Anjali C. Das

​Anjali Das (Partner-Chicago) obtained dismissal of six of eight claims in a Data Breach Class Action filed against a health care provider arising out of a cybersecurity incident that potentially exposed patient health information. Plaintiff filed suit in Minnesota Federal Court on behalf of a Class consisting of nearly 12,000 patients whose information was allegedly compromised as a result of the underlying incident. Wilson Elser convinced plaintiffs to voluntarily dismiss that action for failure to satisfy the federal Class Action Fairness Act requirements. Plaintiffs proceeded to refile their case in Minnesota State Court seeking damages for negligence, negligence per se, invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, breach of confidence and consumer fraud. Wilson Elser filed a motion to dismiss the State Court action for lack of subject-matter jurisdiction and failure to state a claim for which relief may be granted. 

In dismissing plaintiff’s invasion of privacy claim, the Court noted that “[h]ere, there is no intentional act alleged against [defendant]. [Plaintiff’s] allegation is only that [defendant’s] cybersecurity must have been lacking, which allowed a nonparty cybercriminal to infiltrate [plaintiff’s] PII [personally identifiable information].  [Plaintiff] clearly alleges an intentional act by the cybercriminal, no intentional act on the part of [defendant] to intrude upon his seclusion is alleged. In fact, [defendant] could not intrude into [plaintiff’s] private affairs because a core allegation made by [plaintiff] is that he provided the information to [defendant] willingly.”

With respect to the two surviving claims, the Court expressed its skepticism that plaintiff would ultimately be able to prove these claims “[i]n light of the highly sophisticated businesses and governments that have been subject to similar cybercrimes.”

This favorable ruling from the Minnesota State Court will make it increasingly difficult for plaintiffs to successfully assert claims against organizations that have been the victim of cyberattacks.