New York Court Finds Exposure of PII Causes Concrete Harm

A New York District Court has considered a global professional services firm’s (“Defendants”) motion to dismiss a proposed class action brought by former emloyees (“Plaintiffs”).

Class Action

The Plaintiffs case was in relation to a data breach in which their personally-identifiable information (PII) was accessed. An unauthorized action used a vulnerability in a third party’s software to gain access to the information. This resulted in the disclosure of Social Security numbers and other federal tax ID numbers.

It was argued that the Defendant inadequately protected the PII, did not warn anyone about the poor security practices, did not effectively secure the hardware containing the information. The Plaintiffs argued that as a result of this they have suffered injuries which include:

  • Lost or diminished value of PII
  • Out-of-pocket expenses associated with the prevention, detection and recovery from:
    • Identity theft
    • Tax fraud
    • Unauthorized use of PII
  • Lost opportunity costs related with attempting to mitigate the actual consequences of the data breach, including:
    • Lost time
    • Continued and increased risk to their PII
      • which remained unencrypted and available to other unauthorized third parties.


The Defendants have moved to dismiss the Complaint for lack of subject-matter jurisdiction and failure to state a claim upon which relief may be granted. They state that they were always careful about sharing PII, never knowingly transmitted unencrypted sensitive PII over the internet and store any documents containing PII in a safe and secure location. They go on to say that all usernames and passwords for any of their online accounts are always unique.

It was decided that the Plaintiffs fell short in claiming they have suffered legally cognizable injury.


To be cognizable under Florida or New York law damages fit certain criteria. Mainly, they must be capable of proof with reasonable certainty and not merely speculative.

It was determined that the damages talked about were merely speculation and was based on harm being caused at a later date. This is not enough to bring a case against the Defendants for their actions.

The motion to dismiss was granted.

Value Privacy are all about making sure your data is protected and handled correctly. Cases like this are costly, even if it does not result in a fine or penalty the repetitional costs can be very damaging. Contact us to find out how we can look after your privacy and data.

Previous Post

Missouri Complaint Alleges Concealment of a Data Breach

Next Post

Massachusetts Moving Closer to a New Privacy Law

Related Posts