Searching over 5,500,000 cases.

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

McCoy v. Fisher

United States District Court, D. Maryland

October 18, 2016

JEFFREY B. FISHER et al., Defendants.


          Paula Xinis United States District Judge

         I. BACKGROUND

         Plaintiff Antonio McCoy (“Plaintiff”) and his former wife, LaAngela McCoy held title to real property located at 4813 Ocean Gateway, Vienna, Maryland. ECF No. 37-1. On June 19, 2007, LaAngela executed a Note in the amount of $90, 000 to HSBC Mortgage Corporation (“HSBC”). ECF No. 37-2. The Note was secured by a Deed of Trust to HSBC executed by LaAngela and Plaintiff on the same date, and which was recorded among the Land Records of Dorchester County, Maryland. ECF No. 37-3. LaAngela and Plaintiff eventually defaulted on the Note and Deed of Trust. On April 6, 2015, Defendants Jeffrey Fisher and The Fisher Law Group, acting as substitute trustees for HSBC, commenced a foreclosure action in the Dorchester County Circuit Court against LaAngela and Plaintiff. ECF No. 37-4.

         During the foreclosure action, the Fisher Law Group and Jeffrey Fisher attached an Affidavit of Debt to one of their filings which Plaintiff alleges included his loan number and social security number.[1] Pursuant to Maryland Rule 1-322.1, the filer of any paper or electronic filing with a Maryland court must redact or omit certain “personal identifier information” from the document before it is filed, including an individual's social security number. The Fisher Law Group and Jeffrey Fisher admit that they failed to redact personal identifier information from the Affidavit of Debt before filing it with the Dorchester County Circuit Court. ECF No. 37 at 8. On May 29, 2015, the Fisher Law Group sent Plaintiff a letter notifying him of the inadvertent disclosure of his personal information, and stated that the unredacted documents “may have included your loan number and your social security number.” ECF No. 33-1. HSBC sent its own letter to Plaintiff on June 1st, acknowledging that its law firm “filed documents with the court which inadvertently contained information that should have been hidden.” ECF No. 33-2. On June 5, 2015, the substitute trustees filed a motion with the circuit court to restrict access to the circuit court's file also seeking a protective order. The circuit court granted the motion by order on June 8, 2015. ECF No. 37-4 at 6.

         As a result of Defendants' acknowledged mistake, Plaintiff filed a Complaint in this Court against Jeffrey B. Fisher, the Fisher Law Group, and HSBC on February 4, 2016. ECF No. 1. He filed an Amended Complaint on June 29, 2016 alleging six causes of action. ECF No. 32. The first two Counts allege that HSBC, Jeffrey Fisher, and The Fisher Law Group violated what appears to be a section of the Gramm-Leach-Bliley Act: “Title V-Privacy Subtitle A Disclosure of Non-Public Personal Information.” Counts three and four allege that Jeffrey Fisher and The Fisher Law Group violated the Ninth Amendment of the United States Constitution. Counts five and six allege that Jeffrey Fisher and the Fisher Law Group acted negligently in submitting the Affidavit of Debt without redacting Plaintiff's personal information. On July 19, 2016, Defendants Jeffrey Fisher and The Fisher Law Group (hereinafter, “Defendants”) moved to dismiss Plaintiff's Amended Complaint.[2] ECF No. 37.


         Defendants move to dismiss Plaintiff's Amended Complaint pursuant to Fed.R.Civ.P. 12(b), without specifying a particular subsection, and Fed.R.Civ.P. 54. This Opinion addresses only Defendants' challenge to Plaintiff's standing, or lack thereof, which is an element of subject matter jurisdiction. White Tail Park, Inc. v. Stroube, 413 F.3d 451, 459 (4th Cir. 2005); ECF No. 37 at 10-13. Thus, Defendants' motion to dismiss should be treated under Rule 12(b)(1). Under this Rule, the plaintiff bears the burden of proving that subject matter jurisdiction properly exists in the federal court. See Evans v. B.F. Perkins Co., a Div. of Standex Int'l Corp., 166 F.3d 642, 647 (4th Cir. 1999). In a 12(b)(1) motion, the court “may consider evidence outside the pleadings” to help determine whether it has jurisdiction over the case before it. Richmond, Fredericksburg & Potomac R.R. Co. v. United States, 945 F.2d 765, 768 (4th Cir. 1991); see also Evans, 166 F.3d at 647. The court should grant the 12(b)(1) motion “only if the material jurisdictional facts are not in dispute and the moving party is entitled to prevail as a matter of law.” Richmond, 945 F.2d at 768. Occasionally, jurisdictional facts are so intertwined with the merits of a claim that the jury is the proper trier of contested facts. U.S. ex rel. Vuyyuru v. Jadhav, 555 F.3d 337, 348 (4th Cir. 2009).

         III. ANALYSIS

         A. Standing

         To prove standing, a plaintiff must establish (1) an injury in fact (2) fairly traceable to the challenged conduct (3) that is likely to be “redressed by a favorable judicial decision.” Hollingsworth v. Perry, 133 S.Ct. 2652, 2661 (2013). Here, the Defendants argue that Plaintiff has failed to establish the first element, injury in fact, because he alleges only a risk of possible future identity theft. See, e.g., ECF No. 37 at 11 (explaining that nowhere in Plaintiff's Amended Complaint does he allege that disclosure of plaintiff's personal information actually occurred). An injury in fact requires “an invasion of a legally protected interest which is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical.” Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992) (citations omitted). However, the United States Supreme Court in Clapper v. Amnesty International USA, 133 S.Ct. 1138 (2013) recently acknowledged that standing can be based on the “substantial risk” that harm will occur, so long as the future injury is “certainly impending.” Allegations of “possible future injury are not sufficient.” Id. at 1147 (emphasis in original). See also Spokeo, Inc. v. Robins, 136 S.Ct. 1540, 1549 (2016), as revised (May 24, 2016) (noting that “the risk of real harm” may satisfy the concreteness requirement of the injury-in-fact prong).

         Plaintiff alleges that the documents improperly provided to the circuit court included his name, mailing address, social security number, and other personal information. ECF No. 32 at 3. He believes that Defendants' disclosure of his information “subject[s] plaintiff to identity theft for the rest of his life.” ECF No. 32 at 3. This disclosure “will cost plaintiff thousands of dollars to take the necessary steps to prevent identity theft.” See, e.g., id. at 7. However, Plaintiff never alleges that his personal information has been stolen or misused.

         The Fourth Circuit has yet to address whether standing is conferred based on the potential for future victimization of identity theft, but our lower court has recently addressed standing in the data breach context. See Khan v. Children's Nat'l Health Sys., No. TDC-15-2125, 2016 WL 2946165, at *3 (D. Md. May 19, 2016); Chambliss v. Carefirst, Inc, No. RDB-15-2288, 2016 WL 3055299, at *4 (D. Md. May 27, 2016). In Khan v. Children's National Health System, hackers gained access through phishing emails to the accounts of certain hospital employees. The email accounts contained patient names, addresses, dates of birth, social security numbers, telephone numbers and private health care information. The named plaintiff in Khan alleged she was injured because of the concern that her “personal information will be misused.” But she did not “claim that she or anyone else affected by the data breach has learned of any misuse to date.” Id. at *1. After a thorough analysis, the Khan Court concluded that “in the data breach context, plaintiffs have properly alleged an injury in fact arising from increased risk of identity theft if they put forth facts that provide either (1) actual examples of the use of the fruits of the data breach for identity theft, even if involving other victims; or (2) a clear indication that the data breach was for the purpose of using the plaintiffs' personal data to engage in identity fraud.” Khan, 2016 WL 2946165, at *5. Based on this framework, the Court found that the named plaintiff could not prove injury in fact because the plaintiff failed to allege “facts indicating that the hackers have attempted to engage in any misuse of [the hospital] patients' personal information since the breach was discovered.” Id. See also Chambliss, 2016 WL 3055299, at *4 (“‘the mere loss of data-without any evidence that it has been either viewed or misused-does not constitute an injury sufficient to confer standing.'”) (quoting In re Science Applications Int'l Corp. Backup Tape Data Theft Litig., 45 F.Supp.3d 14, 19 (D.D.C. 2014)) (listing cases in accord).

         In this case, Plaintiff has failed to plead sufficient facts to demonstrate that future injuries are anything more than remote and speculative at best. First, and perhaps most fatally, Plaintiff's personal information was not compromised as a result of individuals actively seeking and obtaining his information for personal gain. At most, Plaintiff alleges that his information was accidently made publicly available for a period of time, introducing the risk that a bad actor could obtain such information. Thus, the risk of harm here is far more remote than in Khan, where hackers actively sought and obtained the victim's personal information.

         Second, Plaintiff does not allege his information was obtained by a third party or misused in any way. Plaintiff's personal information remained publicly available for just two months. Sixteen months have passed since the circuit court granted Defendants' motion to restrict access to the unredacted document. Yet, to this day, Plaintiff posits no facts that his personal information has been misused or that such misuse is impending. See Chambliss, 2016 WL 3055299, at *3-4 (finding instructive that plaintiff had suffered no injury since the data breaches occurred one to two years earlier); In re Davis, 430 B.R. 902, 907 (Bankr. D. Colo. 2010) (“[T]here is no evidence that ...

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.