Michigan Appellate Court Requires Actual Injury for Data Breach Liability

January 5, 2015

In a decision highlighting the division among courts for data breach liability, Michigan’s appellate court recently joined those courts requiring actual proof of injury. On December 18, 2014, the Michigan Court of Appeals decertified a class action lawsuit against Henry Ford Health Systems (HFHS) and its subcontractor over the disclosure of personal health information. Doe v. Henry Ford Health Sys., 2014 Mich. App. LEXIS 2557 (Mich. Ct. App. Dec. 18, 2014). The Court held that the Plaintiff failed to allege the actual injury necessary to plead claims of negligence and breach of contract, and that invasion of privacy is an intentional tort which does not support a negligent cause of action.

The Plaintiff alleged, on behalf of the class of patients, that a Henry Ford’s subcontractor caused sensitive patient records to be disclosed on the Internet between June 3 and July 18, 2008. Upon learning of this problem, HFHS removed the patient data, notified patients of the disclosure, and took steps to protect patient information going forward. Initially, the lower court certified a class action.

The Michigan Court of Appeals held that the only alleged injury was for the cost of account monitoring associated with a possible, future injury potentially stemming from the data breach. The Court ruled that absent the Plaintiff’s showing that the exposed data was actually viewed online or used for an improper purpose, the Plaintiff failed to show actual, present injury, an element of both negligence and breach of contract. Similarly, absent any case law supporting a negligent cause of action, invasion of privacy was an intentional tort under Michigan law which did not support liability for the accidental disclosure of data.

Although this decision limited the liability for Michigan defendants who accidentally disclose sensitive client data without causing injury, much uncertainty still exists regarding the extent of liability in data breach litigation under state and federal law.

Dykema’s cybersecurity team will continue to monitor recent developments in this area. For more information on this article or cybersecurity legal obligations generally, please contact Jonathan Feld at (312) 627-5680, Susan Asam at (313) 568-5332, any of the attorneys in Dykema’s cybersecurity practice group, or your relationship partner.

As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. © 2021 Dykema Gossett PLLC.