In the past two years highly publicized security breaches at major businesses, universities and government agencies have generated class actions and other civil lawsuits seeking to impose liability on organizations whose security practices enable consumer identity theft. Theories of liability asserted by the plaintiffs include breach of contract, breach of fiduciary duty, and negligence, as well as various state and federal statutory claims. Recent decisions in these cases show that plaintiffs face significant obstacles in trying to impose minimum standards of data security on businesses whose systems are vulnerable to identity theft. In particular, plaintiffs in security breach cases have generally been unable to persuade courts of their injury or to prove damages based merely upon the unauthorized theft or loss of their personal information. This is true even where the underlying breach has later led to criminal convictions of identity thieves or regulatory penalties for the companies involved.

One of the first highly publicized identity breaches occurred at the data broker ChoicePoint and involved systematic unauthorized access by identity thieves to more than 145,000 customer records. The thieves established phony accounts with ChoicePoint to obtain online access to names, addresses, Social Security Numbers and other identifying information of ChoicePoint data subjects. Because many of the affected individuals were California residents, ChoicePoint was obligated to provide them with written notice of the incident pursuant to California's breach notification statute, S.B. 1386, which went into effect July 1, 2003. These notices prompted the filing of several class action lawsuits seeking damages for the thousands of individuals whose data had been revealed to the identity thieves. But in October 2006 the consolidated ChoicePoint class action suits were dismissed by a district judge in California. Harrington v. ChoicePoint, Inc., No. 2:05-cv-01294-MRP-JWJ (C.D. Cal. Oct. 11, 2006). The decision, based mainly on plaintiffs' failure to state claims under the federal Fair Credit Reporting Act, was the latest in a series of reverses for plaintiffs attempting to pursue consumer injury claims against businesses that experience data security failures.

Two other high profile security breaches, at Wachovia Bank and CardSystems Inc., also resulted in class actions. However, Mingo v. Wachovia Bank, No. 2:05-cv-06308-RBS (E.D. Pa. Dec. 6, 2005), was voluntarily dismissed by the plaintiffs, and in Parke v. CardSystems Solutions, Inc., No. CGC-05-442624 (Cal. Super. Ct. Oct. 18, 2005), the defendant CardSystems filed a notice of stay of proceedings.

Lack of Standing

A fundamental weakness in most cases brought by consumers is the lack of standing. Under Article III of the Constitution, a plaintiff must establish: (a) that the plaintiff has suffered an injury-in-fact which is actual, concrete, and particularized; (b) a causal connection between the conduct complained of and the injury suffered by the plaintiff; and (c) that the injury will be redressed by a court's favorable decision. Bell v. Acxiom Corp., No. 4:06CV0045-WRW, 2006 WL 2850042, slip op. (E.D. Ark. Oct. 3, 2006).

The plaintiffs in most data breach cases are individuals whose personally identifying information may have been accessed or otherwise exposed, without authorization, as a result of computer hacking or the theft or loss of hardware or files containing unencrypted personal data. This was the situation in Bell v. Acxiom, a federal class action brought against another data brokerage giant. Ms. Bell alleged that her privacy had been jeopardized and that she was at an increased risk of identity theft as a result of the hacking of Acxiom's computers. The hacker, who was later convicted of criminal identity theft, sold some of the information he had stolen to a direct marketing company. However, discovery in the case did not disclose whether the plaintiff's specific information was actually included in the stolen data, and her allegation of harm was therefore limited to claims of increased risk of identity theft. The court held that such an allegation fails to meet the Article III standing requirement of a concrete or particularized harm because it merely asserts a potential future injury rather than an injury-in-fact.

Key v. DSW Inc., 2006 WL 2794930 (S.D. Ohio Sept. 27, 2006), was one of three class actions brought in the wake of a major data security failure at a discount shoe retailer resulting from allegedly inadequate technical and administrative security measures. The court dismissed the case for lack of standing, finding that Ms. Key's claims "are based on nothing more than a speculation that she will be a victim of wrongdoing at some unidentified point in the indefinite future . . . ." The court also rejected the plaintiff's attempt to analogize the need for credit monitoring in security breach cases to the need for medical monitoring in product liability cases, in which imminent harm arising from a defective device implanted in a plaintiff's body, or from a plaintiff's exposure to toxic chemicals, may meet federal standing requirements.

A similar argument was rejected in Stollenwerk v. Tri-West Healthcare Alliance, 2005 WL 2465906 (D. Ariz. Sept. 6, 2005). Plaintiffs sued a government health insurance contractor after computers containing their personal information were stolen from the contractor's offices. The injury alleged by some of the plaintiffs was that they had to procure credit monitoring services and identity theft insurance following the theft. Plaintiffs cited toxic tort and product liability cases for the proposition that they had suffered latent injuries, including anticipation of identity theft. The court held, however, that identity theft does not rise to the same level of public policy concern as does human health and safety in medical monitoring cases. Even if the purchase of credit monitoring was sufficient to state a claim in negligence, the court found that plaintiffs had failed to present adequate evidence that their risk of identity theft had actually increased by any quantifiable measure.

Other plaintiffs have recently met with similar results when asserting that the cost of engaging credit monitoring services constitutes an injury-in-fact. Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018, 1021 (D. Minn. 2006).

Lack of Causation

Another hurdle in establishing standing or showing damages in security breach cases is the difficulty of showing a causal connection between the defendant's actions and the plaintiff's alleged injury. Thus, even if the plaintiff can show that she has been a victim of identity theft, it is difficult to establish that this injury was reasonably likely (and not merely possible) to have occurred because of the defendant's information security breach. In Stollenwerk v. Tri-West Healthcare Alliance, 2005 WL 2465906 (D. Ariz. Sept. 6, 2005), the fact that the plaintiff's information was used in opening fraudulent accounts did not, in and of itself, establish causality because the plaintiff had disclosed this same information to other parties. Given that most consumers divulge their personal information to several financial institutions, credit card companies, and employers, plaintiffs may have a difficult time meeting the causality requirement under this reasoning. To succeed, plaintiffs will need to produce evidence of the misuse of the data accessed by identity thieves or make a convincing statistical showing that a security breach will necessarily lead to injury.

Fiduciary Duties, State Claims

State claims may be a more promising avenue for security breach plaintiffs. In Richardson v. DSW, Inc., 2006 WL 163167 (N.D. Ill. Jan. 18, 2006), two claims brought in a class action under state law (breach of implied contract and claims under the Illinois Consumer Fraud and Deceptive Practices Act) survived a motion to dismiss. The claims in Richardson also arose out of the aforementioned DSW incident. In Walters v. DHL Exp., 2006 WL 1314132 (C.D. Ill. April 21, 2006), the court dismissed the plaintiff's claim for damages based on an increased risk of future identity theft but noted that the plaintiff could have made a claim under general state tort law.

Individual plaintiffs have had some measure of success in cases where the defendant owed a fiduciary duty to protect the plaintiff's information. In Remsburg v. Docusearch, Inc., 149 N.H. 148, 816 A.2d 1001 (N.H. 2003), a private investigatory firm was found liable for selling information, including the Social Security Number and work address of the plaintiff's daughter, to a man who had been stalking and later killed the plaintiff's daughter. The court reasoned that a private investigator owed a duty to exercise reasonable care not to subject a third party to an increased risk of criminal misconduct, including stalking and identity theft. Similarly, in Bell v. Mich. Council, 2005 WL 356306 (Mich. App. Feb. 15, 2005), union member plaintiffs were successful in alleging that a union was liable for not safeguarding their personal information and that the union's negligence facilitated the identity theft perpetrated by a third party (the treasurer's daughter). A jury awarded damages to the union members for the mental anguish and inconvenience they experienced as a result of the opening of fraudulent accounts by the treasurer's daughter, and the defendants appealed. The Michigan appellate court upheld the jury award, concluding that the union had a special relationship with its members giving rise to a duty to safeguard personal data that the members entrusted to the union. Among the distinguishing facts cited by the court in finding a duty-imposing relationship were the union's obligation to act in the best interests of its members, the foreseeability (under the circumstances) of theft and misuse of the data, and the union's lack of safeguards to prevent unauthorized access to members' personal data.

However, to date plaintiffs have generally failed to establish a breach of a duty of care to secure customer data based on the defendant's purported statutory privacy obligations. In Guin v. Brazos Higher Educ. Serv. Corp., Inc., 2006 WL 288483 (D. Minn. Feb. 7, 2006), the plaintiff argued that the defendant student loan company owed a duty to safeguard the plaintiff's personal information pursuant to the Gramm-Leach-Bliley Act (15 U.S.C. §6801 et seq.), which governs the privacy practices of financial services companies, and that this duty was breached when a laptop containing customer data was stolen from an employee's home. The court held otherwise, granting summary judgment for the defendant and noting that the defendant had appropriate security practices in place with which it had complied. The court also noted that neither the GLB Act nor its implementing regulations require data encryption during storage or transit by a regulated entity. As in the Stollenwerk case, the court in Guin found no injury in increased exposure to identity theft and no causation, because the intervening criminal use of data on the stolen laptop was not reasonably foreseeable.

Lessons From First Wave

The security breach class action and individual civil cases reported to date suggest that data breaches alone are insufficient grounds for successful negligence and contract claims against owners or processors of customer data troves. With a new Congress and key committee chairmanships in both houses changing hands, the many pending bills in Congress relating to information security and breach notification may actually coalesce and move toward passage. Whether federalizing breach notice and information security obligations will help or hurt plaintiffs in the quest to discipline businesses for lax security remains to be seen.

Does this mean that potential defendants in security breach cases can sit back and relax in view of the plaintiffs' weak scorecard so far in these types of cases? Not really. The real penalties for customer data breaches have been the costs of managing compliance with the now more than 35 state consumer breach notification laws, launching public relations and damage control campaigns, and, for an unlucky few, responding to Federal Trade Commission or state attorney general investigations and complying with the subsequent consent decrees or orders. In the ChoicePoint and DSW matters, for example, where plaintiffs have so far struck out, the FTC imposed substantial sanctions, including fines totaling $15 million. The addition of a real threat of class action damages awards to this current mix of sanctions would convert what is already a throbbing corporate risk management headache into a full-scale migraine.

John Kennedy is a partner in the intellectual property and information technology practice group at LeBoeuf, Lamb, Greene & MacRae. Parishi Sanjanwala is an associate in the intellectual property and information technology practice group at LeBoeuf, Lamb. Darrelle M. Spears and Anne E. Kennedy, also associates at LeBoeuf Lamb, assisted in the preparation of this article.