InfoBytes Blog
California Federal Court Dismisses Data Loss Class Action Because No Immediate Harm Exists
On January 20, the U.S. District Court for the Eastern District of California dismissed a putative class action brought on behalf of California residents against a company that lost multiple server drives containing personal and medical information. Whitaker v. Health Net of Cal., Inc. No. 11-910, 2012 WL 174961 (E.D. Cal. Jan. 20, 2012). The named plaintiff alleged that the loss of the drives and personal information violated California’s Confidentiality of Medical Information Act. Relying on Ninth Circuit decisions in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) and Ruiz v. Gap Inc., No. 09-15971, 380 F. Appx. 689 (9th Cir. May 28, 2010), the plaintiff argued that the threat of harm naturally stems from a loss of data alone. The court held, however, that there is a difference between theft and loss of data. Unlike those prior cases in which personal data was obtained by hacking or data breach, loss of data does not present any actual or immediate harm, only conjectural or hypothetical harm. The court held that the plaintiff lacked standing and dismissed the case with leave to amend because the possibility of harm is not sufficient to meet the constitutional injury-in-fact standard.