Gordon Rees Scully Mansukhani Partners John Mills and Joseph Salvo, with Associate Michi Rodriguez, secured the dismissal of a putative data breach class action filed in the Supreme Court of the State of New York, Otsego County, against the firm’s client, a private liberal arts college in upstate New York.
The lawsuit stemmed from a cybersecurity incident impacting the client’s systems, which may have resulted in the unauthorized access or acquisition of certain personal information, including names and Social Security numbers. The client provided notice of the incident together with an offer of complimentary credit monitoring and identity theft protection services. After receiving notice of the incident, the plaintiff filed suit, asserting common law and statutory claims on behalf of herself and a putative class of all individuals whose information was potentially impacted in the incident. The plaintiff alleged a heightened risk of identity theft and fraud, time and costs spent in response to the incident, compromise of her personal information, and emotional distress.
In moving to dismiss, the GRSM team argued that the plaintiff lacked standing because she failed to allege any actual or imminent injury, as she alleged injuries and damages that had not yet materialized and did not allege any actual misuse, such as identity theft, fraudulent charges, or unauthorized use of her personal information, as a result of the incident.
The court agreed, holding that, because the plaintiff did not allege any misuse of her personal information, any publication of the data, or any incidents of identity theft in the months following the incident, the “potential” for future misuse of personal information was “too conjectural, tenuous and hypothesized” to constitute a concrete injury. The court further concluded that mitigation efforts and costs associated with credit monitoring do not confer standing as a matter of law. Accordingly, the court dismissed the complaint in its entirety.
Notably, the court acknowledged that the appellate authority in the state of New York had dismissed similarly situated complaints involving data security incidents that impacted health information, but not social security numbers. Nonetheless, the court held that the alleged injuries were not sufficiently concrete to confer standing as a matter of law. The decision highlights a growing trend in New York courts to closely scrutinize speculative injury theories in data breach litigation.
This outcome also reflects the strength of GRSM’s Cyber, Privacy & Data Security team, which handles complex data breach litigation in healthcare, finance, and other sectors. Often partnering with privacy counsel to mitigate litigation risks, the team combines regulatory knowledge with strategic litigation experience to protect clients in evolving privacy and data security matters.