Melissa A. Murphy-Petros

In a victory for data breach class action defendants in New York State, Wilson Elser’s national Cybersecurity & Data Privacy and Appellate Teams worked together to create favorable law in a case of first impression in New York’s appellate courts, Greco v. Syracuse ASC, LLC, 2023 N.Y. App. Div. LEXIS 4032 (4th Dep’t 2023).

In Greco, defendant Syracuse ASC – an outpatient surgical center – was the victim of a cyberattack, like thousands of other organizations targeted by cybercriminals every single day through no fault of their own.  Plaintiff, who had received medical treatment at defendant’s facility, commenced a putative class action seeking to recover damages allegedly arising from unauthorized access of her personal information stored on defendant’s servers by an unknown third party.  Defendant filed a motion to dismiss the complaint based in part on plaintiff’s failure to demonstrate that she had suffered an injury-in-fact or standing to bring suit.  The trial court denied the motion to dismiss, and defendant appealed.

In a decision entered by the New York Appellate Division – Fourth Department on July 28, 2023, the appellate court agreed with defendant’s position that the trial court erred in denying the motion to dismiss based on lack of standing. 

Working on the case for Wilson Elser were Anjali C. Das, Co-Chair, Cybersecurity & Data Privacy Team and Melissa A. Murphy-Petros, Chair, Appellate Team.

The appellate court observed that “this is the first time the Appellate Division has been asked to address the issue of standing in this context, i.e., in a case brought by an individual whose information was involved in a larger electronic data breach or whose personal data was otherwise involved in the unauthorized access of electronic files stored on a computer system.”
 
The appellate court further noted that although the rise of cyberattacks resulting in unauthorized access to electronic data “is a relatively modern issue,” plaintiff still had to demonstrate that she suffered an injury-in-fact that was both sufficiently concrete and non-speculative in order to establish standing to bring the action: “[t]he novel issue presented is simply what circumstances, specific to this context, create an injury that is sufficiently concrete and non-speculative to constitute an injury-in-fact.”

In its analysis of plaintiff’s standing and allegations of injury in the context of a data breach class action, the appellate court made two key findings.

First, the appellate court observed that New York State trial courts confronting the issue have considered the following factors in similar cases and determined that these are the correct factors to consider in a data breach standing analysis:

Second, in applying the foregoing factors to the case before it, the appellate court found that the plaintiff’s personal information was not misused; that the personal information of all others involved in the data breach at issue was not misused; that more than one year had lapsed since the date of the breach without any misuse; and that plaintiff’s personal information that was accessible to unauthorized third parties during the data breach was limited to health information only, and did not include her Social Security number, date of birth, credit card numbers, or other such information that could be used to commit financial crimes.

Greco is precedential in New York State and its analysis will govern future data breach cases in that jurisdiction going forward.