Judge Nixes Former Employees’ Suit Against Marsh & McLennan Over 2021 Data Breach

January 19, 2022

A federal judge in New York has dismissed a potential class action against Marsh & McLennan by two former employees who sued after the firm suffered a data breach in 2021.

The plaintiffs, Florida residents Nancy Bohnak and Janet Lea Smith, who sought monetary damages and injunctive relief, failed to show that they suffered any “legally cognizable injury to support their substantive claims,” U.S. Judge Alvin K. Hellerstein of the Southern District of New York found.

The judge told the plaintiffs that to be “cognizable” under either Florida or New York law, “damages must be capable of proof with reasonable certainty and not merely speculative, and they must be proximately caused by the defendant.”

Marsh & McLennan reported that on April 26, 2021 it discovered a data breach potentially affecting the personally identifiable information (PII) of about 7,000 people. The data included Social Security or other federal tax identification numbers, driver’s license or other government-issued identification, and passport information. MMC immediately notified law enforcement, launched an investigation, and took measures that ended all unauthorized access on April 30.

Plaintiffs Bohnak and Smith claimed they have always been careful about sharing their PII and have never knowingly transmitted their unencrypted sensitive PII over the internet or any other unsecured source. They alleged that MMC had inadequate security practices and brought claims of negligence, breach of implied contract, and breach of confidence.

Bohnak and Smith claimed that as a result of the breach they suffered injuries that included lost or diminished value of PII; out-of-pocket expenses associated with recovery from identity theft, tax fraud, and/or unauthorized use of their PII; lost opportunity costs associated with attempting to mitigate the actual consequences of the data breach, including but not limited to lost time; and the continued and certainly increased risk to their PII.

The plaintiffs also sought injunctive relief including requiring MMC to protect all collected data with encryption and to implement a comprehensive information security program.

MMC argued that the plaintiffs failed to state claims for negligence, breach of implied contract, or breach of confidence because they do not allege damages, the existence of an implied contract, or the existence of a confidential relationship.

The judge agreed and told the plaintiffs that their failure to “plausibly” allege damages doomed their request for monetary damages, and their failure to plausibly allege irreparable injury doomed their request for injunctive relief.

“Plaintiffs can only speculate as to whether they will suffer harm at some unknown future date. They also can only speculate about the extent of that harm, if and when it does materialize. These damages are neither certain nor capable of proof with reasonable certainty. As to Plaintiffs’ allegations that they have suffered loss of time and money responding to the increased risk of harm, these damages are not cognizable because they are not proximately caused by the harm of disclosure,” the judge wrote.

Their complaint “falls short” in establishing that they have suffered legally cognizable injury to support their substantive claims, the judge ruled.