Court refuses to OK agreed-on settlement in cyber case

A federal district court has refused to approve an agreed-upon class action settlement of $60,000 in a cyber case where personal information was inadvertently released because there was no evidence of injury.

In June 2018, an employee of Lincoln, Maine-based Carlos Lopez & Associates LLC, which provides mental and behavioral health services to veterans and others, accidentally sent an email containing personal information on approximately 130 current and former CLA employees to a distribution list of current employees, about 65 people, according to Friday’s ruling by the U.S. District Court in New York in Robin Steven et al. v. Carlos Lopez & Associates and Carlos Lopez, individually. The ruling was publicized this week.

“Although there was no evidence that the personal information contained in the email was shared with anyone outside of CLA, let alone misused, several people whose information had been shared sued on behalf of a class of all those whose information had been shared, alleging negligence and violations of several states’ laws,” said the ruling.

Although a settlement in the case was reached, and a motion to approve the settlement and attorneys’ fees unopposed, the court refused to approve the settlement, on the basis there were no allegations of “injury in fact.”

Many courts “have held that plaintiffs alleging the theft of personal identifying information in a ‘data breach’ have standing to bring claims against the entity that had held their data based on an increased risk of future identity theft,” said the ruling.

These courts, however, do not include the 2nd U.S. Circuit Court of Appeals in New York, the circuit within which the District Court operates.

While the appeals court “did cite some of these cases, arguably with approval,” in all the cases in which it did “the data was intentionally stolen by hackers or cyber criminals who had intentionally targeted the data,” said the ruling.

“Notably, when pressed on the point at oral argument, Plaintiffs’ counsel could not name a single case in which a court had found standing based on the risk of future identity theft that did not arise from such an intentional act,” said the court, in denying the plaintiffs’ motion for approval of the settlement and dismissing the case.

Plaintiff attorney Abraham Z. Melamed, managing partner with Derek Smith Law Group PLLC in New York, said in a statement the $60,000 settlement included attorneys fees. 

Mr. Melamed said, “We are disappointed with the Court’s decision, and are evaluating our options including the possibility of appealing the decision to the Second Circuit Court of Appeals. 

“The issue of 'injury in fact' to give plaintiffs standing to sue in data breach cases is the subject of a circuit split. We are hopeful that this split will ultimately be resolved by the Supreme Court in favor of plaintiffs, by finding that victims of data breaches have an injury sufficient to give them standing to sue.”

Defense attorneys in the case could not be reached for comment.

In August, a federal appeals court struck down Google’s class action settlement meant to resolve claims it invaded the privacy of millions of computer users by installing “cookies” in their browsers, but paying those users nothing for their troubles.