Finding there was no more than speculative injury, a federal judge has dismissed a class action suit against Aetna Inc. filed in the wake of news that the insurer's computer database may have been hacked and that personal data of up to 450,000 job applicants were potentially at risk.
In Allison v. Aetna, U.S. District Judge Legrome D. Davis added his voice to a growing chorus of judges who have held that such a claim of "increased risk of identity theft" is not enough to confer standing to sue.
"At best, plaintiff has alleged a mere possibility of an increased risk of identity theft, which is insufficient for purposes of standing, and he certainly has not asserted a credible threat of identity theft," Davis wrote.
In his 14-page opinion, Davis surveyed the legal landscape, noting that the case was "part of a burgeoning area of law," and that the courts are divided on whether plaintiffs in such cases have standing.
The analysis is ultimately a fact-specific one, Davis found, that turns on whether the plaintiff is able to show more than a mere possibility of future harm.
The ruling is a victory for attorneys John M. Elliott, Mark J. Schwemler, Timothy T. Myers and Stewart J. Greenleaf Jr. of Elliott Greenleaf & Siedzikowski in Blue Bell, Pa., who argued that the plaintiffs were asking the courts to invent new and novel tort and contract theories.
But the plaintiffs' lawyers -- Sherrie R. Savett and Michael T. Fantini of Berger & Montague -- insisted in court papers that the suit was firmly grounded on actual injury suffered by the lead plaintiff and the class.
"This case is about whether plaintiff and the class can recover for: (i) out-of-pocket costs necessarily incurred as a result of the data breach; (ii) time spent responding to the breach; and (iii) an increased risk of identity theft," the plaintiffs' lawyers argued.
According to court papers, Aetna learned in May 2009 that its job application Web site had been hacked when some applicants reported receiving "phishing" e-mails purporting to be from Aetna and seeking additional personal information.
The site contained the e-mail addresses of about 450,000 job applicants, as well as the Social Security numbers of 65,000 current and former employees. For a smaller number of applicants who had been offered a job, the site contained even more data, including telephone numbers, addresses and employment histories.
Aetna mailed letters to the 65,000 individuals whose Social Security numbers were at risk. The letter "urged" them to take numerous steps to protect themselves from identity theft, including monitoring their personal accounts -- bank statements and credit card bills -- for fraud, placing a fraud alert on their credit files, and reviewing their credit reports for accounts they did not open.
The letter also said Aetna was offering free credit monitoring for one year.
But in the suit, plaintiff Cornelius Allison, a former Aetna employee, claimed that Aetna wasn't offering enough to solve his problems. One year of credit monitoring was not enough, his lawyers argued, for an event in which Aetna itself had acknowledged there was a significant risk of identity theft.
Defense lawyers, in their motion to dismiss, argued that Allison's claims are fatally flawed because the entire case is built on a claim that his personal data "might" have been accessed.
"Based on this pure conjecture," the defense team argued, "plaintiff speculates that maybe, some day, perhaps more than a year from now, he might suffer some kind of harm. As numerous federal courts have already recognized, such allegations of speculative harm do not state a valid or cognizable claim."
Davis agreed, saying "plaintiff's alleged injury of an increased risk of identity theft is far too speculative."
Since Allison never received one of the phishing e-mails, Davis said, the "allegation that his personal information was even accessed is conjecture."
The evidence, Davis said, also hinted that the hackers may have been able to retrieve only e-mail addresses and were therefore using phishing e-mails to access more sensitive data.
The plaintiffs' lawyers urged Davis to draw the opposite inference from the phishing e-mails, arguing that such post-hacking conduct revealed the hackers' nefarious purposes.
Davis disagreed and found instead that the more logical conclusion was that the hackers had come up short and were unable to commit any identity theft crimes with the data they had retrieved unless they used trickery to augment it with more valuable information.
"It would not be a reasonable inference for the court to presume that hackers would seek such information, thereby risking exposure of their nefarious activities, if they had already obtained the same through unlawful means. Accordingly, even assuming that the hackers obtained plaintiff's email address, it is highly speculative that they obtained any other information that would be necessary to commit identity theft," Davis wrote.
Savett and Fantini did not return calls seeking comment.