Claim Arising from Data Breach Dismissed for Lack of Allegations of Actual Injury Resulting from the Breach

On July 28, 2023, the Fourth Department issued a decision in Greco v. Syracuse ASC, LLC, 2023 NY Slip Op. 03987, holding that a plaintiff asserting claims arising from a data breach lacked standing because she did not allege damage resulting from the breach, explaining:

[W]e agree with defendant that Supreme Court erred in denying its motion to dismiss the complaint. In order to possess standing, plaintiff was required, inter alia, to have suffered an injury-in-fact. The injury-in-fact requirement necessitates a showing that the party has an actual legal stake in the matter being adjudicated and that the party has suffered a cognizable harm that is not tenuous, ephemeral, or conjectural, but is, instead, sufficiently concrete and particularized to warrant judicial intervention. An alleged injury will not confer standing if it is based on speculation about what might occur in the future or what future harm might be incurred.

The parties correctly note that this is the first time the Appellate Division has been asked to address the issue of standing in this context, i.e., in a case brought by an individual whose information was involved in a larger electronic data breach or whose personal data was otherwise involved in the unauthorized access of electronic files stored on a computer system. Although the rise of unauthorized access to secure electronic systems, resulting in third parties obtaining the information stored thereon, is a relatively modern issue, the injury-in-fact requirement recognized in other contexts applies equally here. Thus, the novel issue presented is simply what circumstances, specific to this context, create an injury that is sufficiently concrete and non-speculative to constitute an injury-in-fact.

Analyzing similar issues, New York trial courts have looked to certain considerations, such as the type of personal information that was compromised; whether hackers or cybercriminals were involved and whether the attack was targeted; whether personal information was exfiltrated, published, or otherwise disseminated; whether the data has actually been misused; and the length of time that has elapsed since the data breach without misuse of the personal information at issue. Addressing the issue under the distinct Federal standing analysis, the Second Circuit has looked to conceptually similar considerations, such as whether the data was accessed via a targeted attack or an inadvertent disclosure, whether some of the data accessed has actually been misused even if plaintiff’s data has not yet been specifically misused, and whether the type of data at issue has exposed plaintiff to a greater risk. Given the numerous circumstances under which such data breaches may occur, many of those considerations may not apply in all cases and additional considerations may become relevant. Nevertheless, the core of the analysis remains the same: whether plaintiff has suffered a sufficiently concrete and non-speculative injury to satisfy the injury-in-fact requirement.

Here, having considered all relevant circumstances as alleged in the complaint, we conclude that plaintiff has not alleged an injury-in-fact and thus lacks standing. Perhaps most importantly, plaintiff has not alleged that any of the information purportedly accessed by the unknown third party has actually been misused. Plaintiff has not alleged that her own information has been misused or that the data of any similarly situated person has been misused in the over one-year period between the alleged data breach and the issuance of the trial court’s decision. Further, the complaint itself alleges that a third party accessed health information only. It does not allege that a third party accessed data more readily used for financial crimes such as dates of birth, credit card numbers, or social security numbers. Indeed, other than a general concern that certain of plaintiff’s health information may have been illegally accessed by a third party, plaintiff does not allege any direct harm flowing from the breach of defendant’s electronic system. We conclude that plaintiff failed to allege an injury-in-fact inasmuch as the potential for future misuse of her data and possible economic harm is too conjectural, tenuous and hypothesized to constitute an interest that is sufficiently concrete to confer standing. To the extent that plaintiff also contends that she established an injury-in-fact by virtue of the cost of identity protection and other mitigation efforts, we conclude that such mitigation efforts cannot confer standing absent a sufficiently concrete injury-in-fact legitimizing or warranting such efforts. A plaintiff cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending. Reviewing the complaint, we conclude that plaintiff has not otherwise alleged an injury-in-fact that would confer standing to bring this action.

(Internal quotations and citations omitted).
