InfoBytes Blog
District Court: Company must face data breach claims
On June 1, the U.S. District Court for the District of Arizona ruled that a health care company must face a proposed class action related to claims that its failure to implement cybersecurity safeguards led to a data breach that compromised individuals’ personal health information. In granting in part and denying in part defendant’s motion to dismiss, the court declined to dismiss several of the plaintiffs’ claims for negligence, ruling that the second amended complaint sufficiently alleged that the defendant employed inadequate data security and that plaintiffs suffered an actual injury as a result of the data breach because the monitoring services offered by the defendant were insufficient and offered for too short of time causing certain plaintiffs to purchase additional identity protection products and/or services. However, other negligence claims were dismissed after the court determined that some of the plaintiffs failed to allege any actual damages or out-of-pocket expenses. Additionally, while the court allowed several state law claims to proceed, it dismissed claims brought under the California Consumer Protection Act due to the plaintiff’s failure to provide the requisite pre-suit notice within the 30-day time period as required by law, finding the failure could not be cured by the passage of time. Other state law claims, involving violations of the Wisconsin Deceptive Trade Practices Act and Pennsylvania Unfair Trade Practices and Consumer Protection Law, were also dismissed due to a failure to articulate cognizable losses.