
Nunley v. Chelan-Douglas Health Dist. A Wash. Mun. Corp.

Court of Appeals of Washington, Division 3
Oct 31, 2024
No. 39571-5-III (Wash. Ct. App. Oct. 31, 2024)


SARAH NUNLEY AND MICHELLE SLATER, INDIVIDUALLY AND ON BEHALF OF ALL OTHERS SIMILARLY SITUATED, Appellant, v. CHELAN-DOUGLAS HEALTH DISTRICT A WASHINGTON MUNICIPAL CORPORATION, AND DOES 1-10, INCLUSIVE, Respondent.


OPINION

Staab, A.C.J.

After hackers accessed personal records in a cyberattack on Chelan-Douglas Health District's (Health District) network, Sarah Nunley and Michelle Slater filed suit claiming the Health District was negligent in gathering, storing, and securing their personal information. The Health District moved to dismiss under CR 12(b)(6), raising two issues. First, the Health District argued that it did not owe the Plaintiffs a duty of care since any injury was caused by the criminal acts of third parties. Second, the Health District asserted that the Plaintiffs had failed to allege a cognizable injury as a necessary element of their claim for negligence. The superior court granted the Health District's motion and the Plaintiffs appeal.

For purposes of clarity, we will use "Plaintiffs" to refer to Nunley and Slater collectively, and use their specific names when referring to them individually.

We reverse. We hold that companies that collect and store personal identifiable information (PII) and personal health information (PHI) have a duty to use reasonable care in collecting and storing the information. This duty includes taking reasonable steps to prevent unauthorized access and disclosure of the information.

We also hold that the Plaintiffs have asserted cognizable injuries at this preliminary stage. The Plaintiffs contend that the Health District breached its duty by failing to use ordinary care in securing their personal identification and as a result, the Plaintiffs' personal information was stolen. According to the facts alleged by the Plaintiffs, they are current victims of identity theft as opposed to future or potential victims of identity theft. They allege existing loss in the form of mental distress and inconvenience as well as the loss in value of their personal identity. Under the deferential standard of pleadings, the allegations are sufficient to assert a current loss, and it is possible that the plaintiffs will be able to prove these damages.

We reverse the superior court's order dismissing the Plaintiffs' claim of negligence and remand for further proceedings.

BACKGROUND

In considering a motion to dismiss under CR 12(b)(6), the court presumes the allegations set forth in the complaint are true. The following facts are taken from the Plaintiffs' complaint.

The Health District provides various health services in Chelan and Douglas Counties. To perform its services, it collected, stored, managed, and transmitted plaintiffs' PII and PHI such as full names, Social Security numbers, dates of birth, financial account information, medical treatment/diagnosis information, medical records or patient numbers, and/or health insurance policy information.

Beginning in 2020, the Health District was made aware that the PII and PHI it collected and stored were vulnerable to a data breach and that its security protocols were inadequate. Despite this warning, the Health District did not improve its security protocols and failed to hire internal or external information technology (IT) personnel to address the vulnerabilities. In January of the following year, the Health District identified "several issues" with its IT infrastructure and assigned its "Incident Management Team" to work on improvements. "In early May 2021, FBI agents contacted [the Health District] to warn them of an impending cyber-attack." Clerk's Papers (CP) at 11. Between May 10 and May 14, hackers attempted two separate attacks on the Health District's systems. During this same timeframe, the Health District was also the target of an email phishing attack. Following these attempted attacks, the Health District did not improve its security measures.

"FBI" refers to the Federal Bureau of Investigation.

Between July 2 and July 4, the Health District's network was subject to a data breach. During the investigation of this breach, it was revealed that Plaintiffs' PII and PHI had been removed from its network in connection with the breach. The attorney general's report stated the information removed included "full names, Social Security numbers, dates of birth/death, financial account information, medical treatment/diagnosis information, medical records or patient numbers, and/or health insurance policy information." CP at 11. Approximately 108,906 individuals in Washington State were affected by this data breach.

Nunley, a patient at the Health District, was one of the individuals who received a notice in March 2022 stating her PII and PHI were exposed in the data breach. Before the data breach, she supplied her full name, date of birth, address, and telephone number to the Health District. In addition, the Health District had access to her medical information such as treatment/diagnosis information, medical record number or patient number, and health insurance policy information. Nunley received a notice that stated "certain identifiable personal and protected health information, including your full name and one or more of the following may have been removed from our network in connection with this incident: Medical Information (Treatment/Diagnosis Information, Medical Record or Patient Number, and/or Health Insurance Policy Information), [and] Date of Birth." CP at 57. The notice Nunley received did not state her Social Security number was compromised.

Nunley alleges that she experienced a substantial uptick in the number and frequency of spam telephone calls related to medical services as well as spam emails. Some of these calls included a person impersonating a representative at the Health District attempting to gain access to additional information. In addition, she was notified, in March 2022, by her credit monitoring service of two instances of her Social Security number appearing on the dark web, as well as her expired personal identification issued by Washington State. She was also notified of two "soft pulls" of her credit by Goldman Sachs.

Following the data breach, Nunley alleges she spent time and effort mitigating the data breach such as researching it, reviewing credit reports, creditor monitoring, researching credit services offered by the Health District, dealing with unwanted spam calls, and she claims an unauthorized business license was opened in her name. Nunley claims she has spent at least five hours dealing with the data breach. In addition to her time and effort, Nunley alleges she has suffered emotional distress due to the release of this information.

Slater, another individual affected by the data breach, received the exact same notice as Nunley, stating her PII and PHI were exposed in the data breach despite her having no known relationship with the Health District. She alleges she made reasonable efforts to mitigate the data breach such as researching it, reviewing credit reports, credit monitoring, and reviewing financial account statements for any indication of attempted identity theft.

Nunley and Slater both allege actual injury in the form of damage and diminution in the value of their PII and PHI as well as the present, imminent, and impending injury arising from the increased risk of fraud. As a result of this breach, they both anticipate spending considerable time and money attempting to mitigate and address these harms.

Nunley brought this class action for negligence on behalf of herself, Slater, and other Washington residents whose PII and PHI was disclosed by the Health District during the data breach. The Health District filed a CR 12(b)(6) motion to dismiss, arguing Plaintiffs failed to allege a duty was owed and that they did not plead cognizable damages. After hearing the issue, the court eventually entered an order granting the motion to dismiss with prejudice for failure to state a claim upon which relief could be granted. Nunley and Slater appeal the trial court's order.

ANALYSIS

We must decide two issues in this appeal. First, whether under the facts alleged in the complaint, the Health District could have a duty to protect the Plaintiffs' personal information from being wrongly obtained by third parties. Second, whether the Plaintiffs have alleged a cognizable injury sufficient to support their cause of action for negligence when they do not claim any out-of-pocket expenses, but do claim loss of time attempting to mitigate the effects of the data breach, mental distress over concerns that their identity will be misused, and loss of value of their personal information.

1. Standard of Review

Appellate courts review an order granting a CR 12(b)(6) motion to dismiss de novo. Jackson v. Quality Loan Serv. Corp., 186 Wn.App. 838, 843, 347 P.3d 487 (2015). Dismissal is appropriate where a plaintiff is unable to "prove any set of facts consistent with the complaint that would entitle the plaintiff to relief." Id. All facts alleged in the "complaint are presumed true," but an appellate court is not required to accept the complaint's legal conclusions. Id. "'[A]ny hypothetical situation conceivably raised by the complaint defeats a CR 12(b)(6) motion if it is legally sufficient to support the plaintiff's claim.'" Id. at 843 (quoting Bravo v. Dolsen Co., 125 Wn.2d 745, 750, 888 P.2d 147 (1995)). However, "'[i]f a plaintiff's claim [still] remains legally insufficient . . . under . . . [the] hypothetical facts, dismissal pursuant to CR 12(b)(6) is appropriate.'" Id. at 843-44 (quoting Gorman v. Garlock, Inc., 155 Wn.2d 198, 215, 118 P.3d 311 (2005)).

"'A cause of action for negligence'" accrues when a plaintiff demonstrates "'(1) the existence of a duty owed, (2) breach of that duty, (3) a resulting injury, and (4) a proximate cause between the breach and the injury.'" Pitoitua v. Gaube, 28 Wn.App. 2d 141, 151, 534 P.3d 882 (2023) (quoting Tincani v. Inland Empire Zoological Soc'y, 124 Wn.2d 121, 127-28, 875 P.2d 621 (1994)). Although the court's order does not specify its reason for dismissing the claim, the proffered argument by the Health District in support of dismissal related to the elements of duty and damages will be evaluated in turn.

2. Duty of Care

Plaintiffs contend that the Health District had a duty to exercise reasonable care to protect their PII and PHI from the foreseeable acts of third parties. They maintain that this duty arises from the Health District's actions of collecting, storing, and maintaining large amounts of valuable personal information on its network. The Health District argues that it had no duty to protect the Plaintiffs' PII and PHI from the criminal acts of third persons and the failure to implement procedures to mitigate the risk of cyberattacks did not create a duty because the Health District did not facilitate the attack or affirmatively act.

A duty of care is "'an obligation, to which the law will give recognition and effect, to conform to a particular standard of conduct toward another.'" Centurion Props. III, LLC v. Chi. Title Ins. Co., 186 Wn.2d 58, 64, 375 P.3d 651 (2016) (internal quotation marks omitted) (quoting Certification from the United States Court of Appeals v. LTK Consulting Servs., Inc., 170 Wn.2d 442, 449, 243 P.3d 521 (2010)). The determination of whether a duty exists is a question of law that this court reviews de novo. See Munich v. Skagit Emergency Commc'n Ctr., 175 Wn.2d 871, 877, 288 P.3d 328 (2012). In determining whether a duty exists, we consider principles reflected in existing law as well as "'logic, common sense, justice, policy, and precedent.'" Stalter v. State, 151 Wn.2d 148, 155, 86 P.3d 1159 (2004) (internal quotation marks omitted) (quoting Keates v. City of Vancouver, 73 Wn.App. 257, 265, 869 P.2d 88 (1994)); see Barlow v. State, No. 101045-1, slip op. at 5 (Wash. Jan. 4, 2024), https://www.courts.wa.gov/opinions/pdf/1010451.pdf.

We first consider the principles in existing law. Under the Restatement of Torts, actors have a duty to exercise reasonable care to avoid the foreseeable consequences of their own actions. Restatement (Second) of Torts § 281 reporter's note cmts. c, d (Am. L. Inst. 1965). This "'encompasses the duty to refrain from directly causing harm to another through affirmative acts of misfeasance.'" Pitoitua, 28 Wn.App. 2d at 153. On the other hand, nonfeasance is characterized by "'passive inaction or failure to take steps to protect others from harm.'" Robb v. City of Seattle, 176 Wn.2d 427, 437, 295 P.3d 212 (2013) (quoting Lewis v. Krussel, 101 Wn.App. 178, 184, 2 P.3d 486 (2000)). The "distinction between 'acts' and 'omissions'" is important because liability will typically not be imposed for the latter. Brown v. MacPherson's, Inc., 86 Wn.2d 293, 300, 545 P.2d 13 (1975).

An actor's "duty to exercise reasonable care to avoid the foreseeable consequences of their acts" includes the duty "to avoid exposing another to harm from the foreseeable conduct of a third party." Washburn v. City of Fed. Way, 178 Wn.2d 732, 757, 310 P.3d 1275 (2013). Because the criminal conduct of third parties is usually not foreseeable, "there is generally no duty to prevent third parties from causing criminal harm to others." Id. This general rule is subject to exceptions. Criminal conduct is not per se unforeseeable. Id.

The Plaintiffs argue that one of these exceptions applies in this case. In limited circumstances "[a]n act or an omission may be negligent if the actor realizes or should realize that it involves an unreasonable risk of harm to another through the conduct of the other or a third person which is intended to cause harm, even though such conduct is criminal." Restatement (Second) § 302B. Comment e further explains:

There are, however, situations in which the actor, as a reasonable man, is required to anticipate and guard against the intentional, or even criminal, misconduct of others. In general, these situations arise where the actor is under a special responsibility toward the one who suffers the harm, which includes the duty to protect him against such intentional misconduct; or where the actor's own affirmative act has created or exposed the other to a recognizable high degree of risk of harm through such misconduct, which a reasonable man would take into account.
(Emphasis added.)

Washington has adopted this Restatement and three cases demonstrate its application. The first case to find a duty to protect a third party absent a special relationship was Parrilla v. King County, 138 Wn.App. 427, 157 P.3d 879 (2007). There, the court found that King County owed a duty of care after a bus driver exited his bus with the engine running leaving a visibly erratic passenger on board who then drove the bus away injuring the plaintiff. Parrilla, 138 Wn.App. at 430, 433.

The Parrilla court recognized the rule that criminal conduct is generally not foreseeable, but noted that "if a third party's criminal conduct is reasonably foreseeable, an actor may have a duty to avoid actions that expose another to that misconduct." Parrilla, 138 Wn.App. at 437. Thus, the court held that under Restatement (Second) § 302B a duty to "guard against a third party's foreseeable criminal conduct exists where an actor's own affirmative act has created or exposed another to a recognizable high degree of risk of harm through such misconduct, which a reasonable person would have taken into account." Parrilla, 138 Wn.App. at 439.

Applying this rule to the circumstances of the Parrilla case, the court found that the plaintiff alleged that the driver acted affirmatively when he left a bus with the engine running and an unstable and volatile passenger on board. Id. at 438. The driver acted with knowledge of these peculiar conditions, and an "affirmative act created a high degree [of] risk" of intentional "misconduct, which a reasonable person would have taken into account." Id. at 441. Based on these facts, "King County owed a duty of care to the Parrillas" who were injured when the unstable passenger commandeered the bus. Id.

The Restatement was next applied by our Supreme Court in Robb v. City of Seattle, 176 Wn.2d 427. There, the defendant shot Robb "using a stolen shotgun loaded with two shells." Id. at 430. "Less than two hours before the shooting, officers . . . stopped [the defendant] and his companion . . . on suspicion of burglary. . . . During the stop, the officers observed three to five shotgun shells on the ground," but failed to question either individual "about the shells nor picked them up." Id. When the officers could not establish probable cause to arrest, they released the defendant. Id. After this incident, a witness noticed the defendant returned to the scene, picked something up off the ground, and then shot Robb. Id. The issue was whether the acts of the officers were considered affirmative acts or more appropriately considered an omission or a failure to act. Id. at 432.

In finding that this was a case of an omission or nonfeasance, the court held that the officers "did not affirmatively create a new risk when they stopped [the defendant] and failed to pick up the nearby shells." Id. at 437. "The officers did not provide the [shotgun] shells, nor did they give [the defendant] the shotgun he used to kill Robb," and therefore, the officers only "failed to remove a risk when they did not remove the shells." Id. at 437-38. Whether the officers stopped the defendant or not, he would have presented the same risk. Id. at 438. Put simply, "the situation of peril . . . existed before law enforcement stopped [the defendant], and the danger was unchanged by the officers' actions." Id. "Because [the officers] did not make the risk any worse, their failure to pick up the shells was [more appropriately characterized as] an omission, not an affirmative act." Id.

Finally, in Washburn, the court considered whether the city owed a duty to the decedent who died at the hands of her boyfriend after he was served by police with a protection order. 178 Wn.2d 732. The court noted that police were aware of information making it reasonably foreseeable that the boyfriend would react violently to being served with the protection order. Id. at 759. In addition, the officer knew that he was serving the boyfriend at the decedent's home with the decedent present, but instead of ensuring her safety the officer walked away after serving the order, leaving the boyfriend at the house with the decedent. Id. at 761. The court found that under these circumstances, the officer's act of serving the protection order on the boyfriend was an affirmative act that created a new and foreseeable risk that the boyfriend would respond violently, and the officer had a duty to eliminate or reduce this risk. Id. at 760.

The Washburn court rejected the city's characterization of its participation as nonfeasance, the failure to act, even though the plaintiff produced evidence that the officer failed to take steps to ensure the decedent's safety. Instead, the court recognized that these were simply examples of ways in which the officer improperly served the order. Id. at 760-61.

In the case before us, the Plaintiffs allege that the Health District's act of collecting, retaining, and storing the Plaintiffs' PII and PHI constitutes an affirmative act that created a high degree of risk that third parties would attempt to obtain the personal information. Assuming the Plaintiffs can prove these allegations, we agree that they are sufficient to create a duty upon the Health District to use ordinary care in the collection and storage of the Plaintiffs' personal information.

By collecting numerous records of sensitive data and storing them on network systems that the Health District maintained, the Health District created a new and greater risk that criminals would come after the personal information. Personal information has value. And while its value in singular form may not be enough to create a target for hackers, when the single record is collected and stored with hundreds or thousands of other personal records on a single network, the benefit of hacking a system to obtain these records rises exponentially. By gathering individual records and storing them collectively on a network, the Health District took affirmative steps that created a high degree of risk.

Two of the illustrations provided in Restatement (Second) § 302B cmt. e(H) support our conclusion. The illustrations provide that a duty may arise "[w]here the actor acts with knowledge of peculiar conditions which create a high degree of risk of intentional misconduct," or "[w]here property of which the actor has possession or control affords a peculiar temptation or opportunity for intentional interference likely to cause harm." Restatement (Second) § 302B cmt. e(H), (G). Here, it is alleged that the Health District possessed and controlled the personal information records of the Plaintiffs, and had specific knowledge that its system was being targeted by cyber criminals who would be attempting to gain access to these confidential records. See Tae Kim v. Budget Rent A Car Sys., Inc., 143 Wn.2d 190, 198, 15 P.3d 1283 (2001) (noting that "'[i]t would be unjust to require one to anticipate that a crime will be committed unless there has been a warning'" (emphasis added) (internal quotation marks omitted) (quoting W. Page Keeton et al., Prosser and Keeton on The Law of Torts § 33 n.78, at 201 (5th ed. 1984))).

The Health District maintains that the Plaintiffs are alleging nonfeasance instead of misfeasance. In support of this position, the Health District points to the Plaintiffs' allegations that the Health District failed to take steps to protect the records. But similar to the Supreme Court's analysis in Washburn, the Plaintiffs' allegations highlight ways in which the Health District improperly stored and secured the personal information.

Imposing a duty on companies that collect and store PII and PHI to use reasonable care is supported not only by the Restatements and our existing case law, but it is also supported by policies already established in Washington.

Washington has a strong public policy of protecting people from identity theft. The legislative findings supporting the penal statute declare that a person's "means of identification and financial information are personal and sensitive information such that if unlawfully obtained, possessed, used, or transferred by others may result in significant harm to a person's privacy, financial security, and other interests." RCW 9.35.001(1).

In the civil arena, businesses are required to notify any resident whose unencrypted personal information "was, or is reasonably believed to have been, acquired by an unauthorized person." RCW 19.255.010(1), (2); RCW 42.56.590(1), (2). The chapter provides that consumers who are injured by a business's failure to comply with the notice requirement have a cause of action to recover damages. RCW 19.255.040(3)(a).

There are numerous other examples of Washington's policy on preventing identity theft and the corresponding requirements on entities that collect this information. See Wash. Pub. Emps. Ass'n v. Wash. State Ctr. for Childhood Deafness & Hr'g Loss, 194 Wn.2d 484, 501, 497, 450 P.3d 601 (2019) (recognizing that "preventing identity theft and the misuse of personal information is an important policy objective"; "No Washington case has ever held that employee birth dates associated with names are private."); RCW 46.22.010(2) (imposing an affirmative duty on data recipients from the department of licensing "to take all reasonable actions necessary to prevent the unauthorized disclosure and misuse of personal or identity information").

We hold that the Health District owed the Plaintiffs a duty to use reasonable care in the collection and storing of their PII and PHI, and this duty includes taking reasonable steps to prevent unauthorized access and disclosure of the information.

3. Cognizable Injury

Alternatively, the Health District contends that dismissal for failure to state a claim was proper because the Plaintiffs have failed to allege injuries that are recoverable under a claim of negligence. The Plaintiffs allege that their identity has been stolen and as a result they have suffered harm in the form of (1) increased risk of monetary loss due to misuse of their identity, (2) fear that their PII and PHI will be misused to commit fraud, (3) time and effort spent monitoring their identity and mitigating the risk of misuse, and (4) a decrease in the value of their identity. The Health District responds that the Plaintiffs are largely claiming "an injury they have not suffered and may never suffer: identity theft." Br. of Resp't at 16.

As we noted above, a resulting injury is one of the elements of negligence. Pitoitua, 28 Wn.App. 2d at 151. A cause of action for negligence does not accrue until the plaintiff has suffered actual loss or damages. Gazija v. Nicholas Jerns Co., 86 Wn.2d 215, 219, 543 P.2d 338 (1975).

For purposes of clarity, we use the definition of the terms "injury," "harm," and "damages," as provided in the Restatements. Our reference to "injury" denotes "the invasion of any legally protected interest." Restatement (Second) § 7(1). "Harm," on the other hand, is broader and "denote[s] the existence of loss or detriment in fact of any kind to a person resulting from any cause." Restatement (Second) § 7(2). Finally, "damages" refers to an award from a court to compensate for a legal wrong. Restatement (Second) § 902. "Damages flow from an injury." Restatement (Second) § 902 cmt. a; see also Lavington v. Hillier, 22 Wn.App. 2d 134, 149, 510 P.3d 373 (2022); Huff v. Roach, 125 Wn.App. 724, 729, 106 P.3d 268 (2005); Lavigne v. Chase, Haskell, Hayes & Kalamon, PS, 112 Wn.App. 677, 684, 50 P.3d 306 (2002).

As a preliminary matter, we note that the Health District relies in large part on federal cases to support its position that the types of damages alleged by the Plaintiffs are not recoverable in a claim of negligence. While these federal cases are informative, they are not directly on point. Most of them address whether plaintiffs have alleged an injury-in-fact for purposes of establishing standing under article III of the United States Constitution. For the most part, these cases are not addressing the elements of negligence under Washington law. To the extent that the analysis for determining standing is similar to the analysis for determining whether a cognizable injury has been alleged, we note that Washington has not adopted the heightened "plausibility" pleading standard required to prove standing in federal court. McCurry v. Chevy Chase Bank, FSB, 169 Wn.2d 96, 102-03, 233 P.3d 861 (2010). Instead, we must consider the issue under the state civil rule, which provides that a complaint should not be dismissed so long as it is possible the plaintiffs could establish facts to support their claim. Id. at 101; CR 12(b)(6).

Here, it is possible that the Plaintiffs will be able to prove that they are victims of identity theft and that they have been injured. Our legislature has defined the crime of identity theft to occur when a person's means of identification is taken or possessed by someone with the intent to commit any crime. RCW 9.35.020(1). The crime of second degree identity theft does not require proof that a defendant misused the identity of another. State v. Sells, 166 Wn.App. 918, 926, 271 P.3d 952 (2012). Possession with intent is enough.

A "victim" of identity theft includes "a person whose means of identification . . . has been used or transferred with the intent to commit . . . any unlawful activity." RCW 9.35.005(6). There are several alternative ways to define a person's "means of identification," including possession of the person's name, telephone number, email address or an identifier of the individual or their family member. RCW 9.35.005(3). While a person's "means of identification" may include their Social Security number, a person's identity can be stolen even when their Social Security number is not included in the information taken. Sells, 166 Wn.App. at 924. Finally, a person who steals another's identity is liable for damages in the amount of $1,000 or actual damages, whichever is greater. RCW 9.35.020(7).

In deciding a CR 12(b)(6) motion, a court is to consider all conceivable facts in support of the plaintiffs' allegations, including hypothetical facts. Gorman v. Garlock, Inc., 121 Wn.App. 530, 538, 89 P.3d 302 (2004). This is true even if the facts are presented for the first time on appeal. Id. Therefore, although Nunley did not specifically allege she provided Health District with her Social Security number in the complaint, we may assume this fact because she has presented it on appeal.

The Plaintiffs allege that their PII and PHI was taken by hackers from the Health District's system. The information taken can qualify as the Plaintiffs' means of identification. We can assume that the hackers took the information with the intent to use it for illegal purposes. As defined by Washington's criminal statute, the Plaintiffs have alleged that their identity has already been stolen. Thus, the Plaintiffs have alleged a current injury because they have alleged the invasion of a legally protected interest. For this reason, we disagree with the Health District that the Plaintiffs are alleging only the potential for future identity theft.

Nonetheless, injury and damages do not always occur simultaneously and a plaintiff's claim for negligence does not accrue until there has been an actual loss. Gazija, 86 Wn.2d at 219-20. "The mere danger of future harm, unaccompanied by present damage, will not support a negligence action." Id. at 219. Given this rule, the more succinct question in this case is whether the Plaintiffs have alleged a current harm from having their identity stolen when there are no allegations that they have suffered any out-of-pocket losses as a result of the injury. We consider the types of harm alleged by the Plaintiffs below.

Fear and Inconvenience

We first consider whether the Plaintiffs could recover for increased anxiety due to the possibility that someone will use their stolen identity to commit fraud as well as the time they spent monitoring their credit and mitigating the potential risk.

Damages for mental anguish, pain, and suffering, are available in a claim of negligence when a plaintiff has suffered physical injury. Schmidt v. Coogan, 181 Wn.2d 661, 673, 335 P.3d 424 (2014). In cases where physical injury is also alleged, courts have allowed plaintiffs to recover for anxiety over the fear that the future injury will manifest. "Our courts long have recognized that a plaintiff may recover for anxiety, arising from a current reasonable fear of future injury or illness, and resulting from an injury caused by the defendant." Sorenson v. Raymark Indus., Inc., 51 Wn.App. 954, 958, 756 P.2d 740 (1988). Thus, a plaintiff who was exposed to asbestos could recover for the anxiety he suffered before developing asbestosis because he was aware of the possibility of contracting cancer from the exposure. Id. A plaintiff who drank from a bottle containing shards of glass, and was told that future surgery may be needed, could recover for the fear this engendered. Brown v. Coca-Cola Bottling, Inc., 54 Wn.2d 665, 668-69, 344 P.2d 207 (1959). After establishing that a hospital had improperly placed a catheter in his arm, a plaintiff could recover for mental anxiety based on the fear that the catheter could slip into his cardiovascular system. Dickerson v. St. Peter's Hosp., 72 Wn.2d 196, 432 P.2d 293 (1967). In this case, however, the Plaintiffs are not alleging physical injury.

Damages for inconvenience, discomfort and mental anguish are available for intentional torts. See Thorley v. Nowlin, 29 Wn.App. 2d 610, 624, 542 P.3d 137 (2024) (noneconomic damages available for intentional interference with a plaintiff's property interests); Brower v. Ackerley, 88 Wn.App. 87, 98, 943 P.2d 1141 (1997) (emotional distress damages are available for the intentional tort of outrage); see Lavington, 22 Wn.App. 2d at 152 ("general rule is that a plaintiff can recover damages for emotional distress resulting from an intentional tort like trespass"). But again, the Plaintiffs here are not alleging an intentional tort.

"When emotional distress is the sole damage resulting from negligent acts, our court is cautious in awarding damages." Schmidt, 181 Wn.2d at 671. Whether such damages are available depends in part on whether the plaintiff and defendant had a preexisting relationship. Price v. State, 114 Wn.App. 65, 71, 57 P.3d 639 (2002).

If the parties lacked a preexisting relationship, and the defendant's breach was negligent rather than intentional, emotional distress damages are available only if the plaintiff proves "objective symptomatology." If the parties had a preexisting relationship, the availability of emotional distress damages turns generally on the characteristics of the particular relationship. If the relationship was primarily economic, emotional distress damages may not be available. If the relationship was not primarily economic, emotional distress damages may be available.
Id. (citations omitted).

Noneconomic damages may also be awarded when a plaintiff was a bystander within the zone of danger. Repin v. State, 198 Wn.App. 243, 259-60, 392 P.3d 1174 (2017). Alternatively, plaintiffs can plead and prove theories of liability that allow for emotional distress damages without physical injury. See Bylsma v. Burger King Corp., 176 Wn.2d 555, 293 P.3d 1168 (2013); Schmidt, 181 Wn.2d 671-72 (citing examples where emotional distress damages are recoverable in the absence of physical damages, including wrongful discharge in violation of public policy, violation of the Washington Law Against Discrimination, ch. 49.60 RCW; medical malpractice, ch. 7.70 RCW, for the unauthorized disclosure of confidential information, breach of professional duty by a day care provider, wrongful adoption, and attorney malpractice).

At the complaint stage of the proceedings, plaintiffs are not required to allege the factors that might determine if emotional distress damages are available. Here, the Plaintiffs have not alleged a physical injury or an intentional tort, but they have alleged an injury: that their PII and PHI were misappropriated. Conceivably, they could produce evidence to support an award of damages for inconvenience and emotional distress under one of the scenarios outlined in Price. Thus, at this early stage in the case, the request for emotional distress damages is sufficient to allege a cognizable injury to support a negligence claim.

Decrease in Value of Identity

The Plaintiffs allege that the value of their personal identity has decreased and has been diluted due to the theft of their identity. Defendants contend that Washington has never recognized the loss of value of PII and PHI as a type of harm that is recoverable in negligence.

While Washington has not yet weighed in on this murky issue, it is well established in our state that a plaintiff can recover for the loss or damage to personal property in an action for negligence. See Grothe v. Kushnivich, 24 Wn.App. 2d 755, 766, 521 P.3d 228 (2022). "The purpose of awarding damages for injury to personal property is to place the injured party as nearly as possible in the condition in which he would have been had the wrong not occurred." 16 David K. DeWolf & Keller W. Allen, Washington Practice: Tort Law and Practice § 6:4 at 318 (5th ed. 2020). Whether our personal means of identification, PII, or PHI, are considered to be personal property that can be damaged or destroyed is an issue of first impression in Washington. In deciding this question, we take guidance from decisions from other jurisdictions and Washington law on related issues.

Several other courts have addressed whether a plaintiff can claim loss in the value of their personal identity as a cognizable injury under a claim of negligence. These decisions have reached varying results. In In re Marriott International, Inc., Customer Data Security Breach Litigation, 440 F.Supp.3d 447, 460-61 (D. Md. 2020), the federal district court addressed whether a claim of loss in value of PII was sufficient to allege an injury-in-fact for purposes of standing in federal court. The court noted the "growing trend across courts that have considered this issue is to recognize the lost property value of this information." Id. at 461. In concluding that injury-in-fact was alleged, the court took notice of statements made by the United States Attorney General that data stolen from companies has "economic value" to foreign nationals. Id. at 462. The court also noted that companies and consumers recognize the value of PII, and consumers offer their PII to companies in exchange for goods and services. Id. Finally, in concluding that a loss in value of personal information was sufficient to show injury-in-fact, the court found that

the value of personal identifying information is key to unlocking many parts of the financial sector for consumers. Whether someone can obtain a mortgage, credit card, business loan, tax return, or even apply for a job depends on the integrity of their personal identifying information.
Id.

Several other courts have reached a similar result. See Collins v. Athens Orthopedic Clinic, PA, 307 Ga. 555, 562, 837 S.E.2d 310 (2019) (recognizing that an important part of the value of data to anyone attempting to buy it on the black market is its utility in committing identity theft); Calhoun v. Google LLC, 526 F.Supp.3d 605, 635 (N.D. Cal. 2021) (recognizing property interest in personal information); In re Accellion, Inc. Data Breach Litig., 713 F.Supp.3d 623, 637 (N.D. Cal. 2024) (recognizing loss of value of PII and consequential out-of-pocket expenses as cognizable categories of damages for negligence claims under California law).

On the other hand, several courts have found that a claim for loss of value of identity or personal information is not recoverable in an action for negligence. See In re 21st Century Oncology Customer Data Sec. Breach Litig., 380 F.Supp.3d 1243, 1257 (M.D. Fla. 2019) ("The Court rejects this theory of injury in fact because Plaintiffs have not alleged that their personal information has an independent monetary value that is now less than it was before the Data Breach."); B.K. v. Eisenhower Med. Ctr., __F.Supp.3d __, 2024 WL 878100, at *6 (C.D. Cal. Feb. 29, 2024), modified on reconsideration, __F.Supp.3d __, 2024 WL 2037404 (C.D. Cal. Apr. 11, 2024) (quoting John Doe v. Meta Platforms, Inc., 690 F.Supp.3d 1064, 1089 (N.D. Cal. 2023)) ("Courts in this [circuit] have dismissed cases where, like here, [plaintiff's] injury is based on 'the loss of the inherent value of their personal data,' as well as where it was undisputed that plaintiffs paid no money to the defendant.") (citation omitted); see also Saeedy v. Microsoft Corp., No. 23-CV-1104, 2023 WL 8828852, at *6 (W.D. Wash. Dec. 21, 2023) (court order) ("To establish standing for their claims of loss of value in their data as property, Plaintiffs must show that they personally lost money or property as a result of Microsoft's conduct.").

In Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), a company laptop containing the unencrypted data of company employees was stolen. Several employees sued, alleging the theft caused them to spend time protecting their identity, but did not allege any out-of-pocket expenses or losses. In the published portion of the opinion, the Ninth Circuit held that the allegations were sufficient to confer standing. Id. at 1143. But in the unpublished opinion, the court held that the plaintiffs failed to allege a cognizable injury because they were alleging only the danger of future harm. Krottner v. Starbucks Corp., 406 F. App'x. 129, 131 (9th Cir. 2010). The Krottner court did not consider whether increased anxiety or loss in value of personal information would constitute a cognizable injury.

In considering these competing interests, we note that the laws in Washington demonstrate a public policy that recognizes there is value in the security of our personal information. Beyond the criminal statute, there are numerous laws regulating the actions of companies and agencies who handle personal and health care information. The Uniform Health Care Information Act, ch. 70.02 RCW, "recognizes that '[h]ealth care information is personal and sensitive information that if improperly used or released may do significant harm to a patient's interests in privacy, health care, or other interests.'" Seattle Childs. Hosp. v. King County, 16 Wn.App. 2d 365, 379, 483 P.3d 785 (2020) (quoting RCW 70.02.005(1)). The Washington My Health My Data Act, ch. 19.373 RCW, requires "additional disclosures and consumer consent regarding the collection, sharing, and use of [health data]." RCW 19.373.005(3). The Washington Public Records Act, ch. 42.56 RCW, includes specific exemptions for personal information and requires agencies to disclose data breaches. See RCW 42.56.230 (exempting various personal information from a public records request); RCW 42.56.640 (exempts sensitive personal information of vulnerable individuals and home caregivers from disclosure in public records requests); RCW 42.56.590 (requires agency whose systems contain personal information to disclose any data breach); RCW 70.02.020 (prohibits health care providers from disclosing health care information without written authorization from the patient).

Washington has even created an "Office of Privacy and Data Protection" to serve as a resource for local governments and the public in developing best practices for handling personal information. RCW 43.105.369. If personal information had no value, the extensive efforts of criminals to steal it, and the substantial work by legislators and companies to protect it, would be pointless.

Considering Washington's existing law and the realities of the digital economy we live in now, we find the reasoning in the recent Marriott case to be persuasive. We follow the line of cases that hold that a person's means of identification, PII and PHI, can have value and conceivably that value can be diminished or destroyed when their identities are misappropriated for illegal purposes.

Here, Plaintiffs allege that their PII and PHI was stolen in a data breach of the Health District's computer systems. They allege that the theft caused their PII and PHI to lose value. They assert that after the data breach, the Plaintiffs received additional spam calls. One plaintiff was notified that her Social Security number was found on the dark web and an unauthorized business license was opened in her name. The loss in value of their PII and PHI is a current harm and a cognizable injury sufficient to support a cause of action for negligence. Whether and how the Plaintiffs can prove such damages is not a question before us.

Risk of Future Economic Harm from Identity Theft

Plaintiffs also allege that there is an imminent risk that their stolen identity will be misused in the future, which will likely cause them out-of-pocket losses. We distinguish this type of damage from Plaintiffs' allegation that they are suffering anxiety over the possibility that their stolen identity will be misused. Damages for future economic loss are different from damages for emotional distress.

The Health District contends that the Plaintiffs are precluded from recovering for this type of damage, arguing that these are future damages. If future economic damages were the only theory of recovery asserted by the Plaintiffs, we might agree. But because it is conceivable that the Plaintiffs will be able to demonstrate current harm, their claim for future harm survives a CR 12(b)(6) motion.

In Gazija, the court addressed when a cause of action accrued for purposes of the statute of limitations. 86 Wn.2d 215. The court noted that a claim of negligence does not accrue until there has been actual loss or damages, noting that "[t]he mere danger of future harm, unaccompanied by present damage, will not support a negligence action." Id. at 219. However, once a plaintiff experiences actual harm, the statute of limitations begins to run even if all of the damages resulting from the injury have not been sustained. Steele v. Organon, Inc., 43 Wn.App. 230, 234, 716 P.2d 920 (1986).

Although Gazija was concerned with the accrual of a cause of action for purposes of the statute of limitations, the holding has been applied in determining if a plaintiff has alleged sufficient injury to state a claim for negligence. See Brewer v. Lake Easton Homeowners Ass'n, 2 Wn.App. 2d 770, 780-81, 413 P.3d 16 (2018).

Standing alone, the Plaintiffs' request for damages for the risk of future economic damages would not support a claim of negligence. But here, the relief requested is in addition to a request for damages from current harm.

We emphasize that our decision is based on the liberal standard applied to a motion to dismiss under CR 12(b)(6) for failure to state a claim. While we determine that under the facts as alleged in the complaint the defendant had a duty to use reasonable care in collecting and storing the Plaintiffs' PII and PHI, and that the Plaintiffs may be able to prove a cognizable injury, we make no determination on the likelihood of success. Nor do we evaluate the sufficiency of evidence. We merely hold that the facts alleged in the complaint are sufficient to state a claim of negligence.

We hold that the Plaintiffs have alleged a claim for negligence sufficient to meet the minimum requirements of CR 12(b)(6). We reverse the superior court's order of dismissal and remand for further proceedings.

WE CONCUR: Fearing, J. Cooney, J.

