Decision to Dismiss Excellus Data Breach Class Action Reversed in Favor of Plaintiffs

Excellus Data Breach LawsuitU.S. District Court Judge Elizabeth A. Wolford, who is presiding over the Excellus data breach class action, reinstated certain plaintiffs’ claims in a decision released on Friday that reconsidered and reversed her previous ruling dismissing those claims.

In a decision last February, Judge Wolford ruled that four of the twenty named plaintiffs in the class action could not proceed with their claims as they had not alleged any misuse of their personally identifiable information due to the breach. According to this ruling, the plaintiffs’ risk of future harm was not “certainly impending” and so they had failed to allege an injury sufficient to establish Article III standing.

Following the February decision, the plaintiffs filed a motion for reconsideration in March, arguing the Court had relied on undeveloped details regarding the breach that should not have been considered at this stage.

The Second Circuit’s May decision in the Whalen v. Michaels Stores Inc. case also helped strengthen the plaintiffs’ motion for reconsideration.

The Whalen decision indicated in dicta that the theft of personally identifying information, such as Social Security numbers or birthdates, in a data breach would be enough for standing based on a threat of future harm.

“Until the Supreme Court or the Second Circuit definitively weighs in, in this circuit at least, harm based on the theft of personally identifying information, such as a Social Security number or date of birth, as alleged [by the Excellus plaintiffs], is sufficient to establish standing,” stated Judge Wolford in her decision.

The plaintiffs’ motion for reconsideration also revealed new evidence which established that three of the dismissed plaintiffs’ data had been extracted from Excellus and was for sale on the dark web. This reinforced their claims that their personally identifying information had been compromised and that hackers had harmful intentions.

Judge Wolford explained, “Had the court had the benefit of all this additional information when it rendered its decision and order, it would have reached a different conclusion — and it does so now.”

In a statement to the Democrat & Chronicle, Hadley Matarazzo, who is one of the lead counsels for the plaintiffs, said they are “…pleased by the Court’s ruling and are thankful that the claims of the representative plaintiffs whose personally identifiable and health information has been stolen, but not yet misused, are reinstated and will move forward on behalf of this class of individuals.”

How to Protect Yourself from Identity Theft after Your Data Has Been Breached

Data breachFollowing the unprecedented data breach at Excellus, the 10 million plus affected people are looking for ways to protect themselves from impending risk of future identity theft.

One of the best ways to protect oneself is to make sure that passwords are changed regularly and to not maintain the same password across various accounts.

In addition, freezing one’s credit with all three major credit bureaus is an excellent way to be sure that no unauthorized credit is issued in one’s name.

Finally, the Federal Trade Commission has a comprehensive ID protection guide that is a great resource. Visit their website for more information on how you can protect yourself from identity theft.

Plaintiffs Seek Reconsideration of Court’s Decision in Excellus Data Breach Case

Excellus Data Breach LawsuitOn February 22, 2017, Judge Elizabeth A. Wolford of the United States District Court for the Western District of New York issued a 90-page decision granting in part and denying in part Defendants’ Motions to Dismiss.

In her decision, she dismissed the claims brought by those plaintiffs who had not yet experienced any actual identity theft or fraud, including four of the twenty named plaintiffs. Among other things, she reasoned that these plaintiffs, and those others affected by the Excellus Data Breach, have not yet been legally injured until they experience actual fraud or identity theft.

On March 22, 2017, Plaintiffs’ Lead Counsel filed a Motion for Reconsideration with the Court. In the Motion, Plaintiffs asked the Court to reconsider its decision on a number of legal grounds, including newly discovered evidence found by their experts that shows that both those plaintiffs who have already experienced identity theft and those who have not face a substantial risk of harm in that certain plaintiffs’ information has been found for sale on the Dark Web.

The experts conducted these searches to see what information was actually available. In most instances, it was email addresses and passwords that were found, but in others, social security numbers and/or dates of birth were also found. Unfortunately, the purchase of sensitive information on the Dark Web does not protect victims. Individuals who sell this information can just turn around and sell it again in the future and, according to our experts, often do sell the information multiple times, which is why some of the plaintiffs have continued to experience more fraud.

The Excellus Defendants have until May 3, 2017 to respond to our Motion. Plaintiffs then have one more opportunity to submit papers due May 17, 2017.

It is not known when the Court will issue a decision on Plaintiffs’ Motion for Reconsideration, but expect it will be sometime this year.