Team 2704
Docket No. 18-251
In The
Supreme Court of the United States
October Term 2018
BARKER & TODD, INC.,
Petitioner,
v.
ANTHONY HOPE,
Respondent.
On Writ of Certiorari to the
Thirteenth Circuit Court of Appeals
BRIEF FOR RESPONDENT
Attorneys for Respondent
September 20, 2018
QUESTIONS PRESENTED
I. Does the dissemination of an individual’s personal information on
the dark web and the subsequent download of his information
hundreds of times, in addition to the preventative measures he must
now take in order to guard against identity theft, constitute a
concrete, particularized, and actual or imminent injury in fact
sufficient to confer Article III standing?
II. Under Missouriana law, can a person bring state negligence claims
against a pharmaceutical company by establishing a standard of care
based on the requirements of the Health Insurance Portability and
Accountability Act (HIPAA), when the pharmaceutical company
failed to comply with the federal regulation, data was breached, and
neither Missouriana nor federal law precludes HIPAA’s consideration
in establishing a standard of care?
TABLE OF CONTENTS
QUESTIONS PRESENTED ........................................................................................... i
TABLE OF CONTENTS ................................................................................. ii
TABLE OF AUTHORITIES .......................................................................................... v
OPINIONS BELOW ....................................................................................................... 2
CONSTITUTIONAL PROVISIONS .............................................................................. 3
STATUTORY PROVISIONS ......................................................................................... 3
RULES & REGULATIONS ........................................................................................... 3
STATEMENT OF THE CASE ....................................................................................... 3
Factual Background ............................................................................................ 3
Procedural History .............................................................................................. 7
SUMMARY OF THE ARGUMENT ............................................................................... 8
STANDARD OF REVIEW ........................................................................................... 13
ARGUMENT ................................................................................................................ 14
I. Hope and the putative class have Article III standing because they
established that they suffered an injury in fact. ................................................... 14
A. The doctrine of standing is unsuitably invoked in this case
because Hope seeks to enforce a private, not a public, right ........................... 16
B. Hope has established standing because his injury in fact is
concrete, particularized, and actual or imminent ............................................ 20
1. The presence of Hope’s personal information on the dark
web, the fact that the information has been downloaded
hundreds of times, and the preventative measures he will now
have to take to protect his identity are concrete injuries ........................... 21
i. Intangible injuries, such as the dissemination of
personal information on the dark web, can be
concrete injuries in fact .......................................................................... 22
ii. The increased risk of identity theft to which Hope
is exposed is a concrete injury in and of itself. ...................................... 24
iii. The preventative measures Hope will need to take to protect
his identity, whether or not his identity is stolen, constitute a
concrete injury because he will spend money he would not
have had to otherwise. ............................................................................ 26
2. The exposure of Hope’s personal information to the
dark web is a particularized injury because he has
a personal stake in whether his identity is stolen ...................................... 29
3. Even if Hope has yet to experience an actual injury, the
hundreds of downloads of Hope’s information from the
dark web foretells an imminent, not hypothetical, injury ......................... 32
C. The Court should recognize, as lower courts have, the innate
harm that an increased risk of identity theft poses ......................................... 34
II. Hope and the putative class adequately pleaded state negligence
claims because HIPAA may be used as a legislatively
imposed standard for negligence per se and to inform upon
general negligence .................................................................................................. 41
A. Hope’s negligence per se claim may be based on a violation of
standards established in HIPAA because neither HIPAA nor
Missouriana’s statutes preclude it .................................................................... 45
1. The Missouriana negligence per se statute does not, in and
of itself, preclude HIPAA as a basis for a valid cause of action .................... 45
2. Missouriana’s lack of binding case law restricting the scope
of negligence per se illustrates the jurisdiction’s compatibility
with HIPAA ..................................................................................................... 49
B. HIPAA is particularly useful to inform on the reasonableness
of care for the purposes of general negligence because it
outlines a clear and already applicable standard. ........................................... 54
CONCLUSION ............................................................................................................. 59
CERTIFICATE OF SERVICE ..................................................................................... 61
APPENDIX A: Constitutional Provisions ............................................................. Tab A
APPENDIX B: Statutory Provisions ..................................................................... Tab B
APPENDIX C: Regulations .................................................................................... Tab C
APPENDIX D: Rules Provisions ............................................................................ Tab D
TABLE OF AUTHORITIES
Page(s)
Cases
Adams v. Eureka Fire Prot. Dist.,
352 Fed. Appx. 137 (8th Cir. 2009) ......................................................... 43
Allen v. Wright,
468 U.S. 737 (1984) ................................................................................. 21
Arbaugh v. Y&H Corp.,
546 U.S. 500 (2006) ................................................................................ 13
Ashcroft v. Iqbal,
556 U.S. 662 (2009) ................................................................................ 14
Babbitt v. Farm Workers,
442 U.S. 289 (1979) ................................................................................ 32
Beck v. McDonald,
848 F.3d 262 (4th Cir. 2017) ............................................................ 37, 40
Bell Atl. Corp. v. Twombly,
550 U.S. 544 (2007) ................................................................................ 14
Bell v. City of Country Club Hills,
841 F.3d 713 (7th Cir. 2016) .................................................................. 13
Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C.,
102 A.3d 32 (Conn. 2014) ..................................................... 44, 51, 52, 54
Chambers v. St. Mary’s School,
697 N.E.2d 198 (Ohio 1998) ........................................................... passim
Clapper v. Amnesty Int'l USA,
568 U.S. 398 (2013) ........................................................................ passim
Comer v. Murphy Oil USA,
585 F.3d 855 (5th Cir. 2009), reh’g granted,
Comer v. Murphy Oil USA,
607 F.3d 1049 (5th Cir. 2010) .............................................. 14, 16, 18, 19
Conley v. Gibson,
355 U.S. 41 (1957) .................................................................................. 13
Doe v. Bd. of Trs. of Univ. of Ill.,
429 F.3d 930 (N.D. Ill. 2006) ................................................................. 43
Doe v. S. Gyms, LLC,
112 So. 3d 822 (La. 2013) ....................................................................... 23
Eisenhuth v. Moneyhon,
119 N.E.2d 440 (Ohio 1954) ............................................................. 49, 50
Emeson v. Dep't of Corr.,
376 P.3d 430 (Wash. Ct. App. 2016) ...................................................... 23
Fanean v. Rite Aid Corp. of Del., Inc.,
984 A.2d 812 (Del. Super. Ct. 2009) ...................................................... 54
Galaria v. Nationwide Mut. Ins. Co.,
663 F. App'x 384 (6th Cir. 2016) .......................................... 35, 37, 38, 39
Gates v. Black Hills Health Care Sys.,
997 F. Supp. 2d 1024 (D.S.D. 2014) ...................................................... 23
Griswold v. Connecticut,
381 U.S. 479 (1965) ................................................................................ 23
Hanson v. Jones Med. Ctr.,
199 Mis. 2d 321 (2002) ..................................................................... 55, 56
I.S. v. Wash. Univ.,
No. 4:11CV235SNLJ, 2011 WL 2433585
(E.D. Mo. June 14, 2011)................................................................ passim
In re Cmty. Health Sys., Inc.,
No. 15-CV-222-KOB, 2016 WL 4732630
(N.D. Ala. Sept. 12, 2016) ................................................................ 45, 46
In re Horizon Healthcare Servs. Inc. Data Breach Litig.,
846 F.3d 625 (3d Cir. 2017) ....................................................... 35, 36, 38
Ins. Co. of N. Am. v. English,
295 F.2d 854 (5th Cir. 1968) ............................................................ 44, 45
Jensen v. State,
72 P.3d 897 (Idaho 2003) ....................................................................... 23
K.V. & S.V. v. Women’s Healthcare Network, LLC,
No. 07-0228-CV-W-DW, 2007 WL 1655734
(W.D. Mo. June 6, 2007) ......................................................................... 48
Katz v. Pershing, LLC,
672 F.3d 64 (1st Cir. 2012) .............................................................. 37, 40
Katz v. United States,
389 U.S. 347 (1967) ................................................................................ 23
Lujan v. Defs. of Wildlife,
504 U.S. 555 (1992) ........................................................................ passim
McLain v. Real Estate Bd. of New Orleans, Inc.,
444 U.S. 232 (1980) ................................................................................ 13
Merrell Dow Pharms, Inc. v. Thompson,
478 U.S. 804 (1986) .................................................................... 46, 48, 51
Monsanto Co. v. Geertson Seed Farms,
561 U.S. 139 (2010) ........................................................................ passim
Neale v. Volvo Cars of N. Am., LLC,
794 F.3d 353 (3d Cir. 2015) ................................................................... 15
Pavesich v. New England Life Ins. Co.,
50 S.E. 68 (Ga. 1905) ............................................................................. 23
Pisciotta v. Old Nat. Bancorp,
499 F.3d 629 (7th Cir. 2007) ...................................................... 35, 37, 38
Remijas v. Neiman Marcus Grp., LLC,
794 F.3d 688 (7th Cir. 2015) ................................................ 36, 37, 39, 40
Resha v. Tucker,
670 So. 2d 56 (Fla. 1996) ........................................................................ 23
S.C. Med. Ass'n v. Thompson,
327 F.3d 346 (4th Cir. 2003) .................................................................. 55
Sheldon v. Kettering Health Network,
40 N.E.3d 661 (Ohio Ct. App. 2015) .................................... 45, 49, 52, 54
Sierra Club v. Morton,
405 U.S. 727 (1972) ................................................................................. 29
Smith v. Triad of Ala., LLC,
No. 1:14–CV–324–WKW, 2015 WL 5793318
(M.D. Ala. Sept. 29, 2015) ................................................................ 47, 48
Spokeo, Inc. v. Robins,
136 S. Ct. 1540 (2016), as revised (May 24, 2016) ........................ passim
Susan B. Anthony List v. Driehaus,
134 S. Ct. 2334 (2014) ...................................................................... 18, 19
Tabata v. Charleston Area Med. Ctr., Inc.,
759 S.E.2d 459 (W. Va. 2014) ................................................................ 23
Warth v. Seldin,
422 U.S. 490 (1975) ........................................................................ passim
Webb v. Smart Document Sols., LLC,
499 F.3d 1078 (9th Cir. 2007) .......................................................... 41, 55
Weinberg v. Advanced Data Processing, Inc.,
147 F.Supp.3d 1359 (S.D. Fla. 2015) ............................................... 50, 52
Whitmore v. Arkansas,
495 U.S. 149 (1990) .......................................................................... 21, 32
Yath v. Fairview Clinics, N.P.,
767 N.W.2d 34 (Minn. App. 2009) ......................................................... 53
Constitutional Provisions
U.S. Const. art. III, § 2, cl. 1 ............................................................................ 14
Statutes
42 U.S.C. § 1320a-7c ........................................................................................ 42
42 U.S.C. § 1320d-2(d) ..................................................................................... 43
42 U.S.C. § 1320d-5(d) ..................................................................................... 43
302 M.C.S. § 3/22-104 ................................................................................ 44, 47
410 M.C.S. § 22/46-101(a) ............................................................................... 56
Rules
Fed. R. Civ. P. 12(b)(6) ................................................................................. 7, 13
Fed. R. Civ. P. 12(b)(1) ................................................................................. 7, 13
Regulations
45 C.F.R. § 164.103 .................................................................................... 41, 42
45 C.F.R. § 164.306 ............................................................ 41, 42, 55, 57, 58, 59
45 C.F.R. § 164.312. ............................................................................. 42, 56, 59
45 C.F.R. § 164.314 .................................................................................... 42, 59
Other Authorities
Abram Chayes, The Role of the Judge in Public Law Litigation,
89 HARV. L. REV. 1281 (1976)........................................................... 17, 20
Ann Woolhandler & Caleb Nelson, Does History Defeat
Standing Doctrine?, 102 MICH. L. REV. 689 (2004) .................... 16, 17, 20
Charles A. Wright & Mary Kay Kane,
Law of Federal Courts 69 (6th ed. 2002) ............................................... 18
DICTIONARY.COM, https://www.dictionary.com/browse/dark-web. ................... 5
Erin Fuchs, Identity Theft Now Costs Far More Than
All Other Property Crimes Combined, BUSINESS INSIDER,
https://www.businessinsider.com/bureau-of-justice-statistics-identity-theft-report-2013-12. ............ 25, 26
New Oxford American Dictionary (2d ed. 2005) ............................................... 5
Restatement (Second) of Torts § 652A (Am. Law Inst. 1977) ........................ 24
Restatement (Third) of Torts: Phys. & Emot.
Harm § 14 (Am. Law Inst. 2010) ............................................... 46, 47, 48
Restatement (Third) of Torts: Phys. & Emot.
Harm § 7 (Am. Law Inst. 2010) ....................................................... 43, 55
Samuel D. Warren & Louis D. Brandeis, The Right to Privacy,
4 HARV. L. REV. 193 (1890) ............................................................... 22, 23
See Credit Freeze FAQs, FEDERAL TRADE COMMISSION CONSUMER
INFORMATION, https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs#what. .................... 28
TO THE SUPREME COURT OF THE UNITED STATES:
Respondent, Anthony Hope, appellant in Docket No. 17-1450 before the
United States Court of Appeals for the Thirteenth Circuit, respectfully submits
this brief on the merits, and asks this Court to affirm the Thirteenth Circuit
Court of Appeals.
OPINIONS BELOW
The decision and order of the United States District Court for the
District of Missouriana is unreported and set out in the record. (R. at 1–14.)
The opinion and order for the Thirteenth Circuit Court of Appeals is also
unreported and set out in the record. (R. at 15–24.)
CONSTITUTIONAL PROVISIONS
Article III of the United States Constitution is relevant to this case
and is reprinted in Appendix A.
STATUTORY PROVISIONS
The following statutes are relevant to this case: 42 U.S.C. § 1320a-7(c);
42 U.S.C. § 1320d-2(d); 42 U.S.C. § 1320d-5(d); 302 M.C.S. § 3/22-104;
410 M.C.S. § 22/46-101(a). These statutes are reprinted in Appendix B.
RULES AND REGULATIONS
The following provisions of the Code of Federal Regulations are
relevant to this case: 45 C.F.R. § 164.103; 45 C.F.R. § 164.306; 45 C.F.R.
§ 164.312; 45 C.F.R. § 164.314. These provisions are reprinted in Appendix
C. The following provisions of the Federal Rules of Civil Procedure are
relevant to this case: Fed. R. Civ. P. 12(b)(1); Fed. R. Civ. P. 12(b)(6). These
provisions are reprinted in Appendix D.
STATEMENT OF THE CASE
Factual Background
The sensitive data. Petitioner Barker & Todd, Inc. (B&T) is a
Missouriana pharmaceutical company that manufactures several
prescription drugs. (R. at 1–2.) Medical insurance only partially covers
some of the medications that B&T manufactures. (R. at 2.) In order to make
its drugs available to more people despite their prohibitive cost, B&T offers
a prescription assistance plan for participants whose income level and lack
of medical coverage make them candidates for extra help. (R. at 2.) Anthony
Hope of South Illinois is one such candidate. (R. at 3.)
Respondent Anthony Hope’s nightmare began when he filled out an
application to enroll in B&T’s program. (See R. at 2–3.) The application
asked for Hope’s medical history and insurance information, as well as his
date of birth and social security number. (R. at 2.) To enroll in the
assistance program, Hope entrusted his personal identifying information to
B&T. (See R. at 3.) Hope’s trust turned out to be misplaced. (See R. at 3.)
The data breach. B&T stores personal customer data
electronically. (R. at 2.) Normally, the information is encrypted, such that it
is only accessible via devices with a proper decryption key and a password.
(R. at 2.) B&T failed in its responsibility of good stewardship of customer
data on October 26, 2015. (See R. at 2.) On that day, B&T began a process
of transferring its data from local servers to cloud-based servers. (R. at 2.)
The vendor who operated the cloud-based servers had discovered a
vulnerability in the servers, called a “zero-day” exploit,1 which allowed
unauthorized users to access the servers without a decryption key. (R. at 2–
3.) The vendor issued a patch to remedy the security vulnerability through
an update shortly after B&T purchased the cloud-based servers, but before
B&T began the data transfer. (See R. at 3.)
B&T could have protected its customers if it had installed the
security patch before transferring customer data to the cloud-based servers.
(See R. at 2–3.) Instead, the B&T employee in charge of the data transfer
failed to check for server updates before beginning the transfer. (R. at 2.)
While the IT department eventually installed the patch, the unpatched
servers left transferred B&T customer data vulnerable to unauthorized
users for eight long hours. (R. at 3.) Hope’s personal information was
among the data left exposed by B&T. (R. at 3.)
1 “Zero-day” exploits are gaps in a server’s security which hackers discover
and take advantage of before developers notice the problem. (R. at 2.) After
discovery of the problem, developers will issue a “patch” to shore up the
server’s security. (R. at 2.)
The theft. In compliance with HIPAA regulations and Missouriana’s
Data Breach Notification Act, on November 8, 2015 B&T notified affected
individuals that their electronic protected health information (ePHI) had
potentially been compromised. (R. at 3.) In an attempt to remedy its
mismanagement of its customers’ private information, B&T offered to pay
to monitor affected customers’ credit for one year. (R. at 3.) This
proposition, of course, was meant to address the looming threat of identity
theft2 faced by affected B&T customers due to the breach. (R. at 3.)
Anthony Hope signed up for B&T’s credit monitoring service
immediately upon being notified that his date of birth and social security
number could have been accessed. (R. at 3.) On November 30, 2015, Hope
received chilling news. (See R. at 3.) The credit monitoring service informed
Hope that his personal information, including his date of birth and his
social security number, had been uploaded onto the dark web.3 (R. at 3.)
Even worse, the credit monitoring company told Hope that his personal
identifying information was on a “darknet market” website. (R. at 3.) A
download counter on the darknet website indicated that Hope’s birth date
and social security number had been downloaded hundreds of times. (R. at
3.)
2 Identity theft is “the fraudulent acquisition and use of a person’s private
identifying information, usually for financial gain.” Identity theft, New
Oxford American Dictionary (2d ed. 2005).
3 The dark web is “the portion of the Internet that is intentionally hidden
from search engines, uses masked IP addresses, and is accessible only with
a special web browser.” Dark web, DICTIONARY.COM,
https://www.dictionary.com/browse/dark-web.
The aftermath. While Hope has yet to have his identity
appropriated, he lives in a state of fear and anxiety waiting for the day his
identity will be stolen. (R. at 4.) He especially fears B&T’s actions will go
beyond just harming him personally, and will also harm his fiancée, to
whom Hope will soon be married. (See R. at 4.) The newlyweds will combine
their finances, so the impending threat of credit fraud from Hope’s exposed
information is an ever-present concern. (See R. at 4.) In addition to
enrolling in the credit monitoring service, Hope had to put a freeze on his
credit. (R. at 4.) While this requires that Hope be notified if someone tries
to open a new account with his information, it will also require Hope to go
through several steps to lift the credit freeze if he wants to obtain a new
line of credit himself. (R. at 4.)
Hope brought the instant class action suit against B&T on February
15, 2016, suing for himself and those similarly situated whose ePHI was
also found on the dark web. (R. at 4.) Hope alleged that B&T handled his
and the class members’ information negligently, entitling them to damages.
(R. at 4.) Hope proceeded on two bases of negligence: negligence per se and
general negligence. (R. at 4.) Both theories of negligence are rooted in
B&T’s violation of HIPAA. (R. at 4.)
Procedural History
District of Missouriana. Anthony Hope brought this class action
suit against B&T for negligence in the District of Missouriana, based on
diversity jurisdiction. (R. at 4.) In the trial court proceedings, B&T moved
for dismissal of Hope’s claims for lack of standing and for failure to state a
claim on which relief could be granted, pursuant to Federal Rules of Civil
Procedure 12(b)(1) and 12(b)(6), respectively. (R. at 4.) B&T claimed that
Hope had not suffered an injury in fact, so did not have Article III standing
for the lawsuit. (R. at 4.) B&T also alleged that a negligence claim could not
be based on HIPAA in Missouriana. (R. at 4.) The trial court agreed with
B&T and dismissed Hope’s complaint for lack of standing and failure to
state a claim on which relief could be granted. (R. at 4–5.)
Thirteenth Circuit. Hope appealed the district court’s dismissal of
his claims to the Court of Appeals for the Thirteenth Circuit. (R. at 17.) The
Thirteenth Circuit concluded the lower court erred in finding a lack of
standing in light of this Court’s ruling in Spokeo. (R. at 19–21.) Specifically,
the Appeals Court found that Hope suffered an injury which was concrete
and particularized enough to confer Article III standing. (R. at 21.) Further,
the court determined that HIPAA could be used as a standard to assess
negligence. (R. at 24.) Accordingly, Hope had properly pleaded a negligence
claim. (R. at 24.) The Thirteenth Circuit Court of Appeals reversed the
dismissal of Hope’s claims and remanded the case to the district court. (R.
at 24.)
SUMMARY OF THE ARGUMENT
Standing. To sue in federal court, the Constitution requires a
plaintiff to establish standing. Standing is the metric by which the
judiciary determines whether a particular dispute is the sort of “Case” or
“Controversy” meant for resolution in its courts. One element of standing is
the injury-in-fact requirement, which requires a plaintiff to show that he or
she suffered a concrete, particularized, and actual or imminent invasion of
a legally protected interest. Hope and the putative class have suffered an
injury in fact sufficient to confer Article III standing because the exposure
of their personal information to the dark web is a concrete, particularized,
and actual injury.
Standing has traditionally only been a consideration when a plaintiff
brings a public law claim, because the judiciary seeks to avoid venturing
outside the confines of Article III into areas more suitable for resolution by
the legislative or executive branches. While all federal claims must satisfy
the elements of standing in order to be justiciable, standing for private law
claims where the plaintiff has clearly been personally touched by the
adverse action is generally self-evident. Hope and the putative class all
individually suffered invasions of their discrete private rights. This is not
the sort of dispute which should be resolved in the legislative or executive
branches. It is exactly the type of controversy meant for resolution in the
courts. The fact that the plaintiffs have come forward claiming
individualized harm establishes a de facto injury. Beyond that, the case
should be allowed to proceed to a decision on the merits.
Further, exposure of one’s personal identifying information, creating
an increased risk of identity theft, meets the elements of the injury-in-fact
requirement. In Spokeo, this Court held that intangible harms can rise to
the level of concreteness necessary for standing. Theft of one’s personal
identifying information is the sort of intangible harm that is concrete. This
Court has found that both an increased risk of harm and preventative
measures that one would not have to take but for the actions of another can
constitute concrete injuries. Accordingly, because Hope has an increased
risk of identity theft and had to take preventative measures to stop the
misappropriation of his identity, he suffered concrete injuries.
For particularity, this Court has said a plaintiff must be injured in a
personal, individualized way. The particularized nature of Hope’s injury is
elemental. There is nothing more particular to an individual than his or her
identity. The essence of a social security number is its particularity to a
single person. Hope’s social security number is now in the hands of internet
thieves. Though a class of people has been harmed here, the injuries
themselves are individualized, not collective. Therefore, Hope suffered an
individualized injury.
Further, Hope’s injury is de facto. It exists. Thieves have downloaded
Hope’s personal information hundreds of times. That itself is an actual
injury. Even so, this Court has held that in the absence of an actual injury,
an imminent future harm can be an injury where it is certainly impending.
If the nefarious download of Hope’s information is not an actual injury,
then the theft of his identity is at least an imminent injury. Of the
hundreds of thieves who have downloaded his information, it is certainly
impending that at least one of them will successfully steal Hope’s identity.
Lower courts can offer guidance on this situation. The Third, Sixth,
Seventh, and Ninth Circuits have recognized an injury in fact when a
plaintiff has had their personal identifying information accessed by an
unauthorized user due to the negligence of a party entrusted to protect that
information. Hope respectfully urges this Court to consider the well-
reasoned holdings of the lower courts in recognizing that the explicit
exposure of one’s personal information to the waiting arms of identity
thieves is an innate harm deserving of redress.
HIPAA as a basis for a negligence claim. The Health Insurance
Portability and Accountability Act (HIPAA) ensures and promotes the
safety of consumers’ electronic protected health information (ePHI) that is
in the hands of certain covered entities, including pharmaceutical
companies. At root, HIPAA was designed to stop fraud. The Department of
Health and Human Services and state attorneys general can enforce
HIPAA. However, HIPAA does not create a private right of action.
Negligence is a state tort claim, the requirements of which differ
from state to state. Generally, to prevail in a negligence claim a plaintiff
must prove that the defendant had a duty to exercise reasonable care, the
defendant breached the duty, the breach caused an injury to the plaintiff,
and the plaintiff suffered actual harm. Negligence per se is a derivative of a
negligence claim in which the plaintiff’s burden of proving a breach is
reduced because the duty is based on a codified law. If the defendant
violates the regulation or statute which sets the duty, the plaintiff can
prove a de facto breach. Federal statutes and regulations can be used as
standards for state negligence per se claims.
Some jurisdictions have allowed HIPAA standards to be imposed as a
duty for a negligence per se claim. While other jurisdictions have not
allowed the use of HIPAA as a standard for negligence per se claims, those
states generally disallow HIPAA’s use because their own laws preclude it.
Neither Missouriana’s statutes nor case law preclude the use of HIPAA to
establish a duty in a negligence per se claim. Because this situation is
analogous to the states that permit HIPAA to form a standard for
negligence per se, this Court should recognize that Missouriana’s legal
atmosphere permits the use of HIPAA in a negligence per se claim.
Many states, even those that do not permit the use of HIPAA in a
negligence per se claim, are amenable to using HIPAA standards to inform
upon the standard of care in a general negligence claim. HIPAA establishes
that healthcare providers must take special care to protect customer
information. Additionally, Missouriana recognizes that individuals have a
general right of privacy in their medical records and that a violation of that
privacy through a security breach requires customers to be subsequently
notified. Because Missouriana recognizes the need for secured information,
it is reasonable to apply HIPAA as a standard to inform upon the duty of
care in a data breach case.
STANDARD OF REVIEW
The Court has wide latitude in this case and is not bound to the
reasoning of the lower courts in deciding either the 12(b)(1) or 12(b)(6)
motions.
The Court can forge a new path through a novel standing issue
because this Court reviews the dismissal of a claim pursuant to Federal
Rule of Civil Procedure 12(b)(1) de novo. See Arbaugh v. Y&H Corp., 546
U.S. 500, 514 (2006). This freedom to view standing through fresh eyes
comes from the principle that every court has the independent
responsibility to consider subject matter jurisdiction. See id.
A ruling on a Federal Rule of Civil Procedure 12(b)(6) motion is also
reviewed de novo, accepting all well-pleaded facts as true in the light most
favorable to the non-moving party. Bell v. City of Country Club Hills, 841
F.3d 713, 716 (7th Cir. 2016). “It is axiomatic that a complaint should not
be dismissed unless ‘it appears beyond doubt that the plaintiff can prove no
set of facts in support of his claim which would entitle him to
relief.’” McLain v. Real Estate Bd. of New Orleans, Inc., 444 U.S. 232, 246
(1980) (quoting Conley v. Gibson, 355 U.S. 41, 45–46 (1957)). More
specifically, “[t]o survive a motion to dismiss, a complaint must contain
sufficient factual matter, accepted as true, to ‘state a claim to relief that is
plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting
Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)).
ARGUMENT
I. Hope and the putative class have Article III standing because they
established that they suffered an injury in fact.
Article III of the Constitution of the United States gives the judiciary
the power to arbitrate “Cases” and “Controversies.” U.S. Const. art. III, § 2,
cl. 1. The doctrine of standing serves to sift out which cases and
controversies are disputes of the type meant for resolution in our Nation’s
judicial system, as opposed to those more appropriately contemplated by
the executive or the legislative branches. Lujan v. Defs. of Wildlife, 504 U.S.
555, 559–60 (1992). While the law of standing has mostly developed around
public law claims, private, common-law claims can also confer standing
(and usually do so without triggering standing concerns). Comer v. Murphy
Oil USA, 585 F.3d 855, 863 n. 3 (5th Cir. 2009), reh’g granted, Comer v.
Murphy Oil USA, 607 F.3d 1049, 1066 (5th Cir. 2010).
To have standing in federal court, a dispute must meet three criteria:
1) the plaintiff must have suffered an “injury in fact;” 2) there must exist a
causal connection between the conduct at issue and the alleged injury; and,
3) “it must be ‘likely,’ as opposed to merely ‘speculative,’ that the injury will
be ‘redressed by a favorable decision.’” Lujan, 504 U.S. at 560–61 (citations
omitted). The party seeking federal jurisdiction has the burden of
establishing each element of standing. Id. at 561. In a class action suit, at
least one named plaintiff must establish standing. Neale v. Volvo Cars of N.
Am., LLC, 794 F.3d 353, 359 (3d Cir. 2015). Here, it is undisputed that
Hope meets the second and third elements of standing. Only the injury-in-
fact requirement remains at issue. That element is also met.
Standing is best considered in light of the historical context in which
it arose. “The law of Article III standing, which is built on separation-of-
powers principles, serves to prevent the judicial process from being used to
usurp the powers of the political branches.” Clapper v. Amnesty Int'l USA,
568 U.S. 398, 408 (2013) (citations omitted). Historic common law provides
the basis for the doctrine of standing. Spokeo, Inc. v. Robins, 136 S. Ct.
1540, 1549 (2016), as revised (May 24, 2016). Historically, courts presumed
a plaintiff suing for a violation of a private right (belonging to an
individual) had “suffered a de facto injury merely from having his personal,
legal rights invaded.” Id. at 1551 (Thomas, J., concurring) (discussing,
thoroughly, the history of standing). Whether a plaintiff had standing to
sue based on a sufficient injury in fact has often only been an issue when
an individual has sued to enforce a public right (a right belonging to the
community as a whole). Id. at 1551–52. The enforcement of a public right
raises red flags with the courts for separation-of-powers purposes, while the
enforcement of private rights does not invoke standing in the same
politically-conscious way. Id.
A. The doctrine of standing is unsuitably invoked in this case
because Hope seeks to enforce a private, not a public,
right.
While standing is a hurdle which every federal lawsuit must clear,
standing concerns are rarely triggered in private-right cases. See Lujan,
504 U.S. at 560 (describing standing as an “irreducible constitutional
minimum”); see also Comer, 585 F.3d at 863 n. 3 (noting that standing is
normally only at issue in public law claims). When the plaintiff is
personally “an object of the action . . . at issue,” there is generally little
question that he suffered an injury. Lujan, 504 U.S. at 561 (speaking
tellingly, there, in the context of regulatory actions of the government).
The distinction between private and public rights, and the different
ways in which these respective types of rights could be adjudicated through
the courts, has roots in early American common law. See Ann Woolhandler
& Caleb Nelson, Does History Defeat Standing Doctrine?, 102 MICH. L. REV.
689, 691–93 (2004) (observing that, historically, private litigation
concerning private rights has not raised standing issues). One scholar
observed that “[t]he standing issue could hardly arise at common law or
under early code pleading rules . . . under the traditional model” because
“the question of plaintiff's standing merged with the legal merits.” Abram
Chayes, The Role of the Judge in Public Law Litigation, 89 HARV. L. REV.
1281, 1290 (1976). The question for private-right action historically was:
“[o]n the facts pleaded, does this particular plaintiff have a right to the
particular relief sought from the particular defendant from whom he is
seeking it?” Id. Historically, “[w]ithin the area of private control . . . courts
paid close attention to whether the correct private parties were before
them.” Ann Woolhandler & Caleb Nelson, Does History Defeat Standing
Doctrine?, 102 MICH. L. REV. 689, 691 (2004).
Most standing issues arise in public law claims dealing with
government action or inaction. For instance, the seminal case Lujan v.
Defenders of Wildlife deals with the government’s decision not to extend
protective regulations promulgated in the Endangered Species Act to
actions taken in foreign nations. Lujan, 504 U.S. at 558–59. Another
widely-known example is Warth v. Seldin, in which residents of the Rochester,
New York area challenged the zoning ordinance of the neighboring Town of
Penfield. Warth v. Seldin, 422 U.S. 490, 493, 499
(1975) (handing down the adage that private parties cannot sue over a
public right based on a “generalized grievance”). Most other standing cases
also deal with actions of the government affecting the public at large (or at
least a section of the public). See, e.g., Monsanto Co. v. Geertson Seed
Farms, 561 U.S. 139, 144 (2010) (concerning a decision by a government
agency to deregulate a strain of genetically engineered alfalfa); see also
Clapper, 568 U.S. at 401 (dealing with a federal statute allowing
international surveillance); see also Susan B. Anthony List v. Driehaus, 134
S. Ct. 2334, 2338 (2014) (concerning an Ohio statute regulating political
campaign speech). These are the sorts of cases, dealing with
implementation of broad government initiatives and policies, that the
doctrine of standing contemplates may be better suited for determination
by the political branches than by the judiciary. See Lujan, 504 U.S. at 559–
60.
While “[t]he law of standing is almost exclusively concerned with
public-law questions involving determinations of constitutionality and
review of administrative or other governmental action” one scholar notes
that, “[i]n theory, of course, it is not so limited.” Comer, 585 F.3d at 864
(quoting Charles A. Wright & Mary Kay Kane, Law of Federal Courts 69
(6th ed. 2002)). “The person suing for . . . a tort must be found to be the real
party in interest, but in practice those suits are brought only by a person
harmed by the supposed wrong, and standing to sue is self-evident.” Id.
Standing is a nonissue in this case. Hope, and the rest of the
putative class, suffered injuries to their discrete private rights. The
mishandling of Hope’s information is a de facto injury, and he should
accordingly be afforded a presumption of meeting the injury-in-fact
requirement. See Spokeo, 136 S. Ct. at 1551 (Thomas, J., concurring). The
security of Hope’s personal information in the hands of a private company
is not an issue which should be resolved by one of the other branches of
government. The Court would not usurp the ballot box by deciding this
issue. Hope’s dilemma is precisely the sort of controversy meant for
resolution in our judicial system.
Unlike Lujan, Warth, Monsanto, Clapper, and Susan B. Anthony,
this is not a case in which a party seeks to enforce a public right. Hope
seeks to enforce a private right. There exists no more private of a right than
the right to be the sole owner of one’s identity. Hope seeks to enforce his
private right against B&T to be free from the unauthorized spreading of his
personal identifying information on the dark web. Though B&T’s actions
affected a large group of people, each affected individual seeks to enforce a
discrete private right to be secure in his or her identity. B&T may argue
that this is a case of individuals attempting to enforce a public right not to
have their private information mishandled by businesses. While it is true
that each individual member of the public will benefit by better business
stewardship of their information, the harm is individualized, not collective.
As a case seeking to enforce a private right, standing here should
look no further than whether the proper parties are before the court. See
Ann Woolhandler & Caleb Nelson, Does History Defeat Standing Doctrine?,
102 MICH. L. REV. 689, 691 (2004). Beyond that, the question of Hope’s
standing should merge with the merits of the case. See Abram Chayes, The
Role of the Judge in Public Law Litigation, 89 HARV. L. REV. 1281, 1290
(1976). Here, the proper parties are before the court: Hope was harmed by
the action of B&T. As an object of B&T’s action, there is little question of
Hope’s standing to sue. See Lujan, 504 U.S. at 561.
Accordingly, the Court should recognize that Hope’s attempt to
redress a private wrong does not invoke standing concerns because he
suffered a de facto injury, he was an object of the harm, and he is a proper
party to the action. Hope has standing.
B. Hope has established standing because his injury in fact is
concrete, particularized, and actual or imminent.
Notwithstanding the fact that a private-right injury such as this one
should not trigger standing concerns at all, Hope’s injury satisfies the
injury-in-fact elements. To meet the injury-in-fact threshold, a plaintiff
must establish an “invasion of a legally protected interest which is . . .
concrete and particularized” and “actual or imminent, not ‘conjectural’ or
‘hypothetical.’” Lujan, 504 U.S. at 560 (citing Allen v. Wright, 468 U.S. 737,
751 (1984); quoting Whitmore v. Arkansas, 495 U.S. 149, 155 (1990)). The
concreteness of an injury is considered separately from its particularity.
Spokeo, 136 S. Ct. at 1545. In analyzing whether Hope suffered an
adequate injury in fact, the appeals court below mostly focused on the
concreteness of the injury. (See R. at 20–21.) While the concreteness of his
injury may be the tallest hurdle that Hope overcomes, his injury is also
sufficiently particular and imminent to confer standing.
1. The presence of Hope’s personal information on the dark web, the
fact that the information has been downloaded hundreds of times,
and the preventative measures he will now have to take to protect
his identity are concrete injuries.
This Court has emphasized that the “injury . . . must be concrete in
both a qualitative and temporal sense.” Whitmore, 495 U.S. at 155. In order
for an injury to be sufficiently concrete, it must be “‘de facto’; that is, it
must actually exist.” Spokeo, 136 S. Ct. at 1548.
i. Intangible injuries, such as the dissemination of
personal information on the dark web, can be
concrete injuries in fact.
This Court has recognized that an intangible injury can rise to the
level of concreteness necessary to establish an injury in fact. See Spokeo,
136 S. Ct. at 1549. In Spokeo, Inc. v. Robins, a man sued a credit reporting
company for misreporting his personal information in violation of a federal
statute. Id. at 1545–46. While the Court would not rule on the
concreteness of this particular plaintiff’s injury because the lower court did
not consider concreteness, this Court used the moment to emphasize that
such an intangible injury could, if properly pleaded, still be concrete. Id. at
1549–50.
The Spokeo Court further gave guidance on how to determine which
intangible harms are concrete. See id. The Court explained that “it is
instructive to consider whether an alleged intangible harm has a close
relationship to a harm that has traditionally been regarded as providing a
basis for a lawsuit in English or American courts.” Id. at 1549.
The right to privacy has long been in the ambit of English and
American courts. See, e.g., Samuel D. Warren & Louis D. Brandeis, The
Right to Privacy, 4 HARV. L. REV. 193 (1890). In fact, English courts
recognized an independent right to privacy, not rooted in theories of
property rights, as early as 1820. Id. at 205. The right to privacy—or, the
“right of the individual to be let alone”—“is like the right not to be
assaulted or beaten, the right not to be imprisoned, the right not to be
maliciously prosecuted, [or] the right not to be defamed.” Id. Already in
1890, Warren and Brandeis discerned that courts had long been protecting the
right to privacy—“rights as against the world”—whether or not courts had
recognized so doing. Id. at 213.
In 1965, this Court recognized a right to privacy as against the
government in the penumbras of many of the rights guaranteed in the Bill
of Rights. See Griswold v. Connecticut, 381 U.S. 479, 484 (1965). Still, the
right to privacy as against other individuals is left mostly to the laws of
each state. Katz v. United States, 389 U.S. 347, 350–51 (1967). The first
state to recognize an enforceable right to privacy was Georgia in 1905. See
generally Pavesich v. New England Life Ins. Co., 50 S.E. 68, 71 (Ga. 1905).
Many states have since recognized the tort of invasion of privacy as a basis
for a lawsuit. See, e.g., Gates v. Black Hills Health Care Sys., 997 F. Supp.
2d 1024, 1031 (D.S.D. 2014); Resha v. Tucker, 670 So. 2d 56, 59 (Fla. 1996);
Jensen v. State, 72 P.3d 897, 902 (Utah 2003); Doe v. S. Gyms, LLC, 112 So. 3d
822, 833 (La. 2013); Emeson v. Dep't of Corr., 376 P.3d 430, 441 (Wash. Ct.
App. 2016); Tabata v. Charleston Area Med. Ctr., Inc., 759 S.E.2d 459, 464
(W. Va. 2014). In fact, “the existence of a right of privacy is now recognized
in the great majority of the American jurisdictions that have considered the
question.” Restatement (Second) of Torts § 652A (Am. Law Inst. 1977). All
told, privacy is a legally protected interest in American courts.
The intangible harm caused by the exposure of Hope’s personal
information to the dark web is of the concrete sort that has traditionally
provided a basis for a lawsuit in English and American Courts. Though
Hope seeks redress through negligence claims, the harm done to him and
the class by B&T is parallel to the recognized intangible harm of invasion of
privacy. B&T has compromised the privacy of each class member by
exposing their most private information to the dark web. This harm is a
cousin to those intangible harms which traditionally provided a basis for a
lawsuit in our common law. The harm done to Hope and the putative class
by B&T is the intangible sort that the Spokeo Court proclaimed is still
concrete. Hope and the putative class have been harmed concretely enough
to confer standing.
ii. The increased risk of identity theft to which Hope is
exposed is a concrete injury in and of itself.
The risk of real harm can satisfy the element of concreteness.
Spokeo, 136 S. Ct. at 1549. For example, in Monsanto Co. v. Geertson Seed
Farms, this Court held that a “substantial risk” of future harm was itself
an injury. Monsanto, 561 U.S. at 153–54. There, conventional alfalfa
farmers sued because the Animal and Plant Health Inspection Service
deregulated a species of genetically modified alfalfa that had the potential
to intermingle with conventional alfalfa. Id. at 154–55. This Court reasoned
that the risk of harm of contamination, even if the harm never came to
fruition, was concrete enough to meet the injury-in-fact element of
standing. Id. at 146.
The Spokeo Court emphasized the need for concrete injuries to
“actually exist.” Spokeo, 136 S. Ct. at 1548. To be concrete, an injury—even
one that simply increases a risk—must be “‘real,’ and not ‘abstract.’” Id. A
person whose information is revealed through an online data breach
becomes nine and a half times more likely to have their identity stolen.
Erin Fuchs, Identity Theft Now Costs Far More Than All Other Property
Crimes Combined, BUSINESS INSIDER,
https://www.businessinsider.com/bureau-of-justice-statistics-identity-theft-report-2013-12.
Here, the increased risk of identity theft to which Hope has been
subjected is a concrete injury. As in Monsanto, Hope has suffered a risk
increase that harms him enough itself to satisfy the injury-in-fact
requirement. Like the situation in Monsanto, Hope will never know which
day he will wake up and find his identity stolen, his credit ruined, and his
life in a state which will be hard to repair. In line with the Spokeo Court’s
guidance, Hope’s injury is real. There is nothing abstract about becoming
nine and a half times more likely to be a victim of identity theft. The
increased risk that B&T has imposed on Hope and the rest of the putative
class is a concrete injury. B&T may try to argue that Hope and the putative
class have not suffered an injury that “actually exist[s].” See Spokeo, 136 S.
Ct. at 1548. However, Hope and the putative class will see a de facto rise in
their identity theft risk. The injury does exist—statistics say so. See Fuchs,
Identity Theft Now Costs Far More Than All Other Property Crimes
Combined. Accordingly, Hope’s injury is concrete.
iii. The preventative measures Hope will need to take to
protect his identity, whether or not his identity is
stolen, constitute a concrete injury because he will
spend money he would not have had to otherwise.
Preventative measures that one would not have had to take but for
the action of another, regardless of whether the harm ever comes to
fruition, can be concrete injuries. See Monsanto, 561 U.S. at 154. For
example, in Monsanto, the government deregulated a genetically modified
alfalfa seed for growth on alfalfa farms in close proximity to conventional
alfalfa farms. Id. at 144, 153. The heightened risk of gene flow between the
conventional alfalfa seeds and the genetically modified seeds caused
conventional seed farmers to have to take preventative measures to protect
their crops. Id. at 154. Conventional alfalfa farmers who marketed their
crops to consumers who wished to purchase non-genetically-modified alfalfa
were forced to test their crops for contamination by the genetically modified
seeds. Id. Further, the conventional farmers had to attempt to minimize
the likelihood of contamination by taking certain measures to ensure non-
contaminated seed breeding occurred and that they had backup, non-
domestic supplies of alfalfa seed (grown in countries that had not
deregulated the genetically modified alfalfa) in case of
contamination. Id. at 154–55. This Court determined that “[s]uch harms,
which respondents will suffer even if their crops are not actually infected
with the [genetically modified] gene, are sufficiently concrete to satisfy the
injury-in-fact prong of the constitutional standing analysis.” Id. at 155.
Here, Hope and the other class members have had to undertake
credit monitoring activities due to the mishandling of their information by
B&T, which they would not have had to do otherwise. This situation is
exactly like Monsanto because whether or not Hope’s identity actually gets
stolen, the preventative measures that he must now undertake are
injurious in themselves. B&T has only offered credit monitoring services to
those affected by its carelessness for one year, which hardly seems like a
long enough time given that Hope’s information has been downloaded by
potential criminals on the dark web hundreds of times. The risk that
someone could steal his identity at any moment will not dissolve after one
year; the risk will likely continue for many years to come. This means that
Hope and the others will need to purchase their own credit monitoring
services as soon as B&T’s one year of monitoring is up.
Additionally, Hope would not have had to put a freeze on his credit
but for the actions of B&T. Now, Hope will need to jump through hoops to
lift the freeze so that he can open a new line of credit, apply for a job, rent
an apartment, or buy insurance. See Credit Freeze FAQs, FEDERAL TRADE
COMMISSION CONSUMER INFORMATION,
https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs#what. It also
generally costs money to temporarily lift a freeze each time a potential new
creditor would need to see Hope’s credit report. See id. All in all, having to
impose a credit freeze which he will frequently have to have lifted costs
Hope not only in money, but also in time and effort.
B&T will likely try to argue that Hope himself is not bearing the
costs of these preventative measures because B&T is paying for credit
monitoring for a year. However, B&T has shown no indication that it will
pay for any more than a year’s worth of credit monitoring, and all
indications point to the injured parties having to pick up the slack and pay
for credit monitoring after the first year elapses. (See R. at 7.) The costs of
credit monitoring services beyond one year and of imposing and lifting a
credit freeze are of the same preventative sort that the farmers in
Monsanto had to undertake in paying to have their crops tested. This Court
thought the preventative measures in Monsanto were sufficiently concrete
for standing; surely the Court has not changed its mind about the
concreteness of preventative measures so quickly.
Overall, B&T concretely injured Hope by increasing his risk of
identity theft and by causing him to have to take preventative measures.
Therefore, Hope satisfies the concreteness element of the injury-in-fact
requirement of standing.
2. The exposure of Hope’s personal information to the
dark web is a particularized injury because he has a
personal stake in whether his identity is stolen.
A party seeking legal redress “must assert his own legal rights and
interests, and cannot rest his claim to relief on the legal rights or interests
of third parties.” Warth, 422 U.S. at 499. In other words, the party must “be
himself among the injured.” Sierra Club v. Morton, 405 U.S. 727, 734–35 (1972).
It is helpful to look at particularity through the lens of what this Court has
found to be not sufficiently particular.
The injurious action needs to have affected the party “in a personal
and individual way.” Lujan, 504 U.S. at 561 n. 1. For example, in Lujan,
this Court suggested that injury caused by government policies which
allegedly threatened endangered species could constitute an injury in fact if
one of the plaintiffs could show that they intended to travel to the area of
the world the threatened animals inhabited to observe the animals. Id. at
562–63. There, two plaintiffs submitted affidavits that they intended to
eventually return to parts of the world allegedly negatively affected by
government regulations, but neither had certain plans to do so at the time
of the lawsuit. Id. at 564–65. The Court implied that if the plaintiffs had
specific plans to visit the endangered animals, they could have
particularized injuries. See id.
An injury must be more than a “generalized grievance” to be
particularized. Warth, 422 U.S. at 499. In Warth, this Court provided an
informative look at the distinction between a particularized injury and a
general grievance. See id. There, plaintiffs sued the Town of Penfield, New
York, a suburb of Rochester, alleging that the town had enacted zoning laws
which would prevent low and moderate income individuals from living there. Id. at 493. The
Warth Court emphasized that an aggrieved plaintiff must allege a personal
stake in the outcome of a controversy and “a distinct and palpable injury to
himself, even if it is an injury shared by a large class of other possible
litigants.” Id. at 498, 501. Ultimately, plaintiffs in Warth did not have
particularized injuries because the plaintiffs had not alleged that they
themselves had been excluded by the zoning laws. Id. at 508, 510.
In this case, Hope, and each individual who has had his or her
identifying information leaked because of B&T’s carelessness, are
themselves among the injured. In keeping with the Court’s guidance in
Lujan, Hope has been affected by B&T’s data breach in a personal and
individualized way. There is nothing more personal than one’s identity.
Unlike in Lujan, Hope has specifically alleged a way in which he is
personally harmed: his personal information has been downloaded
hundreds of times from the dark web. This is not a public harm, like in
Lujan. The theft of Hope’s information affects only him.
Here, the injured class has not asserted a “generalized grievance.”
See Warth, 422 U.S. at 499. As Warth mandated, though a whole class of
people has been affected by B&T’s actions, each class member has asserted
“his own legal rights and interests.” See id. at 498–99. Each member of the
class, Hope among them, has a legal interest in keeping his or her personal
identifying information off of the dark web. They each have a right to not
have their identity stolen by one of the hundreds of people who have
downloaded their information from the darknet market. This is not a case
of a plaintiff asserting the legal interest of a third party. Unlike the
plaintiffs who had not themselves been excluded by questionable zoning in
Warth, Hope and the others here have themselves had their identifying
information released onto the dark web. Each individual’s date of birth and
social security number now wait to be stolen from the darknet market. It is
hard to imagine a more “distinct and palpable injury” than that. See Warth,
422 U.S. at 501.
Hope has a personal stake in the action here, because his personal
identifying information was stolen. Because Hope asserts his own rights
here, and he was individually injured, he accordingly meets the
particularity element of Article III standing.
3. Even if Hope has yet to experience an actual injury, the
hundreds of downloads of Hope’s information from the
dark web foretells an imminent, not hypothetical,
injury.
In the event that this Court finds Hope’s injury is not “actual,” the
theft of his identity is imminent. While “[a]llegations of possible future
injury do not satisfy the requirements of Article III,” if a “threatened injury
[is] ‘certainly impending’” it may constitute an injury in fact. Whitmore, 495
U.S. at 158 (quoting Babbitt v. Farm Workers, 442 U.S. 289, 298 (1979)).
For example, in Monsanto, this Court recognized that a substantial risk of
harm met the requirements of injury in fact. Monsanto, 561 U.S. at 153.
There, the “substantial risk” of gene flow from genetically modified alfalfa
seed injured the conventional seed farmers in several ways. Id. at 153–54.
This Court acknowledged that the “reasonable probability” of
contamination injured the plaintiffs sufficiently to confer standing. Id.
This Court gave further guidance on the requirements of imminence
in Clapper v. Amnesty International USA. There, this Court found that
plaintiffs did not have standing where the possibility of injury was rooted
in a “highly speculative fear” and “relied on a highly attenuated chain of
possibilities.” Clapper, 568 U.S. at 410. In Clapper, attorneys, human rights
personnel, and members of the media sued the federal government over
new international surveillance protocols. Id. at 406. This Court ultimately
held that the plaintiffs’ fears that the new surveillance methods would
interfere in conversations with their clients and sources were too
attenuated, because they were based on the unknown future actions of
third parties. Id. at 410.
Here, the theft of Hope’s identity is certainly impending. There is
only one reason for his information to be on the dark web: to find its way
into the hands of a criminal who will use his personal information to steal
his identity. Like Monsanto, there is both a “substantial risk” and
“reasonable probability” that Hope’s identity will be stolen because his
information has already been downloaded from the dark web hundreds of
times. See Monsanto, 561 U.S. at 153. Hope and the putative class, unlike
the plaintiffs in Clapper, do not have to predict the actions of a third party
or wait for an unfortunate series of events to unfold before the theft of their
identity is certainly impending. The third party of concern (an identity
thief) has likely already downloaded Hope’s information as one of the
hundreds of downloads from the dark web. In fact, most, if not all, of the
downloads of Hope’s information were likely carried out by individuals with
nefarious purposes. They almost certainly intend to appropriate his
identity because there is no other reason to download someone’s personal
information from the dark web.
The theft of Hope’s identity is an imminent, not hypothetical, injury
because identity thieves already have his information and it is certainly
impending that one of the thieves will soon put Hope’s information to
illegal use. Accordingly, Hope meets the third element of the injury-in-fact
requirement.
C. The Court should recognize, as lower courts have, the
innate harm that an increased risk of identity theft poses.
The Third, Sixth, Seventh, and Ninth Circuits have recognized the
increased risk of identity theft from exposure of personal information as a
palpable enough injury to meet the injury-in-fact requirement of standing.
See, e.g., In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d
625, 629 (3d Cir. 2017); see also Galaria v. Nationwide Mut. Ins. Co., 663 F.
App'x 384, 387–89 (6th Cir. 2016); see also Krottner v. Starbucks Corp., 628
F.3d 1139, 1140 (9th Cir. 2010); see also Pisciotta v. Old Nat. Bancorp, 499
F.3d 629, 634 (7th Cir. 2007). For example, the Ninth Circuit held that
plaintiffs whose information had been stolen, but not misused, suffered an
injury concrete enough to confer Article III standing. Krottner, 628 F.3d at
1140. In that case, someone stole a laptop from Starbucks containing the
personal identifying information of thousands of Starbucks employees. Id.
at 1141. The Ninth Circuit reasoned that the injury, increased risk of
identity theft, was “real and immediate” enough to constitute an injury in
fact. Id. at 1143.
In the same vein, the Third Circuit has also found standing where
private information has been exposed through a data breach. See In re
Horizon, 846 F.3d at 629. In a 2011 case, Reilly v. Ceridian Corp., the Third
Circuit held that plaintiffs in a laptop-theft case had no injury in fact
because their information had not been misused and there was no evidence
the thief “read, copied, and understood their personal information.” Reilly v.
Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011). However, more recently, the
Third Circuit has changed its position. In In re Horizon Healthcare
Services, Inc. Data Breach Litigation, a health insurer had two unencrypted
laptops stolen from its facilities. In re Horizon, 846 F.3d at 629–30. The
laptops contained the personal identifying information of thousands of
customers. Id. at 630. There, the Third Circuit reasoned that, like privacy
torts, unauthorized dissemination of personal information could “itself
constitute a cognizable injury.” Id. at 638–39. The court held that the
alleged dissemination of the plaintiffs’ information, even without evidence
of misuse, was a de facto injury. Id. at 629 (basing its holding, ultimately,
on the statutory violation of the Fair Credit Reporting Act that occurred in
the dissemination of the information).
The Seventh Circuit, in considering a similar case, focused on the
obvious nefarious intent of a hacker who penetrated a business’s computers
for the specific purpose of obtaining sensitive customer data. See Remijas v.
Neiman Marcus Grp., LLC, 794 F.3d 688, 693 (7th Cir. 2015). On facts that
sound familiar, the Seventh Circuit found that plaintiffs suing the
department store Neiman Marcus for a breach of their electronic data had
standing to sue where they “suffered a substantial risk of harm.” Id. at 689,
693. “Presumably,” the court reasoned, “the purpose of the hack is, sooner
or later, to make fraudulent charges or assume those consumers'
identities.” Id.; see also Pisciotta v. Old Nat. Bancorp, 499 F.3d 629, 631–
32, 640 (7th Cir. 2007) (finding that where a third-party “hacker”
perpetrated a “sophisticated, intentional and malicious” attack on a
company website to access the unsecured personal information of
thousands of customers of an online banking service, an act which causes
an increased risk of harm meets federal injury-in-fact requirements);
compare Katz v. Pershing, LLC, 672 F.3d 64, 79–80 (1st Cir. 2012) (finding
that where there was no allegation that any unauthorized person had
accessed her data, a plaintiff did not meet the injury-in-fact requirement
because future identity theft was conjectural); Beck v. McDonald, 848 F.3d
262, 274 (4th Cir. 2017) (finding that where a plaintiff did not allege that
personal identifying information had been stolen with the intent to use it
for identity theft purpose, the increased risk of identity theft was
speculative).
Finally, the Sixth Circuit has recognized that “allegations of a
substantial risk of harm, coupled with reasonably incurred mitigation
costs” due to a data breach “are sufficient to establish a cognizable Article
III injury at the pleading stage of the litigation.” Galaria, 663 F. App'x at
388. In Galaria v. Nationwide Mutual Insurance Co., plaintiffs sued an
insurance company after hackers gained access to the sensitive identifying
information of over a million customers. Id. at 386. After the breach,
Nationwide offered free credit monitoring for a year to affected customers,
as well as identity-fraud protection up to $1 million. Id. In holding that the
injury was sufficient to confer standing, the court reasoned there was “no
need for speculation where [the] Plaintiffs allege[d] that their data ha[d]
already been stolen and [was] in the hands of ill-intentioned criminals.” Id.
at 388. Further, the fact that Nationwide offered free credit monitoring and
identity fraud protection to the affected customers went to show that the
company, too, recognized the risk caused by the data breach. Id. “Where a
data breach targets personal information, a reasonable inference can be
drawn that the hackers will use the victims' data for the fraudulent
purposes alleged in [p]laintiffs' complaints.” Id.
In this case, Hope’s situation mirrors that which has been found to
be an injury in fact in lower courts. The unauthorized dissemination of
Hope’s information is a cognizable injury. See In re Horizon, 846 F.3d at
638–39. As in Pisciotta v. Old National Bancorp, B&T has
increased the risk of harm from that which Hope would have otherwise
faced. Hope’s information is not only on the dark web, but it has also been
downloaded hundreds of times.
Hope sits in an even more vulnerable position than the Starbucks
employees did in Krottner, where there was no indication that the
employees’ information had been placed on the dark web or nefariously
downloaded. If those employees suffered a concrete injury in fact, surely
Hope and the putative class did too, here. The helpless situation in which
Hope finds himself is worse than the situation in Krottner in yet another
way. In Krottner, the Ninth Circuit reasoned that the employees could
suffer an injury even when there was no documented misuse of their
information. Here, thieves posted Hope’s personal identifying information
on the dark web. The posting of his information is misuse of that
information. The sole reason personal identifying information gets posted
on the dark web in the manner that Hope’s was is for identity theft
purposes. The posting in and of itself constitutes misuse.
The hackers’ criminal intent should be a consideration in this case.
See Remijas, 794 F.3d at 693; Galaria, 663 F. App'x at 388. Just like
Galaria, Hope has alleged that his information has been stolen and is
already in the hands of criminals who intend to misappropriate his
identity. In fact, just like Nationwide in Galaria, B&T recognizes the harm
caused by the increased risk of identity theft because they have offered free
credit monitoring for a year. Here, as in Galaria, a reasonable inference can
be drawn from the fact that hackers targeted personal information: they
intend to use it fraudulently. Accordingly, Hope’s allegations should suffice
at this stage in the litigation to merit standing.
B&T will likely try to place the present case in the confines of Reilly
v. Ceridian Corp., Katz v. Pershing, LLC, or Beck v. McDonald. Those
comparisons will not pass inspection. Here, unlike in Reilly, it is known
that the thief “read, copied, and understood” Hope’s personal information
because that is the only reason the thief would have posted the identifying
information on the dark web. See Reilly, 664 F.3d at 42. The thief must
have understood that the information he received was personal identifying
information because he commercialized the information on the dark web.
Further, those who downloaded Hope’s identifying information from the
darknet market had to have known what they were downloading; paying to
receive another’s social security number does not happen by accident. It
almost goes without saying that this case is distinct from Katz and Beck
because the plaintiffs in those cases did not allege unauthorized users had
accessed their information or that the data had been stolen for criminal
purposes. Here, Hope knows unauthorized users have accessed his
information because a thief posted his information on the darknet market.
Nobody had authorization to do that. Like Remijas, it is safe to presume
that, sooner or later, the hackers intend to commit fraud with Hope’s
personal identifying information.
Four circuit courts have arrived at the conclusion that an increased
risk of identity theft is an injury in fact, largely because hackers who
specifically target sensitive information have an obvious intent to use the
information for criminal purposes. Hope respectfully urges this Court to
adopt the sound reasoning of the lower courts and recognize that increased
risk of identity theft is an injury that warrants standing.
II. Hope and the putative class adequately pleaded state
negligence claims because HIPAA may be used as a
legislatively imposed standard for negligence per se and to
inform upon general negligence.
In response to the rapid technological changes in health information
systems, Congress passed the Health Insurance Portability and
Accountability Act (HIPAA). See Webb v. Smart Document Sols., LLC, 499
F.3d 1078, 1084 (9th Cir. 2007). HIPAA was designed to promote the
security and confidentiality of individually identifiable health information
that a “covered entity” creates, receives, maintains, or transmits. 45 C.F.R.
§ 164.306(a)(1). HIPAA is made up of federal regulations that provide
standards applicable to “covered entities” that handle this information. Id.
§ 164.103. These uniform standards were created to regulate the
transmission of ePHI and to inhibit the misappropriation of such
information through fraud. See 42 U.S.C. § 1320a-7(c). Pharmaceutical
companies are undoubtedly “covered entities” subject to the regulations of
HIPAA. See 45 C.F.R. § 164.103 (defining covered entities to include health
care provided via the sale of drugs).
Within HIPAA’s standards, there exists a division between required
and addressable standards. Id. at § 164.306(d). While a required standard
is just that, required, addressable standards are more flexible, but require
additional steps to evaluate the degree to which the standard applies. Id.
When approaching an addressable standard, a covered entity has discretion
to determine whether a particular action is required to protect information.
Id. In its evaluation, the covered entity must determine the level of risk
and act accordingly. Id. If, however, it deems a particular precaution
inappropriate or unreasonable, the entity must document why, and
implement a reasonable alternative. Id. While HIPAA denotes encryption
to be an addressable standard, steps must be taken to determine what is
necessary and implement “a mechanism to encrypt electronic protected
health information whenever deemed appropriate.” Id. § 164.312.
Additionally, HIPAA requires entities to “update as needed, in response to
environmental or operational changes affecting the security of the
electronic protected health information.” Id. § 164.314.
HIPAA, however, does not have an enforcement mechanism in its
regulations that provides a private cause of action. Adams v. Eureka Fire
Prot. Dist., 352 Fed. Appx. 137, 138–39 (8th Cir. 2009). Civil enforcement of
HIPAA may be pursued by the Department of Health and Human Services
as well as state attorneys general. See Doe v. Bd. of Trs. of Univ. of Ill., 429
F.3d 930, 944 (N.D. Ill. 2006); HITECH Act, 42 U.S.C. §§ 1320d-2(d),
1320d-5(d) (2012).
Negligence is a state cause of action, the requirements of which vary
from state to state. See generally Restatement (Third) of Torts: Phys. &
Emot. Harm § 7 (Am. Law Inst. 2010) (discussing the variation of
jurisdictional elements and requirements of different states). In order to
successfully bring a negligence cause of action, the burden rests on the
plaintiff to establish four elements: 1) that the defendant had a duty to
exercise reasonable care; 2) that the defendant breached that duty; 3) that
the breach of duty caused the injury to the plaintiff; and 4) that the
plaintiff sustained an injury. See generally id. (outlining the traditional
elements of negligence).
A negligence per se cause of action differs from ordinary negligence
by effectively reducing the plaintiff’s burden of proof by establishing a
legislatively imposed duty. See generally id.; see also Chambers v. St.
Mary’s School, 697 N.E.2d 198, 201 (Ohio 1998). The Missouriana statute
codifying negligence per se is as follows: “An actor is negligent if, without
excuse, the actor violates a statute that is designed to protect against the
type of accident the actor’s conduct causes, and if the accident victim is
within the class of persons the statute is designed to protect.” 302 M.C.S. §
3/22-104.
The question of whether HIPAA preempts state laws has been
answered in the negative. See Byrne v. Avery Ctr. for Obstetrics &
Gynecology, P.C., 102 A.3d 32, 36 (Conn. 2014). Thus, HIPAA does not
preempt or preclude state negligence claims based upon standards set out
in HIPAA’s regulations. The question before this Court is one of state law.
While Missouriana courts and legislatures have not had the opportunity to
resolve this question, it is this Court’s responsibility to rule in a manner
consistent with the laws of Missouriana. Ins. Co. of N. Am. v. English, 295
F.2d 854, 860 (5th Cir. 1968). It is helpful to broach this issue by looking at
other jurisdictions’ decisions and reasoning to inform upon HIPAA’s
applicability in Missouriana negligence claims.
A. Hope’s negligence per se claim may be based on a violation
of standards established in HIPAA because neither HIPAA
nor Missouriana’s statutes preclude it.
This Court has a duty to “arrive at [a] decision which reason dictates,
with faith that the state courts will arrive at the same decision.” English,
295 F.2d at 860. In other words, this Court must use the laws of the state
in order to deliver a compatible opinion. While HIPAA does not provide any
explicit language precluding its utilization as an element in a state law
claim, some jurisdictions have found their own laws to be inconsistent with
that very application. See generally Sheldon v. Kettering Health Network,
40 N.E.3d 661 (Ohio Ct. App. 2015). Other jurisdictions, however, have
permitted HIPAA to be used as a legislatively imposed duty for the
purposes of negligence per se. See I.S. v. Wash. Univ., No. 4:11CV235SNLJ,
2011 WL 2433585 (E.D. Mo. June 14, 2011). Missouriana’s own statute, and
lack of judicial history preventing regulatory based negligence per se
claims, demonstrate the validity of Hope’s claim.
1. The Missouriana negligence per se statute does not, in
and of itself, preclude HIPAA as a basis for a valid
cause of action.
“A conflict exists among the states regarding whether a plaintiff may
pursue a negligence per se claim based on an alleged violation of a federal
statute that does not provide a private right of action.” In re Cmty. Health
Sys., Inc., No. 15-CV-222-KOB, 2016 WL 4732630, at *26 (N.D. Ala. Sept.
12, 2016) (identifying the variations in states’ negligence per se statutes and
the implication on including a federal statute). Despite HIPAA’s lack of a
private cause of action, federal regulations are often utilized legitimately as
an element of a state tort action. See generally Merrell Dow Pharm., Inc. v.
Thompson, 478 U.S. 804, 817 (1986) (acknowledging the validity of using
federal statutes as an element of a state cause of action); see also I.S., 2011
WL 2433585 at *2 (asserting the validity of “a state claim for negligence per
se despite its exclusive reliance upon HIPAA”).
The Restatement (Third) of Torts (Restatement) provides valuable
insight into the intricacies of the negligence per se doctrine. In addressing
what may apply for the purposes of negligence per se, the Restatement says
“[t]his Section most frequently applies to statutes adopted by state
legislatures, but equally applies . . . to federal statutes as well as
regulations promulgated by federal agencies.” Restatement (Third) of Torts:
Phys. & Emot. Harm § 14 cmt. A (Am. Law Inst. 2010) (noting most states
that accept negligence per se apply it to violations of administrative
regulations).
In I.S. v. Washington University, the defendant disclosed protected
medical information to the plaintiff’s employer, without the plaintiff’s
consent or authorization. I.S., 2011 WL 2433585 at *3. The plaintiff
brought a Missouri negligence per se claim against the defendant based
upon the defendant’s violation of HIPAA by improperly disclosing his
personal medical records. Id. The United States District Court for the
Eastern District of Missouri found that the state claim was valid by
denying the defendant’s motion to dismiss. Id. The case, however, was
remanded to state court to be heard on the merits. Id. at *5.
Along the same lines, in Smith v. Triad of Ala., LLC, plaintiffs
brought a negligence per se claim alleging that the defendant’s failure to
safeguard personal health information resulted in a breach of HIPAA.
Smith v. Triad of Alabama, LLC, No. 1:14–CV–324–WKW, 2015 WL
5793318 at *11–12 (M.D. Ala. Sept. 29, 2015). The court permitted this
HIPAA-based claim to advance beyond the motion to dismiss stage,
reasoning that “no binding precedent [exists] holding that a HIPAA
violation is not a proper basis for a negligence per se claim under Alabama
law.” Id. The court further noted that a HIPAA-based negligence per se
claim is cognizable as a matter of law. Id.
The Missouriana negligence per se statute is identical to that found
in the Restatement. 302 M.C.S. § 3/22-104; Restatement (Third) of Torts:
Phys. & Emot. Harm § 14 (Am. Law Inst. 2010) (matching the Missouriana
negligence per se statute word for word). The Restatement emphasizes the
application of federal regulations for the purpose of establishing a
negligence per se claim. See Restatement (Third) of Torts: Phys. & Emot.
Harm § 14 cmt. A (Am. Law Inst. 2010). HIPAA does not provide any
explicit language precluding the use of its standards in a state action. In
fact, federal regulations are a standard basis for negligence per se claims,
and HIPAA has been the basis of several with no federal contradiction. See,
e.g., K.V. & S.V. v. Women’s Healthcare Network, LLC, No. 07-0228-CV-W-
DW, 2007 WL 1655734 at *1 (W.D. Mo. June 6, 2007); Thompson, 478 U.S.
at 817.
It is reasonable to infer, especially in light of the lack of precluding
statutory language, that Missouriana’s negligence per se statute is
compatible with, or at the very least does not preclude, federal regulations.
See Triad of Alabama, 2015 WL 5793318 at *11–12. Further, because
Missouriana’s negligence per se statute exactly mirrors the Restatement,
and the Restatement makes clear that federal regulations can be used in
negligence per se claims, it is logical to infer that Missouriana’s statute
means to allow the use of federal regulations. Thus, HIPAA is a valid basis
for a negligence per se claim.
2. Missouriana’s lack of binding case law restricting the
scope of negligence per se illustrates the jurisdiction’s
compatibility with HIPAA.
In precluding HIPAA’s use in a Missouriana negligence per se action,
the trial court based its holding on the case Sheldon v. Kettering Health
Network. (R. at 10.) (citing Sheldon, 40 N.E.3d at 672). In Sheldon, the
court reasoned that the lack of a private cause of action represented an
incompatibility between HIPAA and an Ohio negligence per se claim.
Sheldon, 40 N.E.3d at 674. In its analysis, the Sheldon court reasoned that
permitting the use of HIPAA in a state negligence per se claim would be
“tantamount to authorizing a prohibited private right of action for violation
of HIPAA itself.” Id. at 672. Much of the Sheldon analysis was based upon
an Ohio Supreme Court case, Chambers v. St. Mary’s School. Id. at 674
(citing Chambers, 697 N.E.2d 198). In its analysis, however, the Sheldon
court failed to consider all of the reasoning from Chambers.
The Chambers court addressed the applicability of a regulation in an
Ohio state negligence claim. Chambers, 697 N.E.2d at 202. The court
reasoned that regulations were not compatible with negligence per se
because of the lack of public participation in their creation. Chambers, 697
N.E.2d at 202. Additionally, a previous Ohio court decision limited
negligence per se claims to “legislative enactments.” Id. (citing Eisenhuth v.
Moneyhon, 119 N.E.2d 440 (Ohio 1954)) (noting that “rulemaking by
administrative agencies does not involve the collaborative effort of elected
officials”). The court went on to assert that permitting a regulation to be
the basis of “negligence per se could open the floodgates to litigation.” Id. at
202–203. The court finally expressed concern by asserting “[s]trict
compliance with such a multitude of rules would be virtually impossible.”
Id. at 203.
Florida’s contemplation of whether HIPAA can be used as a basis for
a negligence claim offers further insight into how states decide HIPAA-
based claims are inconsistent with their jurisprudence. See Weinberg v.
Advanced Data Processing, Inc., 147 F.Supp.3d 1359, 1365–66 (S.D. Fla.
2015). In Weinberg v. Advanced Data Processing, Inc., a federal district
court outlined the rich history of limiting Florida’s negligence per se claims
to violations of state statutes. Id. (“Florida courts have refused to recognize
a private right of action for negligence per se based on an alleged violation
of a federal statute that does not provide for a private right of action.”)
(citation omitted). The Weinberg court concluded that HIPAA and the
state’s negligence per se claims were incompatible, thus, a “claim of
negligence based upon a HIPAA violation fails.” Weinberg, 147 F.Supp.3d
at 1366.
Conversely, the Connecticut Supreme Court addressed both
preemption and the applicability of HIPAA in state common law claims.
Byrne, 102 A.3d at 35. In Byrne v. Avery Ctr. for Obstetrics & Gynecology,
P.C., the plaintiff brought a negligence claim under HIPAA against her
healthcare provider for improperly breaching the confidentiality of her
medical records. Id. at 38. In its holding, the court reasoned that HIPAA
did not preempt state actions and noted the value of utilizing the HIPAA
standard in negligence claims because the goals of HIPAA and a HIPAA-
based negligence claim are aligned to disincentivize the improper
dissemination and misappropriation of medical records. Id. at 48; see also
Thompson, 478 U.S. at 817 (acknowledging the validity of state claims
based upon federal statutes that do not create a private cause of action).
Connecticut is not the only state that has allowed negligence per se
claims based on HIPAA. The Eastern District of Missouri held that a
plaintiff’s negligence per se claim was sufficiently pleaded despite its
exclusive reliance upon HIPAA. See I.S., 2011 WL 2433585 at *2. In this
case, the plaintiff alleged that the defendant improperly disclosed the
plaintiff’s medical records in violation of HIPAA. Id. at *1. The plaintiff
sued under a negligence per se theory supported by the regulatory
standards of HIPAA. Id. In its reasoning, the I.S. court differentiated
between a HIPAA-based negligence per se claim and a private cause of
action under HIPAA. Id. Thus, the court held that a HIPAA-based claim
was not precluded. Id.
In this case, Missouriana courts have not had the opportunity to rule
on “whether it would recognize a violation of a federal statute or regulation
as the basis for a negligence per se claim.” (R. at 10.) Thus, the Missouriana
court differs from the courts of Ohio and Florida. See Sheldon, 40 N.E.3d at
672; see also Weinberg, 147 F.Supp.3d at 1365. Further, several courts have
held that HIPAA does not preempt state claims and may be used as an
element of a state cause of action, disposing of the Sheldon court’s concerns
about compatibility. Sheldon, 40 N.E.3d at 672 (discussing the concern that
a HIPAA-based negligence claim is precluded by HIPAA); see Byrne, 102
A.3d at 36 (holding that HIPAA claims do not preempt a state negligence
cause of action and may be used as a basis in determining negligence).
This is a case of first impression in Missouriana. In fact, few states
have actually dealt with this exact issue before. While the Chambers court
expressed concern about opening the “flood gates of litigation,” it is
reasonable to regard this problem as, at most, limited. Chambers, 697
N.E.2d at 202–203. Further, the Chambers court’s concern about the
practicality of compliance goes against the very goal of HIPAA. It would
actually be less intrusive for a state to follow the already required and
addressable standards outlined in HIPAA as opposed to generating a new
standard altogether. State HIPAA-based negligence per se claims simplify
compliance for covered entities, such as B&T, by reducing the number of
standards with which they must comply. See generally Yath v. Fairview
Clinics, N.P., 767 N.W.2d 34, 49–50 (Minn. App. 2009) (concluding that a
state statutory cause of action for improper disclosure of medical records
was not preempted by HIPAA because “[a]lthough the penalties under the
two laws differ, compliance with [the Minnesota statute] does not exclude
compliance with HIPAA,” and “[r]ather than creating an ‘obstacle’ to
HIPAA, [the Minnesota statute] supports at least one of HIPAA's goals by
establishing another disincentive to wrongfully disclose a patient's health
care record”).
Accordingly, the Missouriana negligence per se statute is compatible
with the use of a HIPAA-based standard. Not only would it increase
efficiency and contribute to a common goal, but it would also simplify the
standard of care for covered entities such as B&T by limiting the variations
nationwide.
B. HIPAA is particularly useful to inform on the
reasonableness of care for the purposes of general
negligence because it outlines a clear and already
applicable standard.
While on the surface it appears that many jurisdictions disagree as
to the applicability of HIPAA in state negligence claims generally, many
states consider HIPAA to be an informative authority in determining the
standard of care under ordinary negligence. See, e.g., Byrne, 102 A.3d at 47;
Chambers, 697 N.E.2d at 568. It follows that HIPAA may be used to inform
upon the standard of care required in protecting ePHI in an ordinary
negligence claim. Despite the rejection of HIPAA in negligence per se
claims, many courts permit and even promote its consideration for the
purposes of establishing an ordinary negligence claim. See, e.g., Chambers,
697 N.E.2d at 568; Fanean v. Rite Aid Corp. of Del., Inc., 984 A.2d 812, 823
(Del. Super. Ct. 2009) (concluding that a claim of negligence per se could
not be premised on a HIPAA violation, but holding that common-law
negligence claims could utilize HIPAA as a “guidepost for determining the
standard of care”). In determining Ohio’s law’s incompatibility with
regulatory-based negligence per se claims, the Chambers court noted the
efficiency and effectiveness of utilizing regulatory standards to inform upon
ordinary negligence. Chambers, 697 N.E.2d at 203. This reasoning was
ignored by the Sheldon court and the trial court in this case.
“An actor ordinarily has a duty to exercise reasonable care when the
actor's conduct creates a risk of . . . harm.” Restatement (Third) of Torts:
Phys. & Emot. Harm § 7 (Am. Law Inst. 2010). In passing HIPAA,
“Congress intended through legislation to ‘recogniz[e] the importance of
protecting the privacy of health information in the midst of the rapid
evolution of health information systems.’” Webb, 499 F.3d at 1084 (quoting
S.C. Med. Ass'n v. Thompson, 327 F.3d 346, 348 (4th Cir. 2003)). In
essence, Congress acknowledged a risk of harm stemming from the
misappropriation of individuals’ medical records when it enacted HIPAA in
1996. The promulgation of regulations established a standard for covered
entities such as B&T in hopes of protecting the privacy of individuals’
healthcare information. In rejecting Hope’s negligence claim, the trial court
asserted the lack of a statutory duty to protect ePHI under Missouriana
law. The court went on to say that even in the presence of a Missouriana-
imposed duty, HIPAA would be too flexible under the “addressable”
standard. (R. at 13.) While flexible, the addressable standard still requires
steps to be taken that B&T did not perform. See 45 C.F.R. § 164.306(d).
Missouriana has recognized that individuals have a general right of
privacy in their medical records, including ePHI. See Hanson v. Jones Med.
Ctr., 199 Mis. 2d 321, 333 (2002) (holding a medical center liable for public
disclosure of private medical information). In addition to this right of
privacy in medical records, Missouriana also established requirements via
the Missouriana Data Breach Notification Act, which applies to “[an]
individual or commercial entity that conducts business in Missouriana and
that owns or licenses computerized data that includes personally
identifiable information about a resident of Missouriana.” 410 M.C.S. §
22/46-101(a) (2005). While this act deals with notification, it illustrates
Missouriana’s understanding of the importance of protecting ePHI and
places a duty upon those that handle it, much like the way HIPAA does.
In the present case, the ePHI that B&T handled was predictably
stolen and downloaded hundreds of times. While B&T complied with the
Missouriana Data Breach Notification Act by notifying Hope and the
putative class, it violated those individuals’ rights to privacy provided for in
Hanson v. Jones Medical Center. See Hanson, 199 Mis. 2d at 333. Both
Missouriana and HIPAA generally acknowledge a duty for those handling
ePHI to exercise reasonable care, which HIPAA standardized through
regulations. 45 C.F.R. § 164.312. The trial court was correct to say that the
manner in which B&T strives to “[e]nsure the confidentiality, integrity, and
availability of all electronic protected health information the covered entity
. . . creates, receives, maintains, or transmits” is an “addressable” standard.
However, there is more to addressable standards than mere discretion.
The general idea of the addressable standard is that a covered entity
must assess whether particular safeguards in their systems are reasonable
and appropriate. 45 C.F.R. § 164.306(d). It is within the covered entity’s
discretion as to what they view as reasonable and appropriate. Id. If a
particular protection, such as encryption, is deemed unreasonable, then the
entity must document why and implement a reasonable alternative. Id.
Both Missouriana and HIPAA recognize the risks associated with handling
ePHI. Additionally, HIPAA mandates, as a required standard, that covered
entities “[p]rotect against any reasonably anticipated threats or hazards to
the security or integrity of such information.” 45 C.F.R. § 164.306(a)(2).
In the present case, B&T assessed the potential threat to the stored
ePHI, and as a result of understanding the real and imminent threat,
encrypted the data. (R. at 2.) B&T did so in order to comply with HIPAA
in case of a potential “security incident.” (See R. at 1.) In the course of
carrying out this duty, B&T failed to follow its own standards to protect the
information it knew was vulnerable. B&T employees did not make a
conscious decision that encryption was not reasonable or appropriate;
instead, they failed to do their job by failing to implement the patch that
was available well before the data transfer, resulting in the breach despite
their knowledge of zero-day exploits. (See R. at 2.) As a result of this
deficiency, Hope and the putative class’ information was stolen and
misappropriated on the dark web.
These zero-day exploits are so common in the industry that they
have a name as well as significant protocol to prevent them. (R. at 2.) It is
reasonable to infer that B&T was well aware of these exploits, or at least
should have been, when handling this type of data. (See R. at 2–3.) This
falls directly into one of the required standards set out in HIPAA that
covered entities must protect against any reasonably anticipated threats.
See 45 C.F.R. § 164.306(a)(2). The zero-day exploit was anticipated, yet
Hope’s information was still compromised due to the failure of B&T to
implement the required update. This did not require B&T to make
significant changes, but instead to carry out its safeguards that it itself
deemed appropriate. Even if B&T evaluated and deemed encryption
unnecessary, it would have still needed to comply with HIPAA by
documenting why it was deemed inappropriate or unreasonable to take
that extra step to protect the data. Id. § 164.306(d). B&T neither
documented, nor updated its system in response to a known change in its
environment and in the face of a zero-day exploit in violation of a required
standard set out in HIPAA. See 45 C.F.R. §§ 164.306, .312, .314. This
violation of required, not just addressable, standards demonstrates the
need and value of using HIPAA when informing on the standard of care.
The duty set out by Missouriana jurisprudence, coupled with the
required and addressable standards of HIPAA, may serve as the basis of a
negligence claim for determining whether B&T exercised a reasonable
standard of care. Relying on this long-established standard would increase
efficiency by streamlining and standardizing the requirements in the state
of Missouriana while advancing the goals of both the state and HIPAA
itself.
CONCLUSION
Article III standing in a private law claim such as this one is
satisfied because Hope suffered a de facto injury of just the sort the
courts exist to resolve. Even though standing should not be at issue here,
Hope has in any event established an injury in fact sufficient to confer
standing: the increased risk caused by the exposure of his personal
information on the dark web, together with the preventative measures he
subsequently had to undertake, constitutes a concrete, particularized, and
actual injury.
Further, HIPAA can be used to establish the standard for a
negligence per se claim and to evaluate the duty of care in a general
negligence claim because no Missouriana law precludes using it as such.
Accordingly, the Court should affirm the Court of Appeals for the
Thirteenth Circuit and its reversal of the district court’s dismissal of Hope’s
claim.
Respectfully Submitted,
/s/ Team 2704
Attorneys for Respondent
CERTIFICATE OF SERVICE
We certify that a copy of Respondent’s brief was served upon the
Petitioner, Barker & Todd, Inc., through the counsel of record by certified
U.S. mail return receipt requested, on this, the 20th day of September
2018.
/s/ Team 2704
Attorneys for Respondent
APPENDIX A
Constitutional Provisions
U.S. Const. art. III, § 2, cl. 1
The judicial Power shall extend to all Cases, in Law and Equity, arising
under this Constitution, the Laws of the United States, and Treaties made,
or which shall be made, under their Authority;--to all Cases affecting
Ambassadors, other public Ministers and Consuls;--to all Cases of
admiralty and maritime Jurisdiction;--to Controversies to which the United
States shall be a Party;--to Controversies between two or more States;--
between a State and Citizens of another State;--between Citizens of
different States;--between Citizens of the same State claiming Lands under
Grants of different States, and between a State, or the Citizens thereof, and
foreign States, Citizens or Subjects.
APPENDIX B
United States Code Provisions
42 U.S.C. § 1320a-7c. Fraud and abuse control program.
(a) Establishment of program
(1) In general
Not later than January 1, 1997, the Secretary, acting through the
Office of the Inspector General of the Department of Health and
Human Services, and the Attorney General shall establish a
program—
(A) to coordinate Federal, State, and local law enforcement
programs to control fraud and abuse with respect to health
plans,
(B) to conduct investigations, audits, evaluations, and
inspections relating to the delivery of and payment for health
care in the United States,
(C) to facilitate the enforcement of the provisions of sections
1320a-7, 1320a-7a, and 1320a-7b of this title and other
statutes applicable to health care fraud and abuse, and
(D) to provide for the modification and establishment of safe
harbors and to issue advisory opinions and special fraud alerts
pursuant to section 1320a-7d of this title.
42 U.S.C. § 1320d-2(d). Standards for information transactions and
data elements.
(d) Security standards for health information.
(1) Security standards.
The Secretary shall adopt security standards that--
(A) take into account:
(i) the technical capabilities of record systems used to
maintain health information;
(ii) the costs of security measures;
(iii) the need for training persons who have access to
health information;
(iv) the value of audit trails in computerized record
systems; and
(v) the needs and capabilities of small health care
providers and rural health care providers (as such
providers are defined by the Secretary); and
(B) ensure that a health care clearinghouse, if it is part of a
larger organization, has policies and security procedures
which isolate the activities of the health care clearinghouse
with respect to processing information in a manner that
prevents unauthorized access to such information by such
larger organization.
(2) Safeguards.
Each person described in section 1320d-1(a) of this title who maintains
or transmits health information shall maintain reasonable and
appropriate administrative, technical, and physical safeguards--
(A) to ensure the integrity and confidentiality of the
information;
(B) to protect against any reasonably anticipated--
(i) threats or hazards to the security or integrity of the
information; and
(ii) unauthorized uses or disclosures of the information;
and
(C) otherwise to ensure compliance with this part by the
officers and employees of such person.
42 U.S.C. § 1320d-5(d). General penalty for failure to comply with
requirements and standards.
* * *
(d) Enforcement by State attorneys general.
(1) Civil action
Except as provided in subsection (b), in any case in which the attorney
general of a State has reason to believe that an interest of one or more
of the residents of that State has been or is threatened or adversely
affected by any person who violates a provision of this part, the
attorney general of the State, as parens patriae, may bring a civil
action on behalf of such residents of the State in a district court of the
United States of appropriate jurisdiction--
(A) to enjoin further such violation by the defendant; or
(B) to obtain damages on behalf of such residents of the State,
in an amount equal to the amount determined under
paragraph (2).
* * *
(5) Construction
For purposes of bringing any civil action under paragraph (1), nothing
in this section shall be construed to prevent an attorney general of a
State from exercising the powers conferred on the attorney general by
the laws of that State.
302 M.C.S. § 3/22-104
An actor is negligent if, without excuse, the actor violates a statute
that is designed to protect against the type of accident the actor’s
conduct causes, and if the accident victim is within the class of persons
the statute is designed to protect.
410 M.C.S. § 22/46-101(a). Missouriana Data Breach Notification Act.
The Act applies to:
An individual or a commercial entity that conducts business in
Missouriana and that owns or licenses computerized data that
includes personally identifiable information about a resident of
Missouriana.
APPENDIX C
Code of Federal Regulations Provisions
45 C.F.R. § 160.103. Definitions.
* * *
Covered entity means:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in
electronic form in connection with a transaction covered by this
subchapter.
* * *
Health care means care, services, or supplies related to the health of
an individual. Health care includes, but is not limited to, the following:
(1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance,
or palliative care, and counseling, service, assessment, or procedure
with respect to the physical or mental condition, or functional
status, of an individual or that affects the structure or function of
the body; and
(2) Sale or dispensing of a drug, device, equipment, or other item in
accordance with a prescription.
* * *
Health care provider means a provider of services (as defined in
section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or
health services (as defined in section 1861(s) of the Act, 42 U.S.C.
1395x(s)), and any other person or organization who furnishes, bills, or
is paid for health care in the normal course of business.
45 C.F.R. § 164.306. Security standards: General rules.
(a) General requirements. Covered entities and business associates
must do the following:
(1) Ensure the confidentiality, integrity, and availability of all
electronic protected health information the covered entity or
business associate creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or
hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or
disclosures of such information that are not permitted or
required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.
(b) Flexibility of approach.
(1) Covered entities and business associates may use any
security measures that allow the covered entity or business
associate to reasonably and appropriately implement the
standards and implementation specifications as specified in
this subpart.
(2) In deciding which security measures to use, a covered
entity or business associate must take into account the
following factors:
(i) The size, complexity, and capabilities of the covered
entity or business associate.
(ii) The covered entity's or the business associate's
technical infrastructure, hardware, and software security
capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to
electronic protected health information.
(c) Standards. A covered entity or business associate must comply with
the applicable standards as provided in this section and in § 164.308, §
164.310, § 164.312, § 164.314 and § 164.316 with respect to all
electronic protected health information.
(d) Implementation specifications.
In this subpart:
(1) Implementation specifications are required or addressable.
If an implementation specification is required, the word
“Required” appears in parentheses after the title of the
implementation specification. If an implementation
specification is addressable, the word “Addressable” appears in
parentheses after the title of the implementation specification.
(2) When a standard adopted in § 164.308, § 164.310, §
164.312, § 164.314, or § 164.316 includes required
implementation specifications, a covered entity or business
associate must implement the implementation specifications.
(3) When a standard adopted in § 164.308, § 164.310, §
164.312, § 164.314, or § 164.316 includes addressable
implementation specifications, a covered entity or business
associate must—
(i) Assess whether each implementation specification is a
reasonable and appropriate safeguard in its environment,
when analyzed with reference to the likely contribution to
protecting electronic protected health information; and
(ii) As applicable to the covered entity or business
associate—
(A) Implement the implementation specification if
reasonable and appropriate; or
(B) If implementing the implementation specification
is not reasonable and appropriate—
(1) Document why it would not be reasonable and
appropriate to implement the implementation
specification; and
(2) Implement an equivalent alternative measure
if reasonable and appropriate.
(e) Maintenance. A covered entity or business associate must review
and modify the security measures implemented under this subpart as
needed to continue provision of reasonable and appropriate protection
of electronic protected health information, and update documentation
of such security measures in accordance with § 164.316(b)(2)(iii).
45 C.F.R. § 164.312. Technical safeguards.
A covered entity or business associate must, in accordance with §
164.306:
(a)(1) Standard: Access control. Implement technical policies and
procedures for electronic information systems that maintain
electronic protected health information to allow access only to those
persons or software programs that have been granted access rights
as specified in § 164.308(a)(4).
(2) Implementation specifications:
(i) Unique user identification (Required). Assign a unique
name and/or number for identifying and tracking user
identity.
(ii) Emergency access procedure (Required). Establish
(and implement as needed) procedures for obtaining
necessary electronic protected health information during
an emergency.
(iii) Automatic logoff (Addressable). Implement electronic
procedures that terminate an electronic session after a
predetermined time of inactivity.
(iv) Encryption and decryption (Addressable). Implement
a mechanism to encrypt and decrypt electronic protected
health information.
(b) Standard: Audit controls. Implement hardware, software, and/or
procedural mechanisms that record and examine activity in
information systems that contain or use electronic protected health
information.
(c)(1) Standard: Integrity. Implement policies and procedures to
protect electronic protected health information from improper
alteration or destruction.
(2) Implementation specification: Mechanism to authenticate
electronic protected health information (Addressable).
Implement electronic mechanisms to corroborate that
electronic protected health information has not been altered or
destroyed in an unauthorized manner.
(d) Standard: Person or entity authentication. Implement procedures
to verify that a person or entity seeking access to electronic protected
health information is the one claimed.
(e)(1) Standard: Transmission security. Implement technical security
measures to guard against unauthorized access to electronic
protected health information that is being transmitted over an
electronic communications network.
(2) Implementation specifications:
(i) Integrity controls (Addressable). Implement security
measures to ensure that electronically transmitted
electronic protected health information is not improperly
modified without detection until disposed of.
(ii) Encryption (Addressable). Implement a mechanism to
encrypt electronic protected health information whenever
deemed appropriate.
45 C.F.R. § 164.314. Organizational requirements.
(a)(1) Standard: Business associate contracts or other arrangements.
The contract or other arrangement required by § 164.308(b)(3) must
meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of
this section, as applicable.
(2) Implementation specifications (Required).
(i) Business associate contracts. The contract must provide
that the business associate will—
(A) Comply with the applicable requirements of this
subpart;
(B) In accordance with § 164.308(b)(2), ensure that any
subcontractors that create, receive, maintain, or
transmit electronic protected health information on
behalf of the business associate agree to comply with
the applicable requirements of this subpart by entering
into a contract or other arrangement that complies with
this section; and
(C) Report to the covered entity any security incident of
which it becomes aware, including breaches of
unsecured protected health information as required by §
164.410.
(ii) Other arrangements. The covered entity is in
compliance with paragraph (a)(1) of this section if it has
another arrangement in place that meets the requirements
of § 164.504(e)(3).
(iii) Business associate contracts with subcontractors. The
requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this
section apply to the contract or other arrangement between
a business associate and a subcontractor required by §
164.308(b)(4) in the same manner as such requirements
apply to contracts or other arrangements between a
covered entity and business associate.
(b)(1) Standard: Requirements for group health plans. Except when
the only electronic protected health information disclosed to a plan
sponsor is disclosed pursuant to § 164.504(f)(1)(ii) or (iii), or as
authorized under § 164.508, a group health plan must ensure that its
plan documents provide that the plan sponsor will reasonably and
appropriately safeguard electronic protected health information
created, received, maintained, or transmitted to or by the plan
sponsor on behalf of the group health plan.
(2) Implementation specifications (Required). The plan
documents of the group health plan must be amended to
incorporate provisions to require the plan sponsor to—
(i) Implement administrative, physical, and technical
safeguards that reasonably and appropriately protect the
confidentiality, integrity, and availability of the electronic
protected health information that it creates, receives,
maintains, or transmits on behalf of the group health plan;
(ii) Ensure that the adequate separation required by §
164.504(f)(2)(iii) is supported by reasonable and
appropriate security measures;
(iii) Ensure that any agent to whom it provides this
information agrees to implement reasonable and
appropriate security measures to protect the information;
and
(iv) Report to the group health plan any security incident of
which it becomes aware.
APPENDIX D
Federal Rules of Civil Procedure Provisions
Fed. R. Civ. P. 12(b). Defenses and Objections: When and How
Presented; Motion for Judgment on the Pleadings; Consolidating
Motions; Waiving Defenses; Pretrial Hearing.
* * *
(b) How to Present Defenses. Every defense to a claim for relief in any
pleading must be asserted in the responsive pleading if one is
required.
But a party may assert the following defenses by motion:
(1) lack of subject-matter jurisdiction.
* * *
(6) failure to state a claim upon which relief can be granted.