139, 1142–43
(9th Cir. 2010) (holding that employees faced “a credible threat of harm” from the
theft of the laptop after one of the employees alleged that someone tried to open a
bank account in his name); In re Horizon Healthcare Services Inc. Data Breach
Litig., 846 F.3d 625, 630 (3d Cir. 2017) (One plaintiff in 839,000 member class was
“denied retail credit because his social security number has been associated with
identity theft.”). Thus, in Krottner, Remijas, and In re Horizon, the allegations
included actual examples of the use of the fruits of the data breach for identity
theft, even if involving victims other than the named plaintiffs. See In re Target
Corp. Data Sec. Breach Litig., 66 F.Supp.3d 1154, 1157–59 (D. Minn. 2014) (holding
that “unlawful charges, restricted or blocked access to bank accounts, inability to
pay other bills, and late payment charges or new card fees” supported Article III
standing in 110 million-member class action). Accordingly, cases that support
standing where at least some plaintiffs alleged actual data misuse are inapposite to
the present case.
Here, Respondent, who has not suffered actual data misuse, seeks to
represent 425 similarly situated participants in B&T’s drug assistance program. (R.
3-4). Respondent does not allege there have been any fraudulent credit charges or
actual incidents of the class members’ identities being used for unauthorized
purposes. (R. 16). The district court found the putative class lacked standing
because no member of the class had shown any concrete harm from the breach that
occurred at the clinic. (R. 17). As Paul Clement recently argued in a petition for writ
of certiorari, “[t]he mere possibility that information stored in a breached database
may someday be misused is manifestly insufficient to satisfy [this Court’s certainly
impending or substantial risk] standard.” Petition for Writ of Certiorari,
Zappos.com, Inc. v. Stevens, (No. 18-225), 2018 WL 4035532, at *2. Respondent’s
case theory is a classic example of a “conjectural or hypothetical” injury. See Lujan,
504 U.S. at 560. Respondent’s failure to allege a single incident of actual data
misuse to his detriment or to the detriment of any other class members, renders his
claims outside the scope of justiciable cases and controversies.
2. Federal regulatory guidance affirms that an injury in fact requires actual
data misuse
The Federal Trade Commission (FTC) is the primary federal agency
regulating consumer privacy and data security and derives its authority to protect
consumers from unfair or deceptive trade practices from Section 5 of the Federal
Trade Commission Act, 15 U.S.C. § 45 (FTC Act). Jeffrey Neuburger et al., Trends in
Privacy and Data Security: 2016, Practical Law Article w-005-3868, (Mar. 3, 2016)
(also referencing Health and Human Services and Food and Drug Administration
guidance on privacy and data security). In August 2013, the FTC brought action
against LabMD, a pharmaceutical company, alleging that it violated Section 5 of the
FTC Act by failing to reasonably safeguard customers’ data. LabMD, Inc. v. Fed.
Trade Commn., 894 F.3d 1221, 1224 (11th Cir. 2018). LabMD had employed a data-
security program to comply with HIPAA regulations. Id. In August 2018, the
Eleventh Circuit held that the FTC's enforcement order issued to LabMD was
insufficiently specific and thus unenforceable. Id. at 1229. The court reasoned that
FTC enforcement actions for unfair practices cannot be based just on consumer
injury, even “substantial” injury. See Id. n.24 (“We do not take [Section 5(n)] to
mean that the Commission may bring suit purely on the basis of substantial
consumer injury. The act or practice alleged to have caused the injury must still be
unfair under a well-established legal standard, whether grounded in statute, the
common law, or the Constitution.”). Thus, FTC enforcement actions must be rooted
in a “well-established legal standard,” not just an inadvertent compromise of
consumer privacy. See Id.
FDA Guidance affirms that the mere fact of a data breach is a negligible
harm. See Food and Drug Administration Guidance titled: “Postmarket
Management of Cybersecurity in Medical Devices” (Dec. 28, 2016).3 The FDA
Guidance applies to medical devices that contain software or programmable logic
and software that is a medical device including mobile medical applications. Id. at
*8. The definition of “patient harm” under the FDA appropriately considers
“physical injury or damage to the health of people, or damage to property or the
environment” but excludes “[o]ther harms, such as loss of confidential information,
including compromise of protected health information (PHI).” Id. at *10. Applying
this definition of patient harm, the FDA Guidance assesses whether the risk of
patient harm is sufficiently controlled or uncontrolled based on an evaluation of the
likelihood of exploit, the impact of exploitation on the device’s safety and essential
performance, and the severity of patient harm if exploited. Id. at *9-12, 19-21.
The distinction between “controlled” and “uncontrolled” is important because
a controlled risk represents a sufficiently low (acceptable) residual risk of patient
harm due to the vulnerability that does not require additional risk control
measures. Id. To help assess the severity of patient harm following an exploit, the
FDA provides five qualitative severity levels: negligible, minor, serious, critical, and
catastrophic. Id. at *17. Negligible harm results in inconvenience or temporary
discomfort, while minor harm results in temporary injury or impairment. Id.
Negligible harms are considered “controlled” (and not requiring remedial measures),
even where there is a high level of exploitability. Id. at *18. Thus, the definitions of
“patient harm” and “negligible” severity demonstrate the FDA’s view that a mere
breach of ePHI does not constitute a harm requiring remedial measures.
3 Available at https://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM48202
Federal agencies regulating cybersecurity demonstrate that the mere fact of a
data breach is insufficient to support an injury in fact. Under LabMD, the FTC –
the agency charged with protecting consumers from unfair or deceptive trade
practices in the realm of cybersecurity – must show actual, substantial data misuse
to support a negligence action. See Id. Respondent should not be held to a lesser
standard in federal court. While the FTC may bring a negligence claim based on a
“substantial injury” under a well-established legal standard, Respondent’s alleged
future injury falls far short of that threshold. The circumstances of the data breach
in this case do not support an exception to the FTC’s standards. In LabMD, the
personal information4 of 9,300 consumers was accessed by two to five million
people compared with 426 affected individuals in the present case whose data has
been downloaded hundreds of times. (R. 7). Thus, even if Respondent proceeded
under a well-established legal standard, the magnitude of the data breach in
LabMD dwarfs the minor incident at issue here.
4 The personal information compromised in LabMD was essentially the same as the ePHI at issue in
this case. The information included names, dates of birth, social security numbers, laboratory test
codes, and, for some, health insurance company names, addresses, and policy numbers. Id. at 1224.
Under FDA Guidance, Respondent alleges a negligible injury for which no
remedial action on behalf of B&T is required. The data breach has not resulted in
actual data misuse in the years following the breach, indicating a low level of
exploitability. (R. 2-4, 16-17). However, even if there was a high level of
exploitability, negligible harms like inconvenience or temporary discomfort do not
rise to an actionable level of harm. Accordingly, by taking immediate action to end
the vulnerability and offering Respondent a free credit monitoring service, B&T has
gone beyond what the FDA would require. (R. 3). Absent actual data misuse, the
mere fact of a data breach is a negligible injury that does not confer Article III
standing.
B. Heightened Risk of Future Injury Resulting from An Isolated Data Breach
Is Insufficient to Confer Standing Where Future Data Misuse Is Not
Certainly Impending, Respondent Cannot Manufacture Standing Through
B&T’s Provision of A Free Credit Monitoring Service, and Intangible Fear
of Future Injury Is Too Speculative
Allegations of “possible future injury” are insufficient to satisfy Article III.
Whitmore, 495 U.S. at 158. A plaintiff therefore lacks standing if his “injury” stems
from an indefinite risk of future harm inflicted by unknown third parties. See
Lujan, 504 U.S. at 564. Plaintiffs need not demonstrate that it is “literally certain”
that they will suffer harm. Clapper, 568 U.S. at 414, n.5. In some instances,
standing exists based on a “substantial risk” that the harm will occur. Id. (quoting
Monsanto, 561 U.S. at 153-54).
An injury in fact “must be concrete in both a qualitative and temporal sense.”
Whitmore v. Arkansas, 495 U.S. 149, 155 (1990). “Although imminence is concededly
a somewhat elastic concept, it cannot be stretched beyond its purpose, which is to
ensure that the alleged injury is not too speculative for Article III purposes—that
the injury is certainly impending.” Clapper, 568 U.S. at 409. This Court rejected the
use of an “objectively reasonable likelihood” standard for Article III standing as
inconsistent with the Court’s long-established requirement that “threatened injury
must be certainly impending to constitute injury in fact.” Id.
This Court should announce a bright line rule that mere heightened risk of
future injury stemming from a data breach is insufficient to confer standing.
1. Respondent’s alleged injury in fact is not certainly impending and does
not create a substantial risk that the harm will occur because it lacks
concreteness in both a qualitative and temporal sense and is dependent on
an attenuated chain of possibilities
Absent actual data misuse, allegations of future injury are speculative and
dependent on the skill and intent of unknown third parties. See Reilly v. Ceridian
Corp., 664 F.3d 38, 42 (3d Cir. 2011), cert. denied, 132 S. Ct. 2395 (2012); Pisciotta
v. Old National Bancorp, 499 F.3d 629, 639 (7th Cir. 2007) (“Without more than
allegations of increased risk of future identity theft, the plaintiffs have not suffered
a harm that the law is prepared to remedy.”). Respondent’s allegation that
hundreds of individuals have downloaded his data on the dark web fails to plausibly
show that an injury is certainly impending.
a. Respondent’s alleged injury in fact relies on a highly attenuated chain
of possibilities
Standing is conspicuously absent where plaintiffs cannot describe how they
will be injured without beginning the explanation with the word “if.” Storino v.
Borough of Point Pleasant Beach, 322 F.3d 293, 297–98 (3d Cir. 2003); see Amburgy
v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1053 (E.D. Mo. 2009) (“For plaintiff
to suffer the injury and harm he alleges here, many “ifs” would have to come to
pass.”). In Amburgy, the court emphasized plaintiffs’ speculative chain of
possibilities and concluded that the multiple “ifs” squarely place plaintiff's claimed
injury in the realm of the hypothetical. 671 F. Supp. 2d at 1053.
A highly attenuated chain of possibilities dependent on the future actions of
third parties does not satisfy the requirement that threatened injury must be
certainly impending. In Reilly, the court rejected appellants’ contentions that relied
on speculation that the hacker: (1) read, copied, and understood their personal
information; (2) intends to commit future criminal acts by misusing the information;
and (3) is able to use such information to the detriment of Appellants by making
unauthorized transactions in Appellants' names. 664 F.3d 38, 42 (3d Cir. 2011). The
court found these contentions even less tenable than the plaintiffs’ claim in Lujan
that “some day” they would visit the threatened species’ habitat sites. While in
Lujan the acts necessary to make the injury “imminent” were within plaintiffs’ own
control, in the case of a data breach, appellants’ alleged increased risk of future
injury is dependent on entirely speculative, future actions of an unknown third-
party. Id.; see Katz v. Pershing, LLC, 672 F.3d 64, 80 (1st Cir. 2012) (dismissing
case where “cause of action rests entirely on the hypothesis that at some point an
unauthorized, as-yet unidentified, third party might access her data and attempt to
purloin her identity”). This Court has rejected standing claims dependent on the
action of third parties even where those third parties have harmed plaintiffs in the
past. See City of Los Angeles v. Lyons, 461 U.S. 95, 105-06 (1983) (holding that a
plaintiff lacked standing to enjoin the LAPD from using a controversial chokehold
technique on arrestees).
Respondent’s allegations of future harm depend on too many unknown
variables to support standing. As in Reilly, Respondent’s alleged injury in negligence
depends on speculation that the hacker or those who downloaded his data (1) read,
copied, and understood Respondent’s personal information; (2) intend to commit
future criminal acts by misusing the information; and (3) can use such information
to the detriment of Respondent by making unauthorized transactions in
Respondent’s name. If all these conditions – none of which are within Respondent’s
control – were met, then Respondent could show that harm is certainly impending.
This is simply not the case: Respondent did not allege that the breach resulted in
actual harm or that the unknown third-party hackers have harmed Respondent in
the past. (R. 2-4). Therefore, this Court should dismiss Respondent’s case where his
claims are dependent on entirely speculative, future actions of an unknown third-
party.
b. Respondent’s injury lacks concreteness in either a qualitative or
temporal sense
Risk of future injury is especially speculative where no injury emerges during
the pendency of litigation alleging risk of future injury. See Storm v. Paytime, Inc.,
90 F. Supp. 3d 359, 366-67 (M.D. Pa. 2015) (noting that a lapse of time undermines
the concept of “imminent”); Beck, 848 F.3d at 275 (“[A]s the breaches fade further
into the past,” the Plaintiffs’ threatened injuries become more and more
speculative.) (quoting Chambliss v. Carefirst, Inc., 189 F.Supp.3d 564, 570 (D. Md.
2016)); In re Zappos.com, 108 F.Supp.3d 949, 958 (D. Nev. 2015) (“[T]he passage of
time without a single report from Plaintiffs that they in fact suffered the harm they
fear must mean something.”). Quite simply, the passage of over a year since a data
breach means that the alleged future injury is not imminent or certainly impending,
and there is not a substantial risk that such an injury will ever occur.
Allegations of heightened risk of injury ignore the fact that most data breaches
do not result in identity theft. The U.S. Government Accountability Office issued a
report in 2007 that found that although there are some cases in which a data breach
appears to have resulted in identity theft, “most breaches have not resulted in
detected incidents of identity theft.” See U.S. Gov’t Accountability Off., Personal
Information: Data Breaches are Frequent, but Evidence of Resulting Identity Theft
is Limited; However, the Full Extent is Unknown (2007), GAO-07-737, available at
http://www.gao.gov/assets/270/262899.pdf. Citing this report, the Eighth Circuit
reasoned that defendants’ data breaches do not create a substantial risk that
plaintiffs will suffer credit or debit card fraud. In re SuperValu, Inc., 870 F.3d at
771; see Beck, 848 F.3d at 268 (“The plaintiffs’ calculations that 33% of those
affected by the laptop theft would have their identities stolen and that all affected
would be 9.5 times more likely to experience identity theft ‘d[id] not suffice to show
a substantial risk of identity theft.’”). Until data breaches are practically certain to
result in actual data misuse, the default rule should be no standing.
Respondent has failed to allege a concrete injury in either a qualitative or
temporal sense. Respondent did not allege actual data misuse when he filed suit or
when the district court dismissed his case, and, to this day, Respondent has not
amended his complaint to allege actual data misuse. (R. 3-4). To the extent
Respondent ever faced a real threat of injury, that threat has faded into speculation
with the passage of time. B&T’s quick response in stopping the vulnerability after a
mere eight hours eliminated any substantial risk of identity theft. (R. 3). Unable to
demonstrate a substantial risk of future harm, Respondent and similarly situated
plaintiffs are left with unwarranted fear and anxiety based on a speculative risk.
Respondent’s standing theory rests on a speculative chain of possibilities that
lacks the requisite imminence to support standing. Such imminence is further
undermined by the lack of actual data misuse during the pendency of this litigation
and the low likelihood of actual data misuse in data breaches overall.
2. B&T’s provision of a free credit monitoring service to Respondent does not
amount to an admission of fault and Respondent cannot manufacture
standing by incurring costs regarding a speculative future injury
Plaintiffs cannot manufacture standing merely by inflicting harm on
themselves based on their fears of hypothetical future harm that is not certainly
impending. Clapper, 568 U.S. at 416. If the law were otherwise, an enterprising
plaintiff would be able to secure a lower standard for Article III standing simply by
making an expenditure based on a nonparanoid fear. Id. Likewise, this Court
should not permit an enterprising plaintiff to manufacture an injury based on the
provision of a free credit monitoring service.
a. B&T’s provision of a free credit monitoring service does not imply fault
While some courts have held an offer of free credit monitoring services in the wake
of a data breach to be an admission of possible harm, this holding advances bad
policy and discourages mitigation efforts. See, e.g., Remijas, 794 F.3d at 696. Other
circuits have declined to follow this counterproductive approach, holding that
adopting the presumption would discourage organizations from offering credit
monitoring services as a goodwill gesture. Beck, 848 F.3d at 276 (4th Cir.); In re
Horizon Healthcare, 846 F.3d at 634 (reasoning that such an assumption would
disincentivize companies from offering credit or other monitoring services in the
wake of a breach).
B&T’s provision of a free credit monitoring service does not imply fault or
indicate the level of risk of future harm. B&T provided Respondent with the free
service “[i]n order to address the possible risk of identity theft[.]” (R. 3). Moreover,
the credit monitoring service alerted Respondent that his information had been
found on the dark web. (Id.) Far from an admission of fault, B&T’s provision of a
free credit monitoring service informed Respondent of the extent to which his data
had been compromised and offered Respondent peace of mind.
b. Respondent cannot manufacture standing by incurring costs regarding
a speculative future injury
In the data breach context, any alleged time and money expenditures a
plaintiff spends monitoring his financial information does not establish standing.
Reilly, 664 F.3d at 46. Costs incurred to watch for a speculative chain of future
events based on hypothetical future criminal acts are no more “actual” injuries than
the alleged “increased risk of injury” which forms the basis for Respondent’s claims.
Id.; Randolph v. ING Life Ins. & Annuity Co., 486 F.Supp.2d 1, 8 (D.D.C. 2007)
(“[E]xpenditure of time and money was not the result of any present injury, but
rather the anticipation of future injury that has not materialized.”).
Here, Respondent has not alleged that he incurred out-of-pocket expenses
related to actual data misuse. (R. 2-4). Respondent may prophylactically spend
money to ease fears of future third-party criminality, but such misuse remains only
speculative—not imminent. See Reilly, 664 F.3d at 46. To the extent Respondent
incurs such costs in the future, he cannot manufacture standing through such
speculative expenditures.
3. Spokeo’s “intangible injury” standing framework is narrowly tailored to
statutory violations, not to Respondent’s negligence claims and,
regardless, Respondent’s alleged intangible injury is not a harm courts
have traditionally recognized
Nothing in Spokeo suggested a retreat from Clapper’s rule that “threatened
injury must be certainly impending to constitute injury in fact.” Spokeo, 136 S. Ct.
at 1544. To the contrary, Spokeo cited Clapper favorably. Id. In determining
whether an intangible harm constitutes injury in fact, both history and the
judgment of Congress play important roles. Spokeo, 136 S. Ct. at 1549. Justice Alito
identified two factors to consider: (1) whether the alleged intangible harm has “a
close relationship to a harm that has traditionally been regarded as providing a
basis for a lawsuit in English or American courts” (historical precedent factor), and
(2) whether Congress identified the intangible harm “as one that meets minimum
Article III requirements” (congressional identification factor). Id.; see also id. at
1554 (Thomas, J., concurring) (noting that plaintiff alleged actual harm to his
employment prospects).
Moreover, nothing in Spokeo suggested its holding applied to cases other
than those proceeding under statutory rights of action. Here, HIPAA does not
provide an express or implied right of action, see, e.g., O'Donnell v. Blue Cross Blue
Shield of Wy., 173 F.Supp.2d 1176, 1179 (D. Wyo. 2001), so, to the extent Spokeo
applies, Respondent must rely on the historical precedent factor and show that a
similar claim at common law would support standing. See Spokeo, 136 S. Ct. at
1549 (noting that the common law permitted suit in libel and slander cases even
though those harms may be difficult to prove or measure).
a. Respondent does not proceed under a right of action established by
Congress.
Spokeo reemphasized that Congress “has the power to define injuries . . . that
were previously inadequate in law.” 136 S.Ct. at 1549 (citation and internal
quotation marks omitted). The Court cautioned, however, that congressional power
to elevate intangible harms into concrete injuries is not without limits. Id. A “bare
procedural violation, divorced from any concrete harm,” is not enough. Id.; see
Groshek v. Time Warner Cable, Inc., 865 F.3d 884, 887 (7th Cir. 2017), cert. denied,
138 S. Ct. 740 (2018) (Fair Credit Reporting Act (FCRA) disclosure form contained
extraneous information). By way of example, the Court noted that a consumer
reporting agency could fail to provide the required notice to a user of the agency’s
consumer information yet still provide accurate information. Spokeo, 136 S.Ct. at
1549. Likewise, dissemination of an incorrect zip code would not present any
material risk of harm. Id.
While Spokeo clarified what may constitute an injury in fact where plaintiff
alleges a statutory violation, it said nothing about negligence actions. The Court
noted that, within the context of the FCRA, “not all inaccuracies cause harm or
present a[ ] material risk of harm.” Id. at 1550 (emphasis added). In the context of
statutory violations, Congress is “well positioned to identify intangible harms that
meet minimum Article III requirements, [and] its judgment is ... instructive and
important.” Id. Therefore, Spokeo addressed issues of Article III standing for
statutory violations – in this instance, a class claim alleging violations of the FCRA.
Elizabeth Pritzker, Making the Intangible Concrete: Litigating Intangible Privacy
Harms in A Post-Spokeo World, 26 COMPETITION: J. ANTI., UCL & PRIVACY SEC. ST.
B. CAL. 1, 2 (2017).
Respondent brings two negligence claims purportedly founded on violations of
HIPAA. However, since Respondent does not bring a claim under a federal statute,
Spokeo’s intangible injury framework does not apply to Respondent’s alleged injury.
Even under Spokeo’s framework, Respondent’s alleged injury is insufficient.
b. Respondent’s alleged injury in fact fails under Spokeo’s common law
harm analysis
Mitigating the risk of fraudulent charges is not an intangible harm
recognized at common law in English or American courts. State courts recognize
four common law causes of action for invasion of privacy: “(1) intrusion upon the
seclusion of another; (2) appropriation of another's name or likeness; (3) public
disclosure of private facts; and (4) publicity placing another in a false light.” See, e.g.,
Busse v. Motorola, Inc., 813 N.E.2d 1013, 1017 (2004).
Data breach harms are most similar to the common law right against public
disclosure of private facts. To state a claim, there must be private facts which are
given publicity or widespread disclosure. Bratt v. International Business Machines
Corp., 392 Mass. 508, 524 (1984). The matter made public must be one that would
be highly offensive and objectionable to a reasonable person of ordinary sensibilities.
E.E.O.C. v. C.R. England, Inc., 644 F.3d 1028, 1054 (10th Cir. 2011). Such a claim
requires at least an allegation of “publicity”—specifically, “making ... public, by
communicating it to the public at large, or to so many persons that the matter must
be regarded as substantially certain to become one of public knowledge.” Comments
to Restatement (Second) of Torts § 652.
Social security numbers are not “private facts,” and thus do not give rise to
an invasion of privacy claim, based on either intrusion into the seclusion of another
or public disclosure of private facts. Cooney v. Chicago Pub. Schools, 943 N.E.2d 23,
27 (Ill. App. 1st Dist. 2010). In Cooney, plaintiffs brought suit for violation of their
common law right to privacy, after Chicago Public Schools inadvertently disclosed a
list to all 1750 plaintiffs containing each individual plaintiff’s address, social
security number, marital status, medical and dental insurer and health insurance
plan information. Id. at 27. The court noted that “[i]n the absence of an Illinois law
defining social security numbers as private information, we cannot say that
defendants' use of this number fulfills the privacy element necessary to plead
intrusion upon seclusion.” Id. at 32 (citing Busse, 813 N.E.2d at 1018) (noting that
matters of public record such as names and dates of birth have also not been held to
be private facts). Accordingly, the court found that private facts are distinct from
personal information and consist of facts that are facially embarrassing and highly
offensive if disclosed. Id.
Missouriana, like Illinois, does not have a state law defining social security
numbers as private information. Missouriana case law does not hold differently. See
Hanson v. Jones Medical Ctr., 199 Mis. 2d 321, 333 (2002) (holding medical center
liable for public disclosure of private facts when it disclosed results of wife’s
pregnancy test to her estranged husband without her consent). In Hanson, the
medical center clearly violated the wife’s privacy rights when it disclosed the
facially embarrassing and highly offensive results of her pregnancy test to her
estranged husband. See Id. Unlike private facts, the Respondent’s compromised
data were merely personal information including social security numbers, income,
birth dates, medical insurance policy numbers, and medical history regarding the
prescribed arthritis medication. (R. 2). Such information is neither facially
embarrassing nor highly offensive if disclosed.
Moreover, Respondent’s ePHI was not “publicly” disclosed under the
analogous common law privacy action. Respondent alleged that his B&T account
user name and password, his date of birth, and his social security number were
available on the dark web, and had been downloaded hundreds of times. (R. 3).
Unlike in Hanson, where the medical center disclosed the wife’s private fact to the
last person with whom the wife wished to share that information – her estranged
husband, Respondent has not alleged that he knew any of the hundreds of
individuals who downloaded his information on the dark web or that those
individuals specifically targeted Respondent. (R. 3). This limited disclosure is not
substantially certain to become public knowledge and does not show that
Respondent is any more likely to suffer future harm than the next American. See
Aaron Smith, Americans & Cybersecurity, PEW RES. CTR., (Jan. 2017) at
http://www.pewinternet.org/2017/01/26/americans-and-cybersecurity/ (noting that
roughly two-thirds of American adults “have personally experienced a major data
breach”).
c. Intangible fear of a speculative future injury does not support standing
Fear and anxiety based on speculative future injury do not provide an
independent basis for standing. In Beck, the court rejected plaintiffs’ claim that
“emotional upset” and “fear [of] identity theft and financial fraud” resulting from
the data breaches are “adverse effects” sufficient to confer Article III standing. 848
F.3d at 272. This is especially true where plaintiff fails to present corroborating
evidence of the alleged fear or anxiety. See id. (citing Doe v. Chao, 540 U.S. 614
(2004)). As one court noted:
[I]t is reasonable to fear the worst in the wake of such a theft, and it is
understandably frustrating to know that the safety of your most
personal information could be in danger. The Supreme Court, however,
has held that an “objectively reasonable likelihood” of harm is not
enough to create standing, even if it is enough to engender some
anxiety. Plaintiffs thus do not have standing based on risk alone, even
if their fears are rational.
In re Sci. Applications Int'l Corp. (SAIC) Backup Tape Data Theft Litig., 45
F. Supp. 3d 14, 26 (D.D.C. 2014) (citations omitted). Accordingly, a data breach
victim cannot create standing by asserting, without corroborating evidence, fear and
anxiety.
Acknowledging that he has not suffered an actual harm from the data breach,
Respondent turns his focus to the abstract notion that he has “experienced a
considerable amount of fear and anxiety about the prospect of his identity being
stolen, especially since he is getting married soon and he and his new husband will
be combining their finances.”5 (R. 4). Such harm is too speculative to support
standing. Respondent’s empty assertions of fear and anxiety cannot replace an
actual injury. This conclusory allegation, absent corroborating evidence, does not
support a justified fear of future injury.
5 If Respondent’s fear is dependent on his wedding, his concern is moot, assuming the wedding took
place within two years of Respondent’s filing of his complaint. See Murphy v. Hunt, 455 U.S. 478
(1982) (holding that an action becomes moot when the issues presented are no longer live or the
parties lack a legally cognizable interest in the outcome).
Finally, Plaintiff’s choice not to bring a claim for negligent infliction of
emotional distress is telling. The court in Cooney rejected plaintiffs’ claim for
negligent infliction of emotional distress for lack of a duty Chicago Public Schools
owed to its former employees. 943 N.E.2d at 27. Likewise, here, B&T does not owe a
duty to prospective customers of its prescription drug assistance program. The lack
of a harm recognized at common law for privacy torts like the data breach at issue
shows that Respondent has failed to allege a plausible injury in fact.
II. RESPONDENT FAILED TO STATE A PLAUSIBLE CLAIM FOR RELIEF BECAUSE HIPAA
DOES NOT PROVIDE FOR A PRIVATE RIGHT OF ACTION AND RESPONDENT CANNOT
CIRCUMVENT THIS CLEAR CONGRESSIONAL INTENT THROUGH ALLEGING STATE
LAW NEGLIGENCE
As society has progressed and grown to new digital heights, it has also
become more vulnerable to unwanted intrusions of privacy. Gordon Gantt, Hacking
Health Care: Authentication Security in the Age of Meaningful Use, 27 J.L. &
Health 232, 234-35 (2014). This leap into the digital age has prompted the judiciary
to determine how new technology and its consequences fit into old laws. See
Carpenter v. U.S., 138 S. Ct. 2206, 2224 (2018) (“[T]he Cyber Age has vast potential
both to expand and restrict individual freedoms in dimensions not contemplated in
earlier times.”). Given the complexities of privacy rights in the “Cyber Age,” courts
must exercise restraint from creating ad hoc rights and remedies and respect
Congress’s role.
As Chief Justice John Marshall held in Marbury v. Madison: “It is
emphatically the province and duty of the judicial department to say what the law
is.” 5 U.S. 137, 177 (1803). The legitimacy of any particular exercise in statutory
interpretation is often judged by how well it carries out Congress’s will. Jonathan
Molot, Reexamining Marbury in the Administrative State: A Structural and
Institutional Defense of Judicial Power over Statutory Interpretation, 96 NW. U. L.
REV. 1239, 1251-52 (2002) (“The legitimacy of judicial power over statutory
interpretation has long been thought to flow from this assumption that judges
would implement Congress’s decisions.”). Congress’s decision to utilize public, not
private, enforcement of the Health Insurance Portability and Accountability Act
(HIPAA) is paramount.
A violation of HIPAA occurs where a covered entity or business associate
discloses individually identifiable health information without the consent of the
patient, absent a court order or proper subpoena. 42 U.S.C. § 1320d. HIPAA’s
Privacy Rule requires covered entities and business associates to ensure the
confidentiality, integrity, and availability of all protected health information (“PHI”)
the covered entity or business associate creates, receives, maintains or transmits.
45 C.F.R. §§ 160, 164, subpart A, E.
As a threshold matter, B&T is not a covered entity or a business associate for
purposes of implementing HIPAA. Covered entities under HIPAA generally include
health-care providers, health plans, and health-care clearinghouses and their
business associates. 42 U.S.C. § 1320d (2012). Under HIPAA, a business associate is
a person or entity acting on behalf of a covered entity that creates, receives,
maintains, or transmits PHI for a function or activity regulated by HIPAA (i.e., a
covered entity function). See 45 C.F.R. § 160.103 (2014). If a pharmaceutical
company provides a service directly to the consumer, then it is not a business
associate because it does not act on behalf of a covered entity. Reece Hirsch, et al,
Digital Health Privacy: Old Laws Meet New Technologies, 27 COMPETITION: J.
ANTI., UCL & PRIVACY SEC. CAL. L. ASSOC. 21, 22 (2018). B&T directly collects PHI
from applicants to its prescription assistance program. (R. 2). Additionally, HIPAA
requires health care plans and providers to enter into business associate
agreements – contracts obligating third parties to abide by HIPAA’s restrictions on
PHI disclosures. Monarch Fire Protec. Dist. of St. Louis County, Missouri v.
Freedom Consulting & Auditing Services, Inc., 678 F.Supp.2d 927, 932 (E.D. Mo.
2009), aff'd, 644 F.3d 633 (8th Cir. 2011). Respondent does not allege that B&T
breached a business associate agreement, or that one exists. (R. 2-4). Therefore,
B&T is not a business associate and has no obligations under HIPAA.
Even if B&T has obligations under HIPAA, HIPAA’s enforcement powers rest
exclusively with the Secretary of the Department of Health and Human Services
(HHS) and state attorneys general. 42 U.S.C. § 1320d (2009). HIPAA does not
expressly or impliedly authorize a private right of action. This Court should reject
any attempt to bypass Congress’s clear legislative intent by allowing Respondent to
enforce HIPAA through state negligence claims. Accordingly, this Court should
dismiss Respondent’s claims. Further, Respondent’s negligence per se claim fails for
lack of applicability to federal statutes and impermissible flexibility. Respondent’s
ordinary negligence claim fails because B&T does not owe Respondent a duty to
protect PHI. Moreover, B&T reasonably and appropriately complied with HIPAA
and, therefore, did not breach a standard of care founded on HIPAA.
A motion to dismiss pursuant to Rule 12(b)(6) tests the legal sufficiency of a
party’s claim for relief. Fed. R. Civ. P. 12(b)(6). In ruling on a motion to dismiss
for failure to state a claim, the court must take all factual allegations in the
complaint as true but is not bound by a legal conclusion couched as a factual
allegation. Id.; see Wood v. Moss, 134 S. Ct. 2056, 2065 (2014). A 12(b)(6) motion is
successful when the legal theory presented by the plaintiff is “not cognizable as a
matter of law.” Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 555 and 570 (2007).
Additionally, plaintiffs must allege enough facts to raise their claims beyond the
level of speculation, Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009), and must “nudge[]
their claims across the line from conceivable to plausible.” Twombly, 550 U.S. at
570. Here, Respondent does not state a claim upon which relief may be granted.
A. Respondent’s Negligence Per Se And Ordinary Negligence Claims Fail
Because HIPAA Does Not Provide for A Private Right of Action And Its
Preferred Enforcement Mechanism Precludes State Law Negligence
Claims
The HHS Office for Civil Rights (“OCR”) is responsible for enforcing the
HIPAA Privacy Rules. 45 C.F.R. §§ 160-64. Because HIPAA specifically delegates
enforcement, Congress intended to preclude private enforcement. Acara v. Banks,
470 F.3d 569, 571 (5th Cir. 2006); see Alexander v. Sandoval, 532 U.S. 275, 286–87
(2001) (“The express provision of one method of enforcing [a statute] suggests
Congress intended to preclude others.”).
1. Respondent’s negligence per se and ordinary negligence claims fail
because they impermissibly attempt to create a private right of action
where none exists
It is beyond dispute that HIPAA does not create an express or implied private
right of action for violations of its provisions. Sheldon v. Kettering Health Network,
40 N.E.3d 661, 670 (Ohio App. 2d Dist. 2015) (“Congress did not create a private,
statutory right of action to enforce HIPAA's terms.”); see Dodd v. Jones, 623 F.3d
563, 569 (8th Cir. 2010) (“There is no dispute that HIPAA does not create a private
right of action through an implied right of action.”); see, e.g., Carpenter v. Phillips,
419 Fed. Appx. 658, 659 (7th Cir. 2011) (collecting cases); Doe v. Board of Tr. of the
Univ. of Ill., 429 F.Supp.2d 930, 944 (N.D. Ill. 2006) (“Every court to have
considered the issue ... has concluded that HIPAA does not authorize a private right
of action”); see also Acara v. Banks, 470 F.3d 569, 570–72 (5th Cir. 2006); Dodd v.
Jones, 623 F.3d 563, 569 (8th Cir. 2010); Seaton v. Mayberg, 610 F.3d 530, 533 (9th
Cir. 2010); Wilkerson v. Shinseki, 606 F.3d 1256, 1267 n. 4 (10th Cir. 2010). The
cases supporting this holding are legion. Sheldon, 40 N.E.3d at 670.
a. Negligence per se under HIPAA fails absent a private right of action
Absent an express or implied right of action, negligence per se claims based
on alleged violations of HIPAA fail. In Abdale v. N. Shore Long Island Jewish
Health Sys., Inc., plaintiff brought five causes of action, including negligence per se
based on violations of various state and federal laws after a third party stole her
confidential personal and medical information. 19 N.Y.S.3d 850, 855-856 (N.Y. Sup.
Ct. 2015). The court dismissed plaintiff’s negligence per se claims based on
violations of HIPAA and the Health Information Technology for Economic and
Clinical Health (HITECH) Act, reasoning that neither HIPAA nor HITECH, nor
their governing regulations, create a private right of action. Id. at 859. In Sheldon,
the court reasoned that permitting plaintiff to bring negligence per se claims based
on violations of HIPAA would in and of itself create a private action where none
exists. 40 N.E.3d at 674 (“To the extent that HIPAA universally has been held not
to authorize a private right of action, to permit HIPAA regulations to define per se
the duty and liability of breach is no less than a private right of action to enforce
HIPAA, which is precluded.”); see Fanean v. Rite Aid Corp. of Delaware, Inc., 984
A.2d 812, 823 (Del. Super. 2009) (concluding that claim of negligence per se could
not be premised on HIPAA violation); Young v. Curran, 289 S.W.3d at 586, 588-589
(Ky. Ct. App. 2008) (rejecting plaintiff's attempt to use HIPAA as foundation for
damages claim under state negligence per se statute); Weinberg v. Advanced Data
Processing, Inc., 147 F. Supp. 3d 1359, 1365 (S.D. Fla. 2015) (refusing to recognize
negligence per se claim based on HIPAA and noting that “Florida courts have
refused to recognize a private right of action for negligence per se based on an
alleged violation of a federal statute that does not provide for a private right of
action.”) Accordingly, courts reject negligence per se claims founded on HIPAA.
Respondent cannot salvage his negligence per se claim by relying on I.S. v.
Washington Univ., No. 4:11CV235SNLJ, 2011 WL 2433585 at *1 (E.D. Mo. June 14,
2011). I.S. dealt with a procedural issue and never addressed the substantive
negligence per se claim. Id. at *1-5. The sole issue before the court was whether or
not plaintiffs’ state negligence action based on a violation of HIPAA conferred
federal question jurisdiction. Id. The Court held it did not and reasoned this was a
state law question for which the federal court lacked jurisdiction. Id. at *5. The
court concluded, “[p]laintiff's claims are better suited for a state court to address.”
Id. Consequently, I.S. never held that HIPAA could properly form the basis for a
negligence per se claim.
b. Ordinary negligence claims using HIPAA to establish the standard of
care fail absent a private right of action
Courts apply the same reasoning behind disallowing negligence per se claims
based on HIPAA to reject ordinary negligence claims: HIPAA does not create a
private right of action and courts must refrain from artificially creating one.
Haywood v. Novartis Pharm. Corp., 298 F. Supp. 3d 1180, 1191 (N.D. Ind. 2018),
appeal dismissed, No. 18-1328, 2018 WL 3868755 (7th Cir. May 14, 2018) (“Indiana
state law claims that rely on HIPPA as the basis for establishing negligence are not
cognizable because utilizing them in such a way would circumvent HIPPA’s
enforcement mechanisms.”); see also Sheldon, 40 N.E.3d at 672 (stating that “in our
view utilization of HIPAA as an ordinary negligence ‘standard of care’ is
tantamount to authorizing a prohibited private right of action for violation of
HIPAA itself”). Accordingly, basing the standard of care for an ordinary negligence
claim on HIPAA would impermissibly create a private right of action where none
exists.
Respondent’s negligence claim rests on an impermissible conclusion that
B&T breached the standard of care established by HIPAA in failing to adequately
protect Respondent’s data in its prescription assistance program. In Haywood, a
consumer seeking to enroll in a co-pay assistance program administered by
Novartis, a drug manufacturer, asserted negligence claims based on Novartis’
alleged disclosure of the consumer’s information to his employer. 298 F.Supp.3d
1180 (2018). The court held that HIPAA does not provide for a private right of
action and HIPAA claims may not be shoehorned into a negligence action. Id. at
1190. Likewise, Respondent’s ordinary negligence claim impermissibly attempts to
shoehorn a HIPAA claim into an ordinary negligence claim. Thus, Respondent’s
ordinary negligence claim fails.
2. HIPAA’s preferred enforcement mechanism precludes ad hoc negligence
actions brought by private litigants seeking wide-ranging relief.
Congress provided HHS with the means to enforce HIPAA violations through
filing a complaint. 45 C.F.R. § 160.306. The implementing regulations state that an
individual “who believes a covered entity or business associate is not complying
with the administrative simplification provisions may file a complaint with the
Secretary.” 45 C.F.R. § 160.306(a). Further, the Secretary “will investigate any
complaint filed under this section when a preliminary review of the facts indicates a
possible violation due to willful neglect.” 45 C.F.R. § 160.306(c)(1). The regulations
suggest that if HIPAA intended to allow private actions, a party can still only bring
a complaint after the Secretary finds that a breach occurred.
According to the HHS summary of the HITECH amendment to HIPAA, the
purpose of the amendment is to strengthen the privacy and security protection for
individuals’ health information; modify the Breach Notification Rule; and to
improve their workability and effectiveness and to increase flexibility for and
decrease burden on the regulated entities. “Modifications to the HIPAA Privacy,
Security, Enforcement, and Breach Notification Rules Under the Health
Information Technology for Economic and Clinical Health Act and the Genetic
Information Nondiscrimination Act; Other Modifications to the HIPAA,” FEDERAL
REGISTER, Vol. 78, No. 17 at *1 (January 25, 2013).
Permitting private parties to bring negligence claims under HIPAA would
violate Congressional intent and open the floodgates to private HIPAA litigation.
Because HIPAA specifically delegates enforcement, Congress intended to preclude
private enforcement. Acara, 470 F.3d at 571; see Sandoval, 532 U.S. at 286–87
(“The express provision of one method of enforcing [a statute] suggests Congress
intended to preclude others.”). Therefore, HIPAA regulations do not expressly or
implicitly confer a private right of action on an individual. O'Donnell, 173 F.Supp.2d
at 1179.
Congress’s choice not to include a private right of action under HIPAA
avoids conflict between the goals and outcomes of private and public enforcement of
the regulations. HIPAA provides civil and criminal penalties for improper
disclosures of medical information, but it does not create a private cause of action,
leaving enforcement to the DHHS alone. 45 C.F.R. §§ 160-64; Doe v. Bd. of Trustees
of U. of Illinois, 429 F. Supp. 2d at 944. If this Court were to subvert this process
with its own ruling, HHS would be caught between valid agency direction and valid
judicial opinion. HIPAA’s inclusion of both civil and criminal penalties for improper
disclosures of medical information illustrates this point. See 42 U.S.C. §§ 1320d–5,
d–6. If courts allow private actions based on a violation of HIPAA, the defendant
faces potential penalties and damages from the state and private parties. Congress
intended that HHS enforce HIPAA through use of specific civil and criminal
penalties, not through ad hoc damages suits brought by private parties.
HIPAA grants the HHS sufficient authority to enforce its regulations.
Further litigation is unnecessary and would waste strained judicial resources.
Respondent never filed a complaint with the HHS Secretary, though he had the
right. (R. 2-4). Thus, there was never an investigation. Expanding Missouriana’s
common law to include HIPAA’s privacy standards will unnecessarily increase
litigation, waste judicial resources, and potentially expose pharmaceutical
companies, like B&T, to double penalties/sanctions. Moreover, without an
established HIPAA violation, even if Respondent were to demonstrate that a
violation of HIPAA could constitute evidence of breach of the standard of care, he
would be unable to make out a cause of action.
The purpose of HIPAA as stated in the HITECH amendment is incompatible
with private actions seeking damages for violations of HIPAA. Data breach victims,
for example, are not concerned with strengthening privacy and security protection –
a showing that a company took adequate steps to ensure the privacy and security of
plaintiff’s information would weaken his claims. These private suits do not further
an interest in improving the workability and effectiveness of regulated entities.
Rather, data breach plaintiffs thrive on exploiting system failures of regulated
entities. While private suits may indirectly push companies towards greater
compliance with HIPAA regulations, they do so in an unsystematic, inefficient
manner – precisely the opposite of what HIPAA intends. While such suits are
unlikely to decrease the burden on regulated entities, they certainly increase the
burden on the judicial system through voluminous class actions and multi-district
litigation.
3. Expanding the reach of HIPAA to state claims violates principles of
federalism
Consistent with its limits on federal question jurisdiction, this Court should
avoid extending the reach of federal statutes to state law claims. This Court held
that federal jurisdiction is unavailable for a state tort claim resting in part on the
allegation that the defendant drug company violated a federal misbranding
prohibition. Merrell Dow Pharmaceuticals Inc. v. Thompson, 478 U.S. 804, 804-05
(1986). Grable & Sons Metal Products, Inc. v. Darue Engr. & Mfg. interpreted
Merrell Dow to reject a general rule of exercising federal jurisdiction over state
claims resting on statutory violations. 545 U.S. 308, 318-19 (2005). Such a rule
would have heralded a potentially enormous shift of traditionally state cases into
federal courts. Id. Although this Court’s decision in Grable & Sons recognized the
general possibility that the breach of federal statutes may support negligence per se
claims in state tort proceedings, it does not stand for the proposition that HIPAA
itself is one of those statutes. Id. Therefore, this Court should refrain from
extending the reach of HIPAA to state negligence per se claims.
Absent an exception to the preemption rule in HIPAA, HIPAA preempts
contrary state law, and HIPAA’s lack of a private right of action controls. When it
comes to the protection of health information, HIPAA preempts state law to the
extent that state law is less stringent. 42 U.S.C. § 1320d-7(a)(1)-(2) and 45 C.F.R.
§ 160.203(b). The trial court in Byrne v. Avery Ctr. for Obstetrics and Gynecology
held, “to the extent that common-law negligence permits a private right of action for
claims that amount to HIPAA violations, it is a contrary provision of law and
subject to HIPAA’s preemption rule. Because it is not more stringent, according to
the definition of 45 C.F.R. § 160.202, the preemption exception does not apply.” 314
Conn. 433, 441–42 (Conn. 2014). Therefore, ordinary negligence claims based on
HIPAA are preempted.
This Court’s restraint in extending federal question jurisdiction to state law
claims based on federal statutes reflects its recognition of federalism concerns
inherent in extending the reach of the federal government to the detriment of the
states. Accordingly, Respondent may base his state negligence claim on a state-
created standard of care, but not on a federal statute. Further, the lack of
preemption in this case reinforces the impropriety of extending HIPAA to state law
claims. Respondent proceeds solely under HIPAA’s Privacy Rule, “not some
independent state law that may supply a contrary set of substantive standards.” (R.
13). Respondent cannot show an independent state law basis for finding that B&T
owed Respondent a duty to encrypt Respondent’s data. (Id.). Consequently,
permitting HIPAA to supply that duty would invade Missouriana’s legislative
province.
Respondent’s HIPAA based negligence per se and ordinary negligence claims
would require this court to extend Missouriana’s statute beyond its plain meaning.
It would invent a class of protected individuals under a statute that has no private
right of action and protects the public generally. And it would invade the province of
states to regulate their own conduct when not precluded by the federal government.
B. Respondent’s Negligence Per Se Claim Fails Because Negligence Per Se
Only Applies to State Statutes at Common Law, HIPAA Protects The
General Public, And HIPAA Regulations Are Too Flexible To Impose
Strict Liability.
To establish negligence per se in Missouriana, a plaintiff must show that,
without excuse, (1) the actor violates a statute (2) that is designed to protect against
the type of accident the actor’s conduct causes, and (3) if the accident victim is
within the class of persons the statute is designed to protect. 302 M.C.S. § 3/22-104
(2014). The elements of a claim for “negligence per se” under Missouri law are
identical to Missouriana except that Missouri includes an additional element that
“the violation of the statute or ordinance was the proximate cause of the injury.”
I.S., 2011 WL 2433585, at *3. Missouriana has not yet ruled on whether it would
recognize the violation of a federal statute or regulation as the basis of a negligence
per se claim. (R. 10).
1. Missouriana should not recognize a violation of a federal statute or
regulation as the basis for a negligence per se claim because negligence
per se only applies to state statutes at common law
Negligence per se statutes that codify the common law right of action do not
extend to federal statutes. In Young v. Curran, the Kentucky Court of Appeals
analyzed the common law doctrine of negligence per se. 289 S.W.3d at 588-589. The
court reasoned that the “General Assembly did not intend the statute to embrace
federal laws and thereby confer a private remedy for such a vast array of
violations.” Id. Courts are not required to find negligence per se from a violation of a
federal statute, particularly where the violation would not give rise to liability
under state common law. Id. Therefore, since federal statutes were not recognized
under the negligence per se action at common law, a negligence per se statute
codifying the common law action likewise does not apply to federal statutes.
Respondent’s negligence per se claim fails because Missouriana’s common
law negligence per se doctrine precludes reference to a federal statute. In
Missouriana, “an actor is negligent if…the actor violates a statute….” 302 M.C.S. §
3/22-104 (emphasis added). Like Kentucky’s negligence per se statute,
Missouriana’s statute codified the common law doctrine of negligence per se. Ky.
Rev. Stat. Ann. § 446.070; (R. 9-10). In Young v. Curran, the court affirmed
dismissal of plaintiff's HIPAA claim based on negligence per se because the state
legislature did not intend the statute to embrace federal laws. 289 S.W.3d at 589.
Accordingly, this Court should hold that Respondent may only use Missouriana’s
negligence per se statute as the legislature intended – for violations of state law.
2. HIPAA is not intended to protect a particular class of individuals
HIPAA regulations were not designed to protect a specific class of
individuals; rather, they protect the general public. To proceed under negligence per
se, a plaintiff must show that the purpose of the statute relied upon is, at least in
part, to protect the interest of the plaintiff individually, as opposed to the public
interest. Citizens Bank of Pennsylvania v. Reimbursement Technologies, 609 Fed.
Appx. 88, 93-94 (2015) (reasoning that defendant was not liable for negligence per
se under state law based on its alleged violation of HIPAA stemming from a data
breach, which resulted in theft of personal banking information from medical
patients, since HIPAA was not intended to protect patients’ banks from possible
financial fraud). Therefore, a plaintiff cannot bring a negligence per se claim for a
HIPAA violation stemming from financial harm (or the possibility of future
financial harm).
Respondent’s attempt to use HIPAA to craft a personal remedy runs counter
to HIPAA’s purpose. HIPAA provides specific remedies designed to enforce its
uniform privacy rules, not to create ad hoc personal remedies. 42 U.S.C. §§ 1302d-5,
1302d-6. Since HIPAA protects the privacy interests of all individuals and is not
limited to any specific class of individuals, the lack of a private right of action is
dispositive. Congress did not intend that private parties enforce HIPAA through
negligence per se or otherwise. See generally, Sheldon, 40 N.E.3d at 670 (“Congress
did not create a private, statutory right of action to enforce HIPAA’s terms.”);
Polanco v. Omnicell, Inc., 988 F.Supp. 2d 451, 469 (D. N.J. 2013) (“The ability to
bring an enforcement action to remedy HIPAA violations and ensure that a [covered
entity] is HIPAA compliant, lies within the exclusive province of the Secretary of
[HHS], not the hands of private citizens”) (citing Acara, 470 F.3d at 571).
Respondent’s claim that HIPAA protects him individually fails because his
injury is dependent on financial harm. To the extent Respondent’s alleged harm
stems solely from the disclosure of his health history regarding a single arthritis
drug, such injury is not cognizable under Article III. (R. 2-4). Accordingly, this
Court should reject Respondent’s attempt to bring his individual, financial
grievance under the purview of a statute intended to protect the general public.
3. HIPAA is too flexible to provide the basis for a negligence per se claim
because it focuses on reasonable and appropriate measures and includes
“addressable” standards, which are not required.
Section 164.306 of HIPAA’s implementing regulations, titled “flexibility of
approach,” states that “[c]overed entities or business associates may use any security
measures that allow such covered entity or business associate to reasonably and
appropriately implement the standard and implementation specifications.” 45
C.F.R. § 164.306(b)(1) (emphasis added). This “reasonable and appropriate”
standard for protecting ePHI is reiterated in § 164.306(d)(3)(i). HIPAA regulations
are flexibly designed to accommodate the vast array of medical providers. Sheldon,
40 N.E.3d at 674. Therefore, the regulations do not set forth “a positive and definite
standard of care whereby a jury may determine whether there has been a violation
thereof by finding a single issue of fact.” Id.
HIPAA’s “reasonable and appropriate” standards are too flexible to support a
negligence per se claim. HIPAA’s implementing regulations distinguish between
standards that require certain steps and those which identify only “addressable”
issues. 45 C.F.R. §§ 164.306(d)(1-3), 164.308, 164.310, and 164.312. The flexibility
stems from its implementing specifications. For example, the regulations require
the covered entity or its business associate to have a “unique user identification,” 45
C.F.R. § 164.312(a)(2)(i), while “encryption and decryption” is only addressable for a
covered entity or its business associate, 45 C.F.R. § 164.312(a)(2)(iv). Furthermore,
when instructing a covered entity or a business associate to adopt an addressable
implementation specification, the regulations take a discretionary approach, asking
a covered entity or business associate to “assess whether each implementation
specification is reasonable and appropriate in its environment….” 45 C.F.R. §
164.306(d)(3)(i). Such flexibility is fatal to Respondent’s negligence per se claim.
C. Respondent Cannot Use HIPAA To Establish The Standard Of Care In
Respondent’s Ordinary Negligence Claim Because B&T Does Not Owe
Respondent A Duty To Protect PHI And, Regardless, B&T Complied With
All State And Federal Regulations.
To state a claim for negligence, plaintiff must prove “three elements: (1) a
duty on the part of defendant in relation to the plaintiff; (2) the defendant’s breach
of that duty; and (3) an injury to the plaintiff resulting from that failure.” Haywood,
298 F. Supp. 3d at 1186. Respondent has not submitted plausible allegations for any
of these elements.
1. Respondent’s negligence claim fails because Missouriana does not impose
a duty on pharmaceutical companies to protect PHI from unauthorized
disclosure.
Some courts have looked to HIPAA to inform the standard of care, but in
those cases there was underlying state law recognizing the defendant’s duty. Byrne,
314 Conn. at 439-42 (“[T]o the extent that Connecticut's common law provides a
remedy for a health care provider’s breach of its duty of confidentiality[,] . . .
regulations . . . implementing HIPAA may inform the applicable standard of
care[.]”); Fanean, 984 A.2d at 823 (noting that negligence claim was supported by
allegations that pharmacy voluntarily undertook a duty to customer when it
decided to be her pharmacy). Consequently, absent underlying state law recognizing
the defendant’s duty, HIPAA cannot inform the standard of care.
In cases where a statutory duty has not been established, courts look to the
relationship between the parties, the reasonable foreseeability of harm, and public
policy concerns to determine whether a duty should be imposed at common law.
Haywood, 298 F.Supp.3d at 1191. While it is well-settled that the law recognizes a
duty-bound relationship between a pharmacist and a customer, that duty is
premised upon a unique patient-oriented health care connection. Id. at 1191-92.
Unlike the relationship between a pharmacist and a customer, the relationship
between a pharmaceutical corporation and a person seeking assistance with their
co-payments wholly lacks the direct contact, expertise, reliance, and counseling
aspects of the relationship that establish a duty. See id.
The Haywood court’s finding regarding the absence of a state law duty
dictates the result in the present case. Like B&T, Novartis Patient Assistance NOW
Oncology, a division of Novartis, administers a Co-Pay Assistance Program in which
eligible patients are given a Co-Pay Card to help offset the costs of their
prescription medication. Id. at 1184. And like the data breach of B&T’s prescription
assistance program, Novartis disclosed plaintiff’s social security number, date of
birth, income, Medicare number, and information about her disease, treatment, and
medical providers. Id. Finally, as in the present case, although plaintiff described
Novartis as a “provider of pharmaceuticals,” she did not allege, nor is it reasonable
to infer, that Novartis was a pharmacist or pharmacy that directly provided her
with pharmaceutical drugs, medical care, treatment, counseling, or the like. Id.
Moreover, Respondent’s failure to bring a breach of contract claim is telling.
As in Haywood, Respondent does not allege that he was in a contractual
relationship with B&T; that B&T entered into a business associate agreement with
a provider; or that Respondent had even begun receiving or relying on the benefits
provided by the prescription assistance program. (R. 2-4). As in Haywood, the
relationship between B&T, a pharmaceutical company, and Respondent, a person
seeking assistance with his co-payments, is not close enough to that of pharmacist
and customer to justify imposing a duty on B&T.
2. B&T complied with all applicable state and federal regulations
B&T complied with Missouriana law by providing notification to Respondent
immediately following the breach. (R. 3). To the extent that HIPAA imposes
obligations on B&T, B&T complied by reasonably and appropriately protecting the
privacy of Respondent’s data according to HIPAA implementation specifications.
See generally 45 C.F.R. §§ 164.306, et seq.
a. B&T complied with Missouriana’s data breach law, which only
requires notification.
The Missouriana Data Breach Notification Act (“MDBNA”), which applies to
“[an] individual or a commercial entity that conducts business in Missouriana and
that owns or licenses computerized data that includes personally identifiable
information about a resident of Missouriana,” 410 M.C.S § 22/46-101(a) (2005), only
requires that the entity “conduct in good faith a reasonable and prompt
investigation to determine the source of the breach,” id. § 22/46-103(a), and “give
notice as soon as possible to the affected Missouriana resident,” id. § 22/46-103(b).
B&T complied with Missouriana’s data breach law by notifying Respondent
and similarly situated plaintiffs of the data breach. (R. 3). Missouriana only
requires B&T to act in “good faith,” to engage in a “reasonable and prompt
investigation,” and to “give notice.” 410 M.S.C. § 22/46-103. B&T acted in good faith
by immediately notifying the 426 class members of the breach. (R. 3). B&T initiated
a reasonable and prompt investigation into the data breach which continued after
the notification was given. (Id.). Finally, B&T gave notice as required under
Missouriana’s statute. (Id.). Therefore, Respondent has not identified a plausible
claim for relief under Missouriana law.
b. B&T complied with HIPAA’s privacy rule by adopting “reasonable and
appropriate” standards to safeguard the PHI
The HIPAA Privacy Rule protects PHI held or transmitted by a covered
entity or its business associate, in any form or media. 45 C.F.R. § 160.103. The
HIPAA Security Rule protects a subset of PHI covered by the Privacy Rule that a
covered entity or its business associate creates, receives, maintains or transmits in
electronic form. Id. The Security Rule calls this information “electronic protected
health information” (ePHI). Id.
The Security Rule requires covered entities to maintain reasonable and
appropriate safeguards for protecting ePHI. Specifically, covered entities must:
(1) ensure the confidentiality, integrity, and availability of all ePHI
they create, receive, maintain or transmit; (2) identify and protect
against reasonably anticipated threats to the security or integrity of
the information; (3) protect against reasonably anticipated,
impermissible uses or disclosures; and (4) ensure compliance by their
workforce. 45 C.F.R. § 164.306(a).
The Security Rule also imposes “technical safeguards” on a covered entity. 45
C.F.R. § 164.312. For example, a covered entity must implement technical policies
and procedures that allow only authorized persons to access ePHI. 45 C.F.R. §
164.312(a). A covered entity also must implement technical security measures that
guard against unauthorized access to ePHI that is being transmitted over an
electronic network. § 164.312(e).
Additionally, HIPAA’s regulations require the covered entity or its business
associate to have a “unique user identification,” 45 C.F.R. § 164.312(a)(2)(i), while
“encryption and decryption” is only addressable for a covered entity or its business
associate, 45 C.F.R. § 164.312(a)(2)(iv). Furthermore, when instructing a covered
entity or a business associate to adopt an addressable implementation specification,
the regulations use a discretionary approach, asking a covered entity or business
associate to “assess whether each implementation specification is reasonable and
appropriate in its environment….” 45 C.F.R. § 164.306(d)(3)(i).
B&T substantially complied with HIPAA’s Privacy and Security Rules, as
well as its implementing regulations. B&T ensures the confidentiality, integrity,
and availability of all PHI it received by storing the information electronically in
encrypted form. (R.2); 45 C.F.R. § 164.306(a). This encryption allowed only devices
with a proper decryption key to access data on the server, protecting against
reasonably anticipated, impermissible uses or disclosures. (R. 2); 45 C.F.R. §
164.306(a). B&T further restricted access to the data by requiring users to sign into
the authorized devices with a password. Id. By encrypting the ePHI and ensuring
only those with authorized access and passwords had access to the ePHI, B&T
anticipated threats to the security or integrity of the ePHI. (R. 2). Thus, B&T
utilized two-factor encryption to ensure the confidentiality, integrity, and
availability of all ePHI it received.
Further, by issuing a patch a mere eight hours after the servers were hacked,
B&T took reasonable and appropriate steps to ensure that its workforce complied
with the Security Rule. (R. 2). The mere fact that a hacker accessed B&T’s servers
without the use of a decryption key does not render B&T’s security safeguards
“unreasonable.” (R. 2). B&T employed a reasonable and appropriate standard that
substantially complied with HIPAA to protect the ePHI and to ensure its
confidentiality and integrity. Consequently, even if Respondent could show that
HIPAA informs the standard of care in his Missouriana negligence claim and that
B&T owed Respondent a duty of care, Respondent cannot show that B&T breached
that duty.
CONCLUSION
Petitioner therefore asks that this Court find that Respondent lacks
standing and has failed to state a claim, and that the Court reverse the Thirteenth
Circuit.
Respectfully submitted,
ATTORNEYS FOR PETITIONER