2014 was an interesting year in data breach litigation in California at both the federal and state level. As always is the case in data breach cases, the requirement of a cognizable harm or “standing” took center stage. At the state level, data breach defendants scored a huge victory in the case of Sutter Health v. Superior Court. In contrast, at the federal level, data breach plaintiffs scored big in the case of In re Adobe.
Sutter Health involved the increasingly common situation of a stolen computer from a hospital. The computer contained millions of patient health records. Patients filed a class action alleging violations of the Confidentiality of Medical Information Act (“CMIA”). The Act prohibits the disclosure of patient records and provides for statutory damages of $1,000 per breach. Doing the math, Sutter’s liability added up to $4 billion of exposure. The trial court denied Sutter’s demurrer resulting in an immediate appeal.