Addressing a putative class action filed after laptops containing health care patients’ private data were stolen, the Eleventh Circuit recently issued one of its more consumer-friendly class action decisions, Resnick v. AvMed, Inc., No. 11-13694, 2012 WL 3833035 (11th Cir. Sept. 5, 2012). The case spotlights an important question: what level of actual injury, and what showing of causation, are required for a data breach class action to survive dismissal?
Data breaches occur when personally identifiable information (“PII”) typically held by a business entity in confidence—ranging from names and addresses to social security numbers and financial account numbers—makes its way into the hands of a third party. Data breaches can be intentional—hackers, stolen laptops or devices, etc.—or unintentional—system glitches, employee negligence, etc. Human error and glitches constitute the root cause of most data breaches. But those caused by malicious hacking and other deliberate misdeeds may be increasing. See PONEMON INSTITUTE LLC, 2011 COST OF DATA BREACH STUDY (March 2012). Generally, plaintiffs have struggled to demonstrate actual harm stemming from a company’s lapse in data security.
To head off a jurisdictional standing challenge based upon the absence of actual injury, plaintiffs frequently allege that intentional maliciousness caused the data breach and that identity theft was the motive. See, e.g., Reilly v. Ceridian Corp., 664 F.3d 38, 43 (3d Cir. 2011) (finding no standing where there was no evidence “that the data has been—or will ever be—misused”); Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010) (finding sufficient injury-in-fact under Article III but cautioning that “[w]ere Plaintiffs–Appellants' allegations more conjectural or hypothetical—for example, if no laptop had been stolen, and Plaintiffs had sued based on the risk that it would be stolen at some point in the future—we would find the threat far less credible”); Pisciotta v. Old Nat. Bancorp, 499 F.3d 629, 634 (7th Cir. 2007) (where the breach was “sophisticated, intentional, and malicious . . . the injury-in-fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced”).
But in some jurisdictions, surviving a standing challenge at the pleading stage often proves a short reprieve, as many cases soon end in dismissal on the merits for inadequate proof of injury and causation. See, e.g., Pisciotta, 499 F.3d at 635-36 (finding plaintiffs had no compensable damages under state law even though plaintiffs undertook credit monitoring to prevent identity theft); Holmes v. Countrywide Financial Corp., No. 5:08-00205, 2012 WL 2873892, at *5 (W.D. Ky. July 12, 2012) (no compensable damages under state law for “the risk of future identity theft, payments for credit monitoring, telephone cancellation charges, and time spent monitoring credit and financial accounts”).
Plaintiffs’ clearest path to avoiding dismissal for lack of injury in data breach cases is to allege, and ultimately prove, actual identity theft resulting from the breach (fraudulent charges, for example), thus establishing compensable damages. See Anderson v. Hannaford Bros. Co., 659 F.3d 151, 164-65, 167 (1st Cir. 2011) (allowing claims for negligence and breach of implied contract because “Plaintiffs’ claims for identity theft insurance and replacement card fees involve actual financial losses from credit and debit card misuse.”); but see Claridge v. RockYou, Inc., 785 F. Supp. 2d 855, 865 (N.D. Cal. 2011) (allowing claims for negligence and contractual breach by finding that “the breach of his PII has caused him to lose some ascertainable but unidentified ‘value’ and/or property right inherent in the PII” even though plaintiffs did not allege any third-party use of that PII).
The Eleventh Circuit’s Resnick decision permits claims to proceed with little evidence tying the actual identity theft to the breach. The defendant in Resnick, AvMed, delivers healthcare services through various health plans. According to Resnick’s complaint, in late 2009, someone entered AvMed’s Gainesville, Florida office and stole two laptops, both of which held AvMed customers’ PII: protected health information, social security numbers, and other contact information. Two customers, the named plaintiffs, became victims of identity theft ten and fourteen months after the laptop theft. Bank and investment accounts were opened in their names, credit cards activated, addresses changed, and purchases made. Both alleged that they had never before been identity theft victims and that they carefully guarded their PII.
In response, AvMed sought dismissal, arguing that there was no allegation of facts sufficient to show that the laptop theft had anything to do with the identity theft. After all, the thieves may just have wanted the laptops to pawn them, sell them, or use them personally. AvMed also argued that there was no allegation of facts sufficient to conclude that the laptop thieves even had the necessary equipment to retrieve the PII. Finally, AvMed argued that the PII used in the identity thefts could have been acquired from sources other than the laptops, and the complaint did not negate that possibility. The Resnick trial court agreed with AvMed and summarily dismissed plaintiffs’ claims, ruling that most of their claims did not rely on a cognizable injury and that any claims of actual identity theft failed federal pleading standards. Resnick v. AvMed, Inc., 10–cv–24513, 2011 WL 1303217 (S.D. Fla. April 5, 2011). On appeal, the Eleventh Circuit reversed in part, with one judge dissenting. Dispensing quickly with AvMed’s “specious” argument that plaintiffs never alleged “un-reimbursed losses,” the court considered whether plaintiffs had standing and whether they had any substantive claims. On standing, the court found that allegations of actual identity theft after a defendant failed to secure sensitive information created the requisite injury fairly traceable to defendant’s conduct.
On the substantive contract and negligence claims, the court considered whether plaintiffs had plausibly alleged causation. The court concluded from the allegations that the PII lost was the same PII used in the identity theft, thus creating the required nexus between the data theft and the identity theft.
The dissenting judge agreed that standing existed but found the substantive causation less than plausible because other scenarios existed to cause the identity theft—a third party selling plaintiffs’ PII for example. The dissenting judge also pointed out that the complaint did not explicitly state that the same PII gleaned from the data theft was used in the identity theft.
The extent of actual injury required to be pleaded and proved in data breach class actions is a rapidly evolving area of the law. This decision will not be welcomed by data breach defendants, but one thing is clear: causation and damages will remain vulnerable areas suitable for early dispositive motion practice in data breach class actions for the foreseeable future.