No. 18–251

_________________________________________________________________

IN THE

Supreme Court of the United States

________________________

BARKER & TODD, INC.,

Petitioner,

v.

ANTHONY HOPE,

Respondent,

_______________________

On Petition for Writ of Certiorari to the

United States Court of Appeals for the Thirteenth Circuit

_______________________

BRIEF FOR RESPONDENT

_______________________

Date: September 20, 2018 Team # 2727

Counsel for Respondent

Oral Argument Requested

ii

QUESTIONS PRESENTED

1. Article III of the Constitution requires standing to invoke federal

jurisdiction. Standing requires injury-in-fact, causation, and redressability.

The harm alleged must be concrete and particularized and actual or

imminent to qualify as an injury-in-fact. This Court has held that a

substantial risk of future harm can constitute injury-in-fact. B&T argues that

the District Court lacks subject matter jurisdiction under Rule

12(b)(1), because the future risk of identity theft does not satisfy injury-in-

fact. Was the appellate court correct in holding that Hope satisfied injury-in-

fact due to the substantial future risk of identity theft?

2. In absence of pertinent state precedent, multiple Circuits require federal

courts to exercise a reasonable judicial discretion. Missouriana has

recognized that individuals have a general right of privacy in their medical

records, but the state has not yet imposed that right against pharmaceutical

companies. This Court has recognized the ability for courts to use federal

statues to guide the standard of care for state law negligence claims. Did the

appellate court properly rule when it held that Hope stated a plausible state

law negligence claim by looking to HIPAA to establish the standard of care?

iii

TABLE OF CONTENTS

QUESTIONS PRESENTED ..........................................................................................i

TABLE OF AUTHORITIES ........................................................................................iii

OPINIONS

BELOW......................................................................................................vii

CONSTITUTIONAL AND STATUTORY PROVISIONS.............................................x

STATEMENT OF THE CASE .......................................................................................1

SUMMARY OF THE ARGUMENT ..............................................................................3

ARGUMENT .................................................................................................................6

I. The District Court has subject matter jurisdiction to hear Hope’s claim

because the risk of future financial harm is sufficiently concrete and

particularized and imminent to establish injury-in-fact as required to

have standing

.........................................................................................................6

A. Hope’s claim for risk of future financial harm is sufficiently concrete

and particularized because an invasion of one’s privacy traditionally

leads to relief and there was an identifiable data breach of Hope’s

personal information

................................................................................7

B. The risk of Hope’s future financial harm is actual or imminent because

Hope’s personal information has already been taken, found on the dark

web for sale, and downloaded hundreds of times

...................................10

II. Hope stated a claim upon which relief may be granted to the putative

class because B&T’s actions violated the duties and standards established

under HIPAA

..........................................................................................................18

A. Hope is able to bring a claim of negligence per se because B&T violated

the duties created by HIPAA’s statute and regulations ......................18

B. Hope is able to bring a claim of general negligence because HIPAA’s

well-established regulations effectively delineate the standard of care

for how personal information should be stored and secured ...............23

CONCLUSION .............................................................................................................27

iv

APPENDIX

....................................................................................................................A

TABLE OF AUTHORITIES

SUPREME COURT CASES

Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013) …………………………….............................................10, 13

Grable & Sons Metal Products, Inc. v. Darue Eng'g & Mfg., 545 U.S. 308 (2005)............................................................................................19

Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) .........................................................................................6, 7

Merrell Dow Pharm. Inc. v. Thompson,

478 U.S. 804 (1986) .......................................................................................19,

21

Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) ................................................................................7, 9,

10

Sprint Comm’ns Co. v. APCC Servs., Inc., 544 U.S. 269 (2008) ............................................................................................6

Susan B. Anthony List v. Driehaus,

134 S. Ct. 2334 (2014) ......................................................................................10

APPELLATE COURT CASES

Attias v. CareFirst, Inc.,

865 F.3d 620 (D.C. Cir. 2017) .............................................................6, 11, 12,

17

Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017) ............................................................................15

Bloodsaw v. Lawrence Berkeley Lab.,

v

135 F.3d 1260 (9th Cir. 1998) .........................................................................8, 9

Galaria v. Nationwide Mut. Ins. Co., 663 F. App'x 384 (6th Cir. 2016)…………………………………………....11, 14,

17

Hetherton v. Sears, Roebuck & Co., 593 F.2d 526 (3d Cir. 1979) ..............................................................................19

In re Horizon Healthcare Servs. Data Breach Litig., 846 F.3d 625 (3d Cir. 2017) .........................................................................8, 9,

10

In re Nickelodeon Consumer Privacy Litig.,

827 F.3d 262 (3d Cir. 2016) .................................................................................8

In re SuperValu, Inc., 870 F.3d 763 (8th Cir. 2017) .............................................................................15

Ins. Co. of N. Am. v. English,

395 F.2d 854 (5th Cir. 1968) ............................................................................23

Katz v. Donna Karan Co., 872 F.3d 114 (2d Cir. 2017) .................................................................................7

Katz v. Pershing, LLC, 672 F.3d 64 (1st Cir. 2012) .........................................................................15, 17

Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) ..........................................................................12

Lowe v. General Motors Corp.,

624 F.2d 1373 (5th Cir. 1980) ..........................................................................19

Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) ................................................................................15

Remijas v. Neiman Marcus Group, LLC, 794 F.3d 668 (7th Cir. 2015)................................................................6, 11, 17,

18

Robins v. Spokeo, Inc., 742 F.3d 409 (9th Cir. 2014)

................................................................................9

Whalen v. Michaels Stores, Inc., 689 F. App'x 89 (2d Cir. 2017) …………………….........................................15,

17

vi

DISTRICT COURT CASES

Fero v. Excellus Health Plan, Inc., 304 F. Supp. 3d 333 (W.D.N.Y. 2018) ....................................................................16

Grove Fresh Distributors, Inc. v. Flavor Fresh Foods, Inc., 720 F. Supp. 714 (N.D. Ill. 1989) ...........................................................................25

Harmon v. Maury Cnty.,

No. 1:05 CV 0026, 2005 WL 2133697 (M.D. Tenn. Aug. 31, 2005).......................21

In re Adobe Sys. Privacy Litig., 66 F.Supp. 3d 1197 (N.D. Cal. 2014) .....................................................11, 12, 13,

17

In re Cmty. Health Sys., No. 15-CV-222-KOB, 2017 U.S. Dist. LEXIS 21178 (N.D. Ala. 2017) ................11

I.S. v. Washington Univ., No. 4:11CV235SNLJ, 2011 WL 2433585 (E.D. Mo. June 14, 2011).....................21

K.V. & S.V. v. Women’s Healthcare Network, LLC, No. 07-0228-CV-W-DW, 2007 WL 1655734 (W.D. Mo. June 6, 2007) ...........20

Sackin v. Transperfect Glob., Inc., 278 F.Supp.3d 739 (S.D.N.Y. Oct. 4, 2017) ....................................................16

STATE COURT CASES

Acosta v. Byrum,

638 S.E.2d 246 (N.C. Ct. App. 2006) ..........................................................21, 24

Allen v. Delchamps, Inc.,

624 So. 2d 1065 (Ala. 1993) ..............................................................................20

Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 102 A.3d 32 (Conn. 2014) .................................................................................24

Conboy v. State,

292 Conn. 642 (Conn. 2009) ..............................................................................18

Fanean v. Rite Aid Corp. of Delaware, Inc., 984 A.2d 812 (Del. Super. Ct. 2009) .............................................................24,

26

Grey's Ex'r v. Mobile Trade Co.,

vii

55 Ala. 387 (Ala. 1876).......................................................................................20

Hanson v. Jones Medical Ctr.,

199 Mis. 2d 321 (2002)

.......................................................................................23

Harden v. Danek Med., Inc.,

985 S.W.2d 449 (Tenn.

1998).............................................................................20

Martin v. Schroeder,

105 P.3d 577 (Ariz. Ct. App. 2005) ..................................................................20

R.K. v. St. Mary's Med. Ctr., Inc., 735 S.E.2d 715 (W. Va. 2012)............................................................................24

Scheele v. Rains,

874 N.W.2d 867 (Neb. 2016) ............................................................................25

Sheldon v. Kettering Health Network,

40 N.E.3d 661 (Ohio 2015) .........................................................................25, 26

Sorenson v. Barbute,

143 P.3d 295 (Utah Ct. App. 2006) ..................................................................21

Walgreen Co. v. Hinchy,

21 N.E.3d 99 (Ind. Ct. App. 2014) .....................................................................21

West v. Mache of Cochran,

370 S.E.2d 169 (Ga. Ct. App. 1988) ..................................................................20

Young v. Carran,

289 S.W.3d 586 (Ky. Ct. App. 2008) ................................................................24

STATE STATUTES

302 M.C.S. § 3/22-104 (2014) .......................................................................................21

CONSTITUTION

U.S. Const., Art. III, § 2, cl. 1 ........................................................................................6

RULES

Fed. R. Civ. P. 12(b)(1) ............................................................................................1, 3,

6

viii

Fed. R. Civ. P. 12(b)(6) ..........................................................................................1, 3,

18

REGULATIONS

45 C.F.R. §§ 164.302-.318 (2015) .................................................................................21

SECONDARY SOURCES

Lisa Andrews, Plaintiff, v. Family Dollar Stores of Oklahoma, Inc., And Barbara Robinson, Defendants., Labor & Empl. L. P 186938 ..................................................24

OPINIONS BELOW

The United States District Court for the District of Missouriana granted

B&T’s 12(b)(1) motion to dismiss for lack of standing. C.R. 14. Hope alleged that he

and the plaintiff class sufficiently established that they suffered an injury-in-fact

because of the increased risk of fraud and identity theft as well as the steps that

must be taken on the plaintiffs’ part to guard themselves from that future harm

that stems from the data breach that made their electronic personal health

information (“ePHI”) available for sale on the dark web. C.R. 6. However, the

district court pointed to Clapper, where this Court ruled that “threatened injury

must be certainly impending to constitute injury-in-fact.” C.R. 6. The district court

ix

rejected Hope’s allegations due to the lack of allegations of “actual misuse of the

data,” and because the court believed that in order for actual misuse to occur,

“many actions must first take place.” C.R. 7. Consequently, the court found that

Hope lacked standing to file this suit because the plaintiff class failed to show

injury-in-fact, which is required for standing under Article III of the United States

Constitution. C.R. 5.

The district court also granted B&T’s 12(b)(6) motion to dismiss for failure to

state a claim. Hope asserted two legal theories for finding B&T liable for the

injuries resulting from the data leak: negligence per se and general negligence. C.R.

8. Hope alleged that B&T was negligent per se because B&T violated the duties

owed under HIPAA’s statute and regulations. Further, Hope contended that B&T

can be found liable under negligence law generally because HIPAA establishes a

standard of care, which B&T failed to meet. C.R. 8. The district court ruled that it

did not believe Missouriana would find negligence per se or a common law

negligence claim under these circumstances, and thus Hope failed to state a claim

upon which relief may be granted. C.R. 13.

The United States Court of Appeals for the Thirteenth Circuit reversed the

district court’s order dismissing the complaint. C.R. 24. The appellate court found

that the district court erred not only in ruling that the putative class had not shown

injury-in-fact to have standing, but also in holding that Hopes complaint did not

allege a claim upon which relief may be granted. C.R. 16.

x

The appellate court ruled that the putative class suffered an intangible harm

that the appellate court recognizes as sufficiently concrete and particularized to

establish injury-in-fact for standing. Id. Pointing to this Court’s decision in Spokeo,

the appellate court reiterated this Court’s previous holding that intangible injuries

can satisfy standing and found that the risk of future identity theft or fraud arising

from an identifiable data breach may satisfy injury-in-fact. C.R. 19. Thus, the

appellate court held that Hope had established injury-in-fact, because Hope’s ePHI,

along with his Social Security number and date of birth, had been found on the dark

web being downloaded hundreds of times. C.R. 20, 21.

The appellate court also found that the district court erred in ruling that the

plaintiff class failed to state a claim. C.R. 24. The appellate court found that the

appellant properly asserted a state law negligence claim upon which relief could be

granted by claiming that B&T failed to maintain confidentiality of the plaintiff

class’s ePHI, leading to the unauthorized access of that information. Id. The

appellate court also ruled that it is proper for courts to look to the standards of care

established under HIPAA when determining the duty to protect ePHI. Id. Thus, the

appellate court found that the plaintiff class did properly state a claim,

and reversed and remanded to the court below to decide whether B&T complied

with HIPAA. Id.

xi

CONSTITUTIONAL AND STATUTORY PROVISIONS

U.S. Const., Art. III, § 2, Cl. 1

Fed. R. Civ. P. 12(b)(1)

Fed. R. Civ. P. 12(b)(6)

45 C.F.R. § 164.306(a)(1)

45 C.F.R. § 164.312(a)(1)

xii

1

STATEMENT OF THE CASE

Anthony Hope (Hope) filed a common law negligence complaint against

Barker & Todd, Inc. (B&T) on February 15, 2016, in the United States District

Court for Missouriana, alleging B&T violated standards set forth in the Health

Insurance Portability and Accountability Act (HIPAA) by failing to safeguard

Hope’s ePHI. C.R. 4. On March 1, 2016, B&T filed a 12(b)(1) Motion to Dismiss,

asserting that Hope had failed to establish injury-in-fact for purposes of Article II

standing. Additionally, B&T filed a 12(b)(6) Motion to Dismiss, asserting that Hope

may not use HIPAA violations as a basis for either negligence per se or general

negligence claims under Missouriana law. Id.

The district court granted B&T’s motions and found that Hope failed to

establish injury-in-fact for purposes of Article III standing, failed to state a

negligence per se claim a matter of law, and failed to state a common law negligence

claim upon which relief can be granted. C.R. 13. Hope appealed the district court’s

order dismissing his complaint to the United States Court for the Thirteenth

Circuit. C.R. 15-16.

The appellate court reversed the district court’s dismissal of the

complaint. C.R. 16. The court additionally remanded the case for proceedings in line

with its opinion. Id. B&T petitioned this Court for certiorari. C.R. 25. This case calls

upon the Court to resolve the following two issues: (1) whether patients, whose

ePHIs have been stolen, can establish injury-in-fact to confer standing under Article

2

III against the party that failed to safeguard their ePHIs; and (2) whether state law

negligence claims may be based on violations of HIPAA.

3

SUMMARY OF THE ARGUMENT

The appellate court was correct in denying B&T’s motion to dismiss because

Hope has standing to sue and has sufficiently pleaded a claim upon which relief can

be granted. Rule 12(b)(1) requires a court to have subject matter jurisdiction and for

a court to have subject matter jurisdiction, a plaintiff must have standing to sue.

Standing consists of three elements: (1) injury-in-fact, (2) a causal connection

between the injury and the conduct complained of, and (3) a favorable decision

would make it likely that the injury would be redressed. Rule 12(b)(6) requires a

plaintiff to allege facts with sufficient specificity to state a claim for relief that is

permissible on its face. Because Hope has established an injury-in-fact and has

sufficiently pleaded a claim for relief, this Court should affirm the appellate

court's holding.

I. Hope’s Injury-in-fact

The appellate court was correct in holding that Hope has an injury-in-fact as

required by standing. To establish injury-in-fact, the plaintiff must show an

invasion of a legally protected interested which is (a) concrete and particularized

and (b) actual or imminent rather than conjectural or hypothetical. An intangible

harm that has a close relationship to a harm that has traditionally been regarded as

providing a basis for a lawsuit in English or American courts or an intangible harm

identified by Congress meets the requirements of concreteness. An injury is

sufficiently particularized when it is individualized and when the plaintiff alleges a

violation of his own rights. A future injury is imminent if it is certainly impending

4

or there is a substantial risk that harm will occur. However, an injury that relies on

a highly attenuated or highly speculative chain of events to occur does not ripen

into imminence.

In this case, Hope has sufficiently alleged an injury-in-fact because he has

identified a taking of his personal information that was found for sale on the dark

web and has been downloaded hundreds of times. This is not a case in which no

taking of information has been identified and a chain of events that are highly

attenuated and highly speculative need to occur. Rather, Hope’s information has

already been taken deliberately from hackers and found on the Internet thereby

satisfying imminence. Further, the traditional right to privacy and Congress’s

affirmative act in protecting personal information through HIPAA satisfies the

concreteness requirement. Lastly, the future risk of identity theft alleged is

personal to Hope as his information was taken and he is alleging a violation of his

own rights. Thus, Hope has sufficiently alleged an injury-in-fact as required by

standing.

II. B&T’s Violation of Duties Owed to Hope

The appellate court was also correct in holding that Hope has sufficiently

pled a claim upon which relief can be granted. Although HIPAA does not provide a

private right of action, numerous federal courts have held that negligence per se

claims may in fact be based on violations of HIPAA. Further, several federal courts

and state courts have allowed negligence per se claims where there was a violation

of a federal statute. Most tellingly, this Court has accepted the use of different

5

statues that also lack a private right of action as the basis for state law negligence

per se claims. Thus, as the appellate court held, without a clear indication

suggesting otherwise, it cannot be held that HIPAA cannot form

a Missouriana state law claim simply because the issue has yet to be addressed.

Even if this Court finds unpersuasive the theory that a negligence per se

claim may be based on violations of HIPAA, Hope is still able to bring a claim of

general negligence based on the duties outlined in HIPAA. Missouriana has

recognized that individuals have a general right of privacy in their medical records

and just because Missouriana case law has not addressed the right of privacy in the

context of a pharmaceutical company does not lead to foreclosure to use of such a

claim. Rather, this Court has the duty to arrive at the decision which reasons

dictates, with the faith that the state courts will arrive at the same decision. Here,

reason dictates that allowing HIPAA to govern the standard of care would increase

efficiency and provide guidance on the requirements of protection of ePHI.

Further, numerous state courts have allowed HIPAA to guide the standard of

care in other state law negligence cases. Specifically, a state supreme court has held

that HIPAA may be used as a guidepost for determining the applicable standard of

care for a pharmaceutical company. Additionally, federal courts have also allowed

state law negligence claims that looked to a federal statue to determine the

standard of care. Thus, because there are ample examples of numerous courts of

varying jurisdictions approving the use of a federal statute, like HIPAA, to base a

state law negligence claim, this Court should affirm the appellate court’s decision

6

that Hope has a general negligence claim against B&T based on the standards in

HIPAA.

ARGUMENT

I. The District Court has subject matter jurisdiction to hear Hope’s claim

because the risk of future financial harm is sufficiently concrete and

particularized and imminent to establish injury-in-fact.

The Federal Rules of Civil Procedure permit a defendant to move to dismiss a

claim for relief based on lack of subject matter jurisdiction. Fed. R. Civ. P. 12(b)(1).

Courts presume, absent a clear indication to the contrary, that a dismissal for lack

of subject matter jurisdiction under Rule 12(b)(1) is a final, appealable order and a

district court’s decision of whether a plaintiff has standing is reviewed de

novo. Attias v. CareFirst, Inc., 865 F.3d 620, 624-25 (D.C. Cir. 2017); Remijas v.

Neiman Marcus Group, LLC, 794 F.3d 668, 691 (7th Cir. 2015). A federal court has

subject matter jurisdiction only over actual “[c]ases” and “[c]ontroversies.” U.S.

Const., Art. III, § 2, cl. 1; Lujan v. Defenders of Wildlife, 504 U.S. 555, 559 (1992).

For the case or controversy requirement to be satisfied, the plaintiff must meet the

requirements for standing. Sprint Comm’ns Co. v. APCC Servs., Inc., 544 U.S. 269,

273 (2008). Standing consists of three elements: (1) injury-in-fact, (2) a causal

connection between the injury and the conduct complained of, and (3) a favorable

decision would make it likely that the injury would be redressed. Lujan, 504 U.S. at

560-61. B&T has raised no issues about either causation or redressability. C.R. 21

n. 9. Therefore, the issue before the Court is limited to the question of injury-in-

fact.

7

An injury-in-fact is an “invasion of a legally protected interested which is (a)

concrete and particularized” and “(b) actual or imminent” rather than “conjectural

or hypothetical.” Lujan, 504 U.S. at 560. At the pleading stage, general allegations

of injury resulting from the defendant’s conduct can satisfy a plaintiff’s burden to

establish standing, because the court presumes that the general allegations

“embrace those specific facts that are necessary to support the claim.” Id. at 561

(quoting Lujan v. Nat’l Wildlife Federation, 497 U.S. 871, 889 (1990)). A bright-line

rule for injury-in-fact does not exist. Rather, injury-in-fact analysis is a highly case

and fact specific inquiry. Katz v. Donna Karan Co., 872 F.3d 114, 121 (2d Cir.

2017).

A. Hope’s claim for risk of future financial harm is sufficiently concrete and

particularized because an invasion of one’s privacy traditionally leads to

relief, and there was an identifiable data breach of Hope’s personal

information.

For an injury to be concrete, the injury must be “de facto.” Spokeo, Inc. v.

Robins, 136 S. Ct. 1540, 1548 (2016). Thus, the injury must actually exist and be

“real” and not “abstract.” Id. However, an injury does not have to be tangible to be

concrete. Id. at 1549. Rather, this Court has held on numerous occasions that

intangible injuries can be concrete. Id.

To determine whether an intangible harm constitutes injury-in-fact,

the court is instructed to look to the history and the judgement of

Congress. Id. Therefore, an intangible harm that has a close relationship to a harm

that has traditionally been regarded as providing a basis for a lawsuit in English or

American courts or an intangible harm identified by Congress meets the minimum

8

requirements of Article III. Id. Although Article III still requires a concrete injury in

the context of a statutory violation, this Court has held that, in some circumstances,

a plaintiff need not allege additional harm beyond what Congress has identified to

satisfy injury-in-fact. Id. Nor does it follow that the risk of real harm cannot satisfy

the requirement of concreteness. Id. (reasoning that the law has “long permitted

recovery by certain tort victims even if their harms may be difficult to prove or

measure”).

A clear example of risk of real harm deemed to satisfy concreteness would be

the unauthorized disclosure of information. According to the Third Circuit, the

unauthorized disclosure of information has “long been seen as injurious.” In re

Horizon Healthcare Servs. Data Breach Litig., 846 F.3d 625, 638 (3d Cir. 2017). The

Third Circuit is not alone on this view. As noted in the Restatement Second, the

common law alone will, on occasion, protect a person’s right to prevent the

disclosure of private information and with privacy torts, improper dissemination of

information itself can constitute a cognizable injury. Id. (citing Restatement

(Second) of Torts § 652A (2016)). Further, Congress has long provided plaintiffs

with “the right to seek redress for unauthorized disclosures of information that, in

Congress’s judgement, ought to remain private.” In re Nickelodeon Consumer

Privacy Litig., 827 F.3d 262, 274 (3d Cir. 2016). Additionally, although HIPAA itself

does not provide for a private right of action, it has been recognized that the

“constitutionally protected privacy interest in avoiding disclosure of personal

9

matters clearly encompasses medical information and its confidentiality.” Bloodsaw

v. Lawrence Berkeley Lab., 135 F.3d 1260, 1269 (9th Cir. 1998).

In the case at bar, the future risk of identity theft has a close relationship to

a traditionally protected right in English or American Courts – the right of

privacy. See In re Horizon Healthcare Servs. Data Breach Litig., 846 F.3d at 638.

Furthermore, the disclosure of ePHI and other personal information protected in

HIPAA’s privacy and security rules directly relates to the “constitutionally

protected privacy interest in avoiding disclosure of

personal matters.” See Bloodsaw, 135 F.3d at 1269. Therefore, there is an intangible

harm protected by HIPAA that has a close relationship to a traditionally regarded

harm, here privacy interest, in English or American Courts thus satisfying

concreteness. See In re Horizon, 846 F.3d at 640.

For an injury to be particularized, it must affect the plaintiff “in a personal

and individual way.” Spokeo, Inc., 136 S. Ct. At 1548. Thus, a plaintiff must (1) be

“among the injured,” in the sense that they allege the defendants violated their

statutory rights, and (2) the statutory right at issue must protect against an

“individual, rather than collective, harm.” Robins v. Spokeo, Inc., 742 F.3d 409, 413

(9th Cir. 2014) rev’d on other grounds. In Robins, the Ninth Circuit held that

because the plaintiff alleged the defendant violated his statutory rights and because

the plaintiff’s personal interest in the handling of his credit information are

individualized rather than collective, the plaintiff had satisfied the injury-in-fact

requirement. Id. at 413-14. On appeal, this Court stated that the Ninth Circuit’s

10

analysis was concerned only with particularization, not concreteness and did not

overrule the Ninth Circuit’s articulation of the requirements of

particularization. Spokeo, S. Ct. 1540 at 1548. Therefore, an injury is sufficiently

particularized when they are (1) individualized, and (2) the plaintiff alleges a

violation of his own rights. Id. at 1556.

An example of this standard being met by the disclosure of private

information is In re Horizon, where the Third Circuit held there was “no doubt” that

the plaintiffs’ complained of a particularized injury, which was the unauthorized

disclosure of their private information. In re Horizon, 846 F.3d at 633 n. 10. In the

case at bar, Hope has alleged the same violation of his rights based on the

disclosure of his own private information. C.R.4. Based off legal precedent and this

Court’s own standard in Spokeo, Hope has satisfied particularization because he

claimed (1) a violation of his own rights and (2) the violation (i.e. the handling of his

credit information) is individualized rather than collective. See Spokeo, S. Ct. 1540

at 1556; In re Horizon, 846 F.3d at 633 n. 10; C.R. 4. Therefore, Hope meets

the Spokeo particularization standard.

B. The risk of Hope’s future financial harm is actual or imminent because

Hope’s information has already been taken, found for sale on the dark

web, and downloaded hundreds of times.

For an injury to be imminent it must be certainly impending or there is a

substantial risk that harm will occur. Susan B. Anthony List v. Driehaus, 134 S. Ct.

2334, 2341 (2014). In terms of data theft, this Court does not require that a plaintiff

must wait to actually suffer identity theft or credit card fraud in order to have

standing, because such a requirement would run counter to the well-established

11

principle that harm need not have already occurred or be literally certain in order to

constitute an injury-in-fact. Clapper v. Amnesty Int’l USA, 568 U.S. 398, 414 n. 5

(2013) (noting that this Court has found standing based on a “substantial risk”). As

this Court articulated, imminence is a “somewhat elastic concept” that should not

be stretched beyond its purpose to “ensure that the alleged injury is not too

speculative for Article III purposes.” Id. at 409. Put another way, a substantial risk

cannot be found where it is based on “the attenuated chain of inferences necessary

to find harm.” Id. at 414 n. 5.

Presently, the circuit courts are divided as to how far imminence stretches. In

terms of unauthorized disclosures of personal data, a circuit split exists on whether

actual misuse of that personal data is required to have standing to assert data

breach claims. In re Cmty. Health Sys., No. 15-CV-222-KOB, 2017 U.S. Dist. LEXIS

21178, at *17 (N.D. Ala. 2017). While there is disagreement as to the elasticity of

the concept, this Court should follow the reasoning of the D.C., Sixth, Seventh,

Ninth, and arguably the Second Courts of Appeals which have all ruled that an

increased risk of future identity theft is sufficient to confer standing.

Numerous courts have found that a “substantial risk that harm will occur” is

shown where there is an increased risk of future harm due to hackers deliberately

targeting a database and stealing private information. In re Adobe Sys. Privacy

Litig., 66 F. Supp.3d 1197, *1215 (N.D. Cal. 2014) (holding that hackers who

deliberately targeted and breached a server resulted in a risk to the plaintiff that

was “immediate and very real” and satisfied standing); Galaria v. Nationwide Mut.

12

Ins. Co., 663 F. App'x 384, 389 (6th Cir. 2016) (holding where a data breach targets

personal information, a reasonable inference can be drawn that the hackers will use

the victim’s data for fraudulent purposes alleged in the complaint and the fact that

the defendants offered to pay for credit monitoring and identity theft monitoring

was telling thus showing a substantial risk of harm); Remijas, 794 F.3d at 694

(ruling that the plaintiffs had shown a substantial risk of harm because,

“presumably, the purpose of the hack is, sooner or later, to make fraudulent charges

or assume those consumers’ identities”); CareFirst, Inc., 865 F.3d at 624-25 (holding

that the cyberattack on defendant’s server which resulted in information hacked

like Social Security and credit card numbers and that the virtue of the hack

presented a risk much more substantial than the risk in Clapper); Krottner v.

Starbucks Corp., 628 F.3d 1139, 1142-43 (9th Cir. 2010) (ruling that the plaintiffs

had alleged the threat of a real and immediate harm due to the future risk of

identity theft, after the theft of a laptop containing their unencrypted personal

data); In re Adobe Sys. Privacy Litig., 66 F. Supp.3d 1197, *1215 (N.D. Cal. 2014)

(holding that hackers who deliberately targeted and breached a server resulted in a

risk to the plaintiff that was “immediate and very real” and satisfied standing).

In CareFirst, the plaintiffs alleged that a cyberattack on defendant’s servers

gave access to identity thieves the “PII, PHI, ePHI, and other personal and sensitive

information of [p]laintiffs.” CareFirst, Inc., 865 F.3d 620 at 627-28. The D.C.

Circuit noted that, drawing on experience and common sense, a substantial risk of

identity theft is apparent where the information hacked includes

13

“[S]ocial [S]ecurity and credit card numbers.” Id. at 628. Further, the court stated

that it is “much less speculative—at the very least, it is plausible—to infer” that an

unauthorized party with access to personally identifying data has both the “intent

and the ability to use that data for ill.” Id. Thus, that court held that no long

sequence of uncertain contingencies needed to occur before the plaintiffs will suffer

any harm. Id. at 629. Rather, a substantial risk of harm already existed by “virtue

of the hack and the nature of the data that the plaintiffs allege was

taken.” Id. (holding that the risk presented was much more substantial than the

risk presented in Clapper which relied on a highly speculative fear of action).

Additionally, in In re Adobe, the Northern District Court of California held,

unlike the claim of future harm in Clapper that rested on a chain of events that was

both highly attenuated and highly speculative because the actor concerned had not

targeted the plaintiffs, the risk that plaintiffs’ personal data will be misused by

hackers who breached Adobe’s network was “immediate and very real.” In re

Adobe, 66 F.Supp.3d 1197 at *1214. In that case, plaintiffs alleged the hackers

“deliberately targeted” Adobe’s servers and collected “names, usernames,

passwords, email addresses, phone numbers, mailing addresses, and credit card

numbers and expiration dates.” Id. Plaintiffs’ personal information was among the

information taken during the breach. Id. The district court held that there was no

need to speculate “as to whether the hackers intend[ed] to misuse the personal

information stolen” as some of the stolen data had already surfaced on the

internet. Id. at *1215. The court noted this was in stark contrast to Clapper where

14

plaintiffs’ argument rested on the fact that the Government would have to decide to

target the plaintiffs’ communications and then choose to invoke its authority under

the statute in question as well as take numerous other steps for there to be

imminence of harm. Id. at *1214; Clapper, 568 U.S. at 410. Thus, plaintiffs’

allegations of future identity theft was ruled to be a concrete and imminent threat

that satisfied Article III. In re Adobe, 66 F.Supp.3d 1197 at *1216.

Similarly, in the Sixth Court of Appeals, a substantial risk of harm was found

in a case where hackers broke into Nationwide’s database and stole personal data

including dates of birth, marital statuses, genders, occupations, employers, Social

Security numbers, and driver’s license numbers. Galaria, 663 F. App'x 384, 386. The

plaintiffs argued that the theft of their personal data placed them at a “continuing,

increased risk of fraud and identity theft beyond the speculative allegations of

‘possible future injury’ or ‘objectively reasonable likelihood’ of injury.” Id. at 388.

The court agreed and noted that there was no need for speculation where plaintiffs

“allege that their data has already been stolen and is now in the hands of ill-

intentioned criminals.” Id. Further, the court emphasized that a reasonable

inference can be drawn that the hackers will use the victims’ data

for fraudulent purposes where a data breach targets personal

information. Id. Additionally, the court reiterated that it would be unreasonable to

expect plaintiffs to wait for actual misuse before taking steps to ensure security

where plaintiffs already know that they have lost control of their data. Id. This is

true despite the fact that Nationwide offered to provide some services for a limited

15

time to help monitor the victim’s credit, check their bank statements, and modify

their financial accounts, because plaintiffs alleged that the risk is continuing and

that they had incurred costs—namely, credit freezes—not provided by

Nationwide. Id. at 388-89.

The circuit courts that have found no substantial risk in cases alleging future

harm do so for reasons distinguishable from the case at bar. Namely, those circuits

found there is not a substantial risk of harm sufficient to satisfy injury-in-fact

where there is no identifiable taking or where it is not shown that the data breach

was the for the purpose of fraud. In re SuperValu, Inc., 870 F.3d 763, 770 (8th Cir.

2017) (ruling that the plaintiffs did not demonstrate a substantial risk of future

identity theft because the allegedly stolen card information did not include any

personal identifying information, such as Social Security numbers, birth dates, or

driver’s license numbers); Whalen v. Michaels Stores, Inc., 689 F. App'x 89, 90-91

(2d Cir. 2017) (finding insufficient standing where plaintiff did not “allege how she

can plausibly face a threat of future fraud,"—one of her proffered theories of

injury—"because her stolen credit card was promptly canceled after the breach and

no other personally identifying information—such as her birth date

or Social Security number—is alleged to have been stolen”); Beck v. McDonald, 848

F.3d 262, 276 (4th Cir. 2017) (noting no evidence was uncovered that the personal

information contained on a stolen laptop had been accessed or misused or that that

the thief stole the laptop with the intent to steal private information); Reilly v.

Ceridian Corp., 664 F.3d 38, 42-43 (3d Cir. 2011) (holding information taken from a

16

payroll system firewall by an unknown hacker was not enough to satisfy standing

requirements as it was “not known whether the hacker read, copied, or understood”

the system’s information and no evidence suggested past or future misuse of

employee data or that the intrusion was intentional or malicious); Katz v. Pershing,

LLC, 672 F.3d 64, 80 (1st Cir. 2012) (finding no injury-in-fact where the plaintiff did

not allege that her nonpublic personal information had been accessed by any

unauthorized person).

Recently, a Second Circuit case ruled that the above-mentioned Whalen does

not foreclose standing based on an increased risk of identity theft but rather

strongly implies that “the Second Circuit would follow those circuits that have held

that a risk of future identity theft is sufficient to plead an injury-in-fact.” Fero v.

Excellus Health Plan, Inc., 304 F.Supp.3d 333, 340 (W.D.N.Y. 2018). The Fero court

explained that although Whalen was “a payment card case in which the plaintiff did

not have standing based on an increased risk of identity theft,” Whalen’s “favorable

citations to Galaria, Remijas, and Lewert suggest that the Second Circuit would

follow the approach to the standing issue adopted by the Sixth and Seventh

Circuits, which have both found standing based on an increased risk of identity

theft.” Id. at 339.

Further, Fero pointed to another recent Second Circuit case that held, in a

data breach case, an imminent risk of future identity theft satisfies the injury-in-

fact requirement. Id. at 339-40 (citing Sackin v. Transperfect Glob., Inc., 278

F.Supp.3d 739 (S.D.N.Y. 2017)). In Sackin, the court ruled that the allegations that

17

the “Defendant provided Plaintiffs’ names, addresses, date of births, Social Security

numbers and bank account information directly to cyber-criminals creates a risk of

identity theft sufficiently acute so as to fall comfortably into the category of

certainly impending.” Sackin, 278 F.Supp.3d at 746. The Sackin court also

cited Whalen as evidence that the Second Circuit would join the sister circuits in

holding that an increased risk of identity theft is sufficiently imminent to establish

standing. Id.

In the case at bar, Hope has alleged a substantial risk of harm because

Hope’s personal information was taken by hackers found on the dark web

and has been downloaded hundreds of times. See CareFirst, Inc., 865 F.3d 620 at

627-28; In re Adobe Sys. Privacy Litig., 66 F.Supp. 3d 1197 at *1215; C.R. 3. This is

in stark contrast to the case where there is no evidence that the stolen information

has been accessed. See Katz, 672 F.3d at 79. Additionally, the private information

taken by the hackers was not just credit card information, but rather included

Hope’s Social Security number. See Whalen 689 F. App'x 89 at 90; C.R. 3. Although

B&T offered and Hope accepted a year of free credit monitoring, similar to the

plaintiffs in Galaria, Hope will have to pay for continued credit monitoring and had

to put a credit freeze in place without help from B&T. Galaria, 663 F. App'x at 388-

89 (finding substantial harm because plaintiffs’ alleged that the risk is continuing

and that they had incurred costs—namely, credit freezes—not provided by

Nationwide); C.R. 3, 4. Additionally, it is telling that B&T has offered credit

monitoring for a year, showing they do not think the “risk is so ephemeral that it

18

can be safely disregarded.” Remijas, 794 F.3d at 694; C.R.3. Therefore, Hope has

established a substantial risk of harm sufficient to satisfy imminence.

The District Court has subject matter jurisdiction to hear Hope’s claim

because the risk of future financial harm is sufficiently concrete and particularized

and imminent to establish injury-in-fact. Hope has identified a personal privacy

right traditionally recognized in American and English law thus showing the harm

is concrete and particularized. Further, five circuits across the country have ruled

that a future risk of identity theft is a substantial harm as it is more than plausible

to infer that a substantial harm arises from a data breach, because, sooner or later,

the hackers will exploit that information. As the Sixth Court articulated, “Why else

would hackers break into a database and steal private information?” Remijas, 794

F.3d at 693. Thus, this Court should uphold the appellate court’s finding that Hope

has alleged an injury-in-fact as required to confer standing.

II. Hope stated a claim upon which relief may be granted to the putative

class because B&T’s actions violated the duties and standards established

under HIPAA.

Hope stated a claim upon which relief may be granted because B&T’s actions

violated the standards established under HIPAA. Under Rule 12(b)(6), a plaintiff is

obligated to allege facts with sufficient specificity to state a claim for relief that is

permissible on its face and a lower court’s determination of a 12(b)(6) motion should

be reviewed de novo. Fed. R. Civ. P. 12(b)(6); Conboy v. State, 292 Conn. 642, 650

(Conn. 2009). In this case, Hope alleged state law negligence claims while using

HIPAA as a guidepost for the standard of care. Despite case law indicating the

contrary, the district court dismissed Hope’s claims for failure to state a claim.

19

Identifying this error, the appellate court reversed. Because Hope properly stated a

claim for common law negligence and negligence per se, this Court should affirm

the decision of the appellate court to reverse the dismissal.

A. Hope is able to bring a claim of negligence per se because B&T violated a

federal statute that put forth a duty upon B&T.

Missouriana’s negligence per se statute states: “An actor is negligent if,

without excuse, the actor violates a statute that is designed to protect against the

type of accident the actor’s conduct causes, and if the accident victim is within the

class of persons the statute is designed to protect.” C.R. 9-10. Missouriana modeled

this statute directly after the Restatement (Third) of Torts, which explains that

federal statutes and regulations can in fact give rise to a finding of negligence per

se. C.R. 22; See generally Restatement (Third of Torts: Phys. & Emot. Harm §

14 cmt. A (Am. Law Inst. 2010) (stating the section regarding negligence per se

“most frequently applies to statutes adopted by state legislatures, but equally

applies to . . . federal statutes as well as regulations promulgated by federal

agencies”); Grable & Sons Metal Products, Inc. v. Darue Eng'g & Mfg., 545 U.S. 308,

318–19 (2005) (agreeing with the Restatement (Third) of Torts § 14 that “the breach

of a federal statute may support a negligence per se claim as a matter of state law”).

Thus, we ask this Court to affirm the appellate court’s ruling on this point and

allow a negligence per se claim based on the violation of HIPAA’s privacy and

security regulations.

This Court has encountered state law negligence per se claims based on

violations of numerous other federal statutes that do not provide for private causes

20

of actions. Merrell Dow Pharm. Inc. v. Thompson, 478 U.S. 804, 823 (1986)

(addressing the question of jurisdiction in a state law negligence per se claim based

on a violation of the Federal Food, Drug, and Cosmetic Act (FDCA)). Additionally,

other federal courts have also allowed for negligence per se claims in cases where

there was a violation of a federal statute. Lowe v. General Motors Corp., 624 F.2d

1373, 1380 (5th Cir. 1980) (holding that a violation of the National Traffic and

Motor Vehicle Safety Act is evidence of negligence per se); Hetherton v. Sears,

Roebuck & Co., 593 F.2d 526, 529-30 (3d Cir. 1979) (finding negligence per se from a

violation of the Gun Control Act).

State courts have also addressed the issue of utilizing violations of federal

statutes to find state law negligence per se claims and confirmed that this method is

indeed acceptable. Martin v. Schroeder, 105 P.3d 577, 582-83 (Ariz. Ct. App. 2005)

(holding that a firearm sale in violation of the Gun Control Act amounted to

negligence per se); West v. Mache of Cochran, 370 S.E.2d 169, 173 (Ga. Ct. App.

1988) (finding a violation of the Gun Control Act to be negligence per se); Grey's

Ex'r v. Mobile Trade Co., 55 Ala. 387, 402-03 (Ala. 1876) (finding negligence per se

stemming from a violation of a federal law that regulates cotton shipments); Allen

v. Delchamps, Inc., 624 So. 2d 1065, 1067-68 (Ala. 1993) (denying the motion for

summary judgment on the negligence per se claim simply because the FDCA does

not provide a private right of action for damages: “However, the plaintiffs in this

case are not suing directly under the F.D.C.A or its accompanying regulations.

Rather, they are relying on the regulations to establish a duty or standard of

21

care”); Harden v. Danek Med., Inc., 985 S.W. 2d 449, 452 (Tenn. 1998) (stated that

violations of FDCA statute which did not provide for a private right of action could

be the basis of negligence per se action; summary judgment granted on other

grounds).

Other federal courts have also held that negligence per se claims may in fact

be based on violations of HIPAA. See, e.g., K.V. & S.V. v. Women’s Healthcare

Network, LLC, No. 07-0228-CV-W-DW, 2007 WL 1655734, at *1 (W.D. Mo. June 6,

2007) (holding that plaintiff’s negligence per se claim that relied on HIPAA did

state a cause of action); I.S. v. Washington Univ., No. 4:11CV235SNLJ, 2011 WL

2433585, at *2 (E.D. Mo. June 14, 2011) (“[T]he Court finds that Count III may

stand as a state claim for negligence per se despite its exclusive reliance upon

HIPAA.”); Harmon v. Maury Cnty., No. 1:05 CV 0026, 2005 WL 2133697, at *3, *4

(M.D. Tenn. Aug. 31, 2005) (granting a motion to remand to state court for a state

law negligence per se claim based on HIPAA).

State courts have also held that negligence per se claims based on violations

of HIPAA are permissible. See Acosta v. Byrum, 638 S.E.2d 246, 251 (N.C. Ct. App.

2006) (holding that plaintiff’s negligence per se claim that relied on HIPPA

was sufficient); Sorenson v. Barbute, 143 P.3d 295, 300-01, n.2. (Utah Ct. App.

2006), aff’d, 177 P.3d 614 (Utah 2008); See also Walgreen Co. v. Hinchy, 21 N.E.3d

99, 109-110 (Ind. Ct. App. 2014).

In the case at bar, Hope is bringing a claim of Missouriana state law

negligence per se because B&T’s “actions violated the Health Insurance Portability

22

and Accountability Act of 1996 (HIPAA), Pub L. No. 104-191, 110 Stat. 1936

(codified as amended in scattered sections of 42 U.S.C.), and its implementing

regulations, 45 C.F.R. §§ 164.302-.318 (2015), because B&T failed to properly secure

his ePHI.” C.R. 4. The district court in the case at bar relies on a case from the Ohio

Court of Appeals that states that HIPAA cannot be the basis for a negligence per se

claim because of the statute’s lack of private right of action. C.R. 12. However, this

Court has accepted the use of different federal statutes that also lack a private right

of action as the basis for state law negligence per se claims. Merrell Dow. In Merrell

Dow, the Court examined the jurisdiction for a negligence per se claim based on the

mislabeling of the drug Bendectin, which was considered “misbranding” and in

violation of the FDCA. Id at 822. The Court held this despite FDCA not providing a

private right of action. Id. The same approach by this Court should be taken for

HIPAA. Simply because HIPAA does not provide for a private right of action, does

not mean that a state law negligence per se claim based on a violation HIPAA is

barred because it has been accepted by countless courts of law higher than those

cited in the trial court’s opinion.

The district court also claims that aside from the lack of private right of

action, Hope cannot bring his negligence per se claim based on a violation of

HIPAA’s regulations concerning the encryption of ePHI because HIPAA does not

require the records to be encrypted unless the covered entity decides that

implementation of an encryption system is “reasonable and appropriate.” C.R. 13.

However, if an entity decides that the encryption implementation is not reasonable

23

and appropriate, this decision must be documented and explained, in addition to the

implementation of an equivalent alternative measure that is reasonable and

appropriate. APPENDIX II -- ADMINISTRATIVE NOTICES AND GUIDANCE,

2005 WL 4172330. Because B&T implemented the encryption system in lieu of

documenting why that method was neither reasonable nor appropriate given their

circumstances, it can be presumed that B&T evaluated their circumstances and

determined that encryption was reasonable and appropriate and thus are required

under HIPAA to maintain their encryption system. Thus, Hope may bring a claim of

negligence per se based on the violation of the security provisions of HIPAA.

Based on the information provided and the large body of legal precedent,

Hope should be allowed to pursue his state law negligence per se claim based on the

violations of the privacy and security regulations laid forth in HIPAA. Accordingly,

we ask this Court to affirm the lower court’s ruling on this point.

B. Hope is able to bring a claim of general negligence because HIPAA’s well-

established regulations effectively delineate the standard of care for how

personal information should be stored and secured.

In the event that this Court does not find the above argument persuasive,

Hope is still able to sue for general negligence. Missouriana state law imposes a

duty to safeguard personally identifiable health records because Missouriana has

recognized that individuals have a general right of privacy in their medical records.

C.R. 23; Hanson v. Jones Medical Ctr., 199 Mis. 2d 321, 333 (2002) (holding medical

center liable for public disclosure of private facts when it disclosed results of wife’s

pregnancy test to her estranged husband without her consent). The appellate court

points to case law that explains that since Missouriana case law does not have a

24

case that is on point regarding Missouriana’s right of privacy and how it would

apply to a pharmaceutical company, this court has the duty to “arrive at the

decision which reason dictates, with the faith that the state courts will arrive at the

same decision.” C.R. 23; See, e.g., Ins. Co. of N. Am. v. English, 395 F.2d 854

(5th Cir. 1968). Thus, we ask this Court to establish that it is appropriate to look

towards HIPAA as a guidepost for general negligence claims for determining the

standard of care for pharmaceutical companies regarding the protection of the right

of privacy in medical records.

A number of state courts have already allowed HIPAA to be used as a guide

for the standard of care in state law negligence claims. For example, the State of

Delaware has held specifically that HIPAA may be used as a guidepost for

determining the applicable standard of care for a pharmaceutical

company. Fanean v. Rite Aid Corp. of Delaware, Inc., 984 A.2d 812 (Del. Super. Ct.

2009). Other state courts have also allowed HIPAA to guide the standard of care in

other state law negligence cases. Byrne v. Avery Ctr. for Obstetrics & Gynecology,

P.C., 102 A.3d 32, 42 (Conn. 2014) (concluding that HIPAA regulations may well

inform the applicable standard of care in certain circumstances); Acosta, 638 S.E.2d

at 251 (“Here, defendant has been placed on notice that plaintiff will use... HIPAA

to establish the standard of care. Therefore, plaintiff has sufficiently pled the

standard of care in her complaint.”); Young v. Carran, 289 S.W.3d 586, 589 (Ky. Ct.

App. 2008) (observing that state case law permits use of federal statutes to inform

the standard of care in common-law negligence claims); Sorensen, 143 P.3d at 300-

25

01 no.2 (holding that Sorensen had stated a cause of action for negligence, implying

that the Privacy Rule found in HIPAA can be used to show the standard of

care); R.K. v. St. Mary's Med. Ctr., Inc., 735 S.E.2d 715, 724 (W. Va. 2012) (“state

common-law claims for the wrongful disclosure of medical or personal information .

. . compliment HIPAA by enhancing the penalties for its violation and thereby

encouraging HIPAA compliance”); ¶ 186,938 Lisa Andrews, Plaintiff, v. Family

Dollar Stores of Oklahoma, Inc., And Barbara Robinson, Defendants., Labor

& Empl. L. P 186938 (allowing plaintiff to bring state tort claims using HIPAA to

show the outrageousness of the conduct of defendants). State courts have also

allowed other federal laws to guide the standard of care in state law negligence

cases. Scheele v. Rains, 874 N.W. 2d 867, 872-73 (Neb. 2016) (“This court has

concluded on various occasions that the violation of a regulation or statute is not

negligence per se, but may be evidence of negligence to be considered with all the

other evidence in the case”).

Federal courts have also allowed state law negligence claims that looked to a

federal statute to determine the standard of care applicable. Grove Fresh

Distributors, Inc. v. Flavor Fresh Foods, Inc., 720 F. Supp. 714, 716 (N.D. Ill. 1989)

(allowing claim to proceed where FDCA regulation was basis for standard of

care). Grove Fresh explains that in fact, “[n]othing prohibits Grove Fresh from using

the FDCA or its accompanying regulations in that fashion.” Grove Fresh

Distributors, Inc., 720 F. Supp. at 716.

26

There are cases to the contrary as well; stating that in those cases, the courts

could not look to HIPAA to inform on the standard of care in negligence

cases. Sheldon v. Kettering Health Network, 40 N.E.3d 661, 672 (Ohio

2015). Sheldon is distinguishable from the case at bar because in that case, the

plaintiffs were claiming that HIPAA creates a standard of care that requires the

regular running of “epic clarity reports” to ensure there had not been instances of

improper access to the medical information. Id at ¶16. In the case at bar, Hope is

claiming that HIPAA creates a standard of care for pharmaceutical companies to

adequately encrypt medical information if the company finds that course of action is

reasonable and appropriate. C.R. 11. Because HIPAA’s security standards do guide

companies to take this course of action as alleged by Hope, it is proper to look to

HIPAA in the case at bar to determine the standard of care, despite the fact that it

was inappropriate in Sheldon.

This Court has the duty to arrive at the decision that reason dictates to

ensure that states apply the law uniformly. Missouriana law states that there is a

right to privacy regarding medical records. Reason concludes that this duty would

extend to pharmaceutical companies. Following the reasoning of cases such

as Fanean, and acknowledging the distinction to cases such as Sheldon, this Court

should reach the conclusion that Hope’s claim of general negligence based on a

violation of the duty put forth in HIPAA regulations states a valid claim.

Because it is an accepted practice to apply state law negligence per se claims

to federal statutes despite the lack of a private right of action, Hope properly states

27

a claim for negligence per se. Additionally, since it is reasonable to use HIPAA as a

guide and extend Missouriana’s state law duty to protect medical records to

pharmaceutical companies, Hope also properly states a claim for general negligence.

Accordingly, the court should affirm the lower court’s ruling to reverse the dismissal

of Hope’s claims.

CONCLUSION

For the foregoing reasons, Mr. Anthony Hope respectfully requests this Court

affirm the judgement of the Court of Appeals of the Thirteenth Circuit.

Respectfully Submitted,

Team 2727

Team 2727

Counsel for Respondent

Date: September 20, 2018

28

A

APPENDIX A

US Const. Art. III, § 2, Cl.1

The judicial Power shall extend to all Cases, in Law and Equity, arising

under this Constitution, the Laws of the United States, and Treaties made, or

which shall be made, under their Authority;--to all Cases affecting

Ambassadors, other public Ministers and Consuls;--to all Cases of admiralty

and maritime Jurisdiction;--to Controversies to which the United States shall

be a Party;--to Controversies between two or more States;--between a State

and Citizens of another State;--between Citizens of different States,--between

Citizens of the same State claiming Lands under Grants of different States,

and between a State, or the Citizens thereof, and foreign States, Citizens or

Subjects.

B

APPENDIX B

Fed. Rules Civ. P. R. 12(b)(1)

(b) How to Present Defenses. Every defense to a claim for relief in any

pleading must be asserted in the responsible pleading if one is required. But

a party may assert the following defenses by motion:

(1) lack of subject-matter jurisdiction; . . .

C

APPENDIX C

Fed. R. Civ. P. R. Rule 12(b)(6)

(b) How to Present Defenses. Every defense to a claim for relief in any

pleading must be asserted in the responsive pleading if one is required. But a

party may assert the following defenses by motion:

(6) failure to state a claim upon which relief can be granted; and . . .

D

APPENDIX D

HIPAA Security Standards - 45 C.F.R. § 164.306(a)(1)

(a) General requirements. Covered entities and business

associates must do the following:

(1) Ensure the confidentiality, integrity, and availability of all

electronic protected health information the covered entity or

business associate creates, receives, maintains, or transmits.

E

APPENDIX E

HIPAA Technical Safeguards - 45 C.F.R. § 164.312(a)(1)

(a) A covered entity or business associate must, in accordance with

§164.306:

(1)Standard: Access control. Implement technical policies and

procedures for electronic information systems that

maintain electronic protected health information to allow access only

to those persons or software programs that have been granted access

rights as specified in § 164.308(a)(4).