Stapleton v. Tampa Bay Surgery Center, Inc.
Filing
15
ORDER: Defendant's Motion to Dismiss Plaintiffs' First Amended Class Action Complaint 12 is GRANTED. The Amended Complaint 4 is DISMISSED WITHOUT PREJUDICE. Plaintiffs have thirty (30) days to file an amended complaint that allege s an injury in fact if Plaintiffs are able to do so. Failure to file an amended complaint within thirty (30) days will result in this case being closed without further notice. Plaintiffs' Motion for Class Certification 11 is DENIED WITHOUT PREJUDICE as moot. Signed by Judge James S. Moody, Jr. on 8/30/2017. (LN)
<![CDATA[
UNITED STATES DISTRICT COURT
MIDDLE DISTRICT OF FLORIDA
TAMPA DIVISION
JANIE STAPLETON, on her own behalf
and on behalf of her minor child, C.P.,
DAVID PACKEN, on his own behalf and
on behalf of his minor child, D.J., and
CARMELO ALVAREZ, JR. on his own
behalf and on behalf of his minor child,
K.R.A.,
Plaintiffs,
v.
Case No: 8:17-cv-1540-T-30AEP
TAMPA BAY SURGERY CENTER,
INC.,
Defendant.
ORDER
Plaintiffs C.P., D.J., and K.R.A. are patients of Tampa Bay Surgery Center, Inc.
(“TBSCI”), whose parents provided sensitive information about them to TBSCI. TBSCI’s
patient database was hacked, and C.P., D.J., and K.R.A.’s information was briefly posted
online, along with the information of more than 142,000 other patients. Although no patient
has had their information misused as a result of the data breach, Plaintiffs are suing TBSCI.
The Court concludes the action should be dismissed because Plaintiffs have not suffered
an injury in fact and, thus, lack standing to sue.
FACTUAL BACKGROUND
C.P., D.J., and K.R.A. are minor children who were patients at TBSCI. (Doc. 4, ¶
4). As patients, the children’s parents were required to provide information to TBSCI,
including the children’s names, dates of birth, home addresses, and social security numbers
(the “Sensitive Information”). (Doc. 4, ¶ 5). TBSCI stored this Sensitive Information
electronically in a patient database. (See Doc. 4, ¶ 36).
In May 2017, a hacker breached TBSCI’s database and published C.P., D.J., and
K.R.A.’s Sensitive Information on a public file-sharing website, along with the Sensitive
Information of more than 142,000 other TBSCI patients. (Doc. 4, ¶ 4). Plaintiffs do not
allege that any of the Sensitive Information has been used. Instead, Plaintiffs allege they
are at an increased risk of having their identity stolen and are compelled to incur the costs
of credit monitoring/identity theft protection. (Doc. 4, ¶ 10). At least one Plaintiff, C.P.’s
mother Janice Stapleton, purchased identity theft protection. (Doc. 4, ¶ 8).
TBSCI admits that the data breach occurred and that the Sensitive Information was
briefly posted online before being removed. (Doc. 12). After the data breach, TBSCI
provided free identity protection services to Plaintiffs and other potentially affected
patients. (Doc. 12, p. 3–4). 1 The identity theft protection services TBSCI provided locks
the affected patient’s credit file to prevent access and sends an alert if someone attempts to
use the patient’s information to open a new line of credit. (Doc. 12, p. 3 n.3).
1
The Court construes TBSCI’s motion as a factual challenge to subject-matter jurisdiction and considers
the exhibits provided in its response. See Houston v. Marod Supermarkets, Inc., 733 F.3d 1323, 1336 (11th
Cir. 2013) (explaining, “[I]n a factual challenge to subject matter jurisdiction, a district court can ‘consider
extrinsic evidence such as deposition testimony and affidavits.’”).
2
In June 2017, Plaintiffs sued TBSCI in a putative class action suit for negligence,
breach of fiduciary duty, and invasion of privacy, all under Florida law. TBSCI now moves
to dismiss arguing the Court has no jurisdiction because Plaintiffs lack standing. 2
LEGAL STANDARD
Federal Rule of Civil Procedure 12(b)(1) allows a complaint to be dismissed for
lack of subject-matter jurisdiction. A district court has subject-matter jurisdiction if the
claims present a case or controversy under the Constitution and there is standing. Resnick
v. AvMed, Inc., 693 F.3d 1317, 1323 (11th Cir. 2012). A plaintiff bears the burden of
proving standing, which requires a showing that “(1) it has suffered an ‘injury in fact’ that
is (a) concrete and particularized and (b) actual or imminent, not conjectural or
hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and
(3) it is likely, as opposed to merely speculative, that the injury will be redressed by a
favorable decision.” Id. (quoting Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC),
Inc., 528 U.S. 167, 180–81, 120 S.Ct. 693, 704, 145 L.Ed.2d 610 (2000)).
At the pleading stage, the injury element can be satisfied by “general factual
allegations of injury resulting from the defendant’s conduct.” Lujan v. Defs. of Wildlife,
2
While not raised by TBSCI, the Court is also concerned about whether Plaintiffs sufficiently alleged
subject-matter jurisdiction under 28 U.S.C. § 1332(d)(2). Under this subsection, Plaintiffs bear the burden
of demonstrating minimal diversity—that at least one proposed class member is diverse from TBSCI, a
citizen of Florida. Handforth v. Stenotype Inst. of Jacksonville, Inc., No. 309-CV-361-J-32MCR, 2010 WL
55578, at *2 (M.D. Fla. Jan. 4, 2010) (quoting Lowery v. Ala. Power Co., 483 F.3d 1184, 1194 n. 24 (11th
Cir.2007)). All Plaintiffs allege is that “at least one member of the putative class is a citizen of a state
different from Defendant.” (Doc. 4, ¶ 14). This conclusion is not supported by any factual allegation. If
Plaintiffs choose to file an amended complaint, the Court cautions them to consider whether their
jurisdictional allegations are sufficient.
3
504 U.S. 555, 561, 112 S. Ct. 2130, 2137, 119 L. Ed. 2d 351 (1992). An allegation of
imminent injury may suffice if the threatened injury is “certainly impending,” or there is a
“‘substantial risk’ that the harm will occur.” Clapper v. Amnesty Int'l USA, 568 U.S. 398,
414 n. 5, 133 S. Ct. 1138, 1150 n. 5, 185 L. Ed. 2d 264 (2013). But “‘[a]llegations
of possible future injury’ are not sufficient.” Id. at 409 (quoting Whitmore v. Arkansas, 495
U.S. 149, 158, 110 S. Ct. 1717, 1724, 109 L. Ed. 2d 135 (1990)). So a future injury will
not confer standing if it relies on an “attenuated chain of inferences necessary to find harm.”
Id. at 414 n. 5; see also Lujan, 504 U.S. at 564, (“Although imminence is concededly a
somewhat elastic concept, it cannot be stretched beyond its purpose, which is to ensure that
the alleged injury is not too speculative for Article III purposes—that the injury
is certainly impending.”).
DISCUSSION
The issue of whether a data breach on its own is an “injury in fact” is novel for this
Court and has not been addressed by the Eleventh Circuit. Other circuit courts have reached
conflicting conclusions, with the Sixth, Seventh, Ninth, and D.C. Circuits holding data
breach victims have standing because they are at a substantial risk of injury, and the First,
Second, Third, and Fourth Circuits holding data breach victims lacked standing. 3 So there
3
Compare Attias v. Carefirst, Inc., No. 16-7108, 2017 WL 3254941, at *6 (D.C. Cir. Aug. 1, 2017)
(holding, "No long sequence of uncertain contingencies involving multiple independent actors has to occur
before the plaintiffs in this case will suffer any harm; a substantial risk of harm exists already, simply by
virtue of the hack and the nature of the data that the plaintiffs allege was taken.); Galaria v. Nationwide
Mut. Ins. Co., No. 15–3386, 663 Fed. Appx. 384, 387–89, 2016 WL 4728027, at *3 (6th Cir. Sept. 12,
2016) (plaintiff-customers' increased risk of future identity theft theory established injury-in-fact after
hackers breached Nationwide Mutual Insurance Company's computer network and stole their sensitive
personal information, because “[t]here is no need for speculation where Plaintiffs allege that their data has
already been stolen and is now in the hands of ill-intentioned criminals”); Remijas v. Neiman Marcus Grp.,
4
is no clear consensus as to how the issue should be resolved. Considering the arguments
on both sides, the Court agrees with TBSCI that Plaintiffs did not alleged an injury in fact.
To satisfy standing, Plaintiffs must prove an imminent injury. While Plaintiffs allege
two categories of harm—(1) their risk of being victims of identity theft as a result of the
data breach and (2) the costs Plaintiff Stapleton has incurred and others may incur for credit
monitoring/identity theft protection—both categories require Plaintiffs to show there is at
least a substantial risk their Sensitive Information will be used in a harmful manner. That
is because the second category—Plaintiff Stapleton’s payment for credit monitoring and
LLC, 794 F.3d 688, 692, 694–95 (7th Cir. 2015) (plaintiff-customers' increased risk of future fraudulent
charges and identity theft theory established “certainly impending” injury-in-fact and “substantial risk of
harm” after hackers attacked Neiman Marcus with malware to steal credit card numbers,
because “[p]resumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume
those consumers' identities”); Krottner v. Starbucks Corp., 628 F.3d 1139, 1142–43 (9th Cir.
2010) (plaintiff-employees' increased risk of future identity theft theory a “credible threat of harm” for
Article III purposes after theft of a laptop containing the unencrypted names, addresses, and social security
numbers of 97,000 Starbucks employees); Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629, 632–34 (7th Cir.
2007) (banking services applicants' increased risk of harm theory satisfied Article III injury-in-fact
requirement after “sophisticated, intentional and malicious” security breach of bank website compromised
their information); with Katz v. Pershing, LLC, 672 F.3d 64, 80 (1st Cir. 2012) (brokerage account-holder's
increased risk of unauthorized access and identity theft theory insufficient to constitute “actual or
impending injury” after defendant failed to properly maintain an electronic platform containing her account
information, because plaintiff failed to “identify any incident in which her data has ever been accessed by
an unauthorized person”); Reilly v. Ceridian Corp., 664 F.3d 38, 40, 44 (3d Cir. 2011) (plaintiff-employees'
increased risk of identity theft theory too hypothetical and speculative to establish “certainly impending”
injury-in-fact after unknown hacker penetrated payroll system firewall, because it was “not known whether
the hacker read, copied, or understood” the system's information and no evidence suggested past or future
misuse of employee data or that the “intrusion was intentional or malicious”); Beck v. McDonald, 848 F.3d
262, 275 (4th Cir.), cert. denied sub nom. Beck v. Shulkin, 137 S. Ct. 2307 (2017) ("Indeed, for the Plaintiffs
to suffer the harm of identity theft that they fear, we must engage with the same “attenuated chain of
possibilities” rejected by the Court in Clapper. 133 S.Ct. at 1147–48. In both cases, we must assume that
the thief targeted the stolen items for the personal information they contained. And in both cases, the thieves
must then select, from thousands of others, the personal information of the named plaintiffs and attempt
successfully to use that information to steal their identities. This “attenuated chain” cannot confer
standing.); Whalen v. Michaels Stores, Inc., No. 16-260 (L), 2017 WL 1556116, at *1 (2d Cir. May 2, 2017)
(concluding a customer who had her card information stolen had not suffered an injury in fact because she
changed her card information so there was no threat of future harm).
5
identity theft protection—would not be an actual injury unless there was already a
substantial risk of identity theft. Clapper, 568 U.S. at 416 (holding, “respondents cannot
manufacture standing merely by inflicting harm on themselves based on their fears of
hypothetical future harm that is not certainly impending.”). So Plaintiffs only have standing
if their alleged injury is certainly impending or if there is a substantial risk of injury.
The Court concludes Plaintiffs’ allegations are insufficient to show that an injury is
certainly impending or that they have a substantial risk of imminent injury. First, Plaintiffs
are unable to identify a single proposed class member who has had their Sensitive
Information misused as a result of the data breach. See Torres v. Wendy's Co., 195 F. Supp.
3d 1278, 1283 (M.D. Fla. 2016) (discussing the number of plaintiffs who have experienced
fraudulent charges as an “influential factor” in determining whether future harm is
“certainly impending”). The lack of a single, identifiable instance of identity theft out of
the more than 142,000 patients indicates that there is no substantial risk of imminent injury.
Second, TBSCI has also lessened Plaintiffs’ risks of imminent injury by providing
free credit monitoring to all of those potentially affected by the data breach. Because the
protection locks the credit reports of the affected patients, TBSCI mitigated the risk of
Plaintiffs having their Sensitive Information misused in a way that causes them harm.
Finally, Plaintiffs allegations rely on a chain of inferences that is too attenuated to
constitute imminent harm. Plaintiffs’ argument requires the following chain of events
before they would suffer harm: (1) that their Sensitive Information was viewed when made
available online for a short period of time, (2) that someone downloaded that Sensitive
Information while it was available online, (3) that someone will use the Sensitive
6
Information, and (4) that the protection provided by TBSCI would be inadequate to prevent
the misuse of the Sensitive Information. Absent additional allegations indicating the events
in the chain are likely to occur, the Court cannot conclude an injury is certainly impending.
CONCLUSION
For these reasons, the Court concludes Plaintiffs’ allegations of harm are too
speculative to constitute an imminent injury. While Plaintiffs argue that the mere fact that
there was data breach is sufficient to constitute an imminent injury, the Court cannot agree
with that sort of ipse dixit reasoning. Something more than the mere data breach must be
alleged before Plaintiffs can show they have a substantial risk of injury. Lacking any
allegations that would show any harm is certainly impending, Plaintiffs failed to
demonstrate standing, and this Court lacks jurisdiction over their claims. 4
Accordingly, it is ORDERED AND ADJUDGED that:
1.
Defendant's Motion to Dismiss Plaintiffs' First Amended Class Action
Complaint (Doc. 12) is GRANTED.
2.
The Amended Complaint (Doc. 4) is DISMISSED WITHOUT PREJUDICE.
Plaintiffs have thirty (30) days to file an amended complaint that alleges an
injury in fact if Plaintiffs are able to do so. Failure to file an amended
complaint within thirty (30) days will result in this case being closed without
further notice.
4
TBSCI raises several other arguments in its Motion that the Court declines to address given the
conclusion that Plaintiffs did not allege an injury in fact.
7
3.
Plaintiffs’ Motion for Class Certification (Doc. 11) is DENIED WITHOUT
PREJUDICE as moot.
DONE and ORDERED in Tampa, Florida, this 30th day of August, 2017.
Copies furnished to:
Counsel/Parties of Record
8
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
