Privacy Law Blog : Privacy Lawyers & Attorneys : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

New Jersey law, like California law, does restrict the collection of personal information in connection with credit card purchases in some ways. However, New Jersey’s law does not provide for a private right of action. Therefore, the plaintiff in this case attempted to invoke the New Jersey law though the TCCWNA, which does provide for a private right of action. But unfortunately for the plaintiff, her complaint failed to allege the existence of a written contract containing a provision that explicitly violated the applicable New Jersey law on the subject so as to trigger the TCCWNA. Rather, Judge Walls rightly concluded that even assuming that the credit card transaction form constituted a written consumer contract, as plaintiff alleged it did, the “existence of the recorded zip code itself, which consists solely of numbers, does not constitute a contract provision that violates the plaintiff’s rights.” As such, the complaint failed to state a claim under the TCCWNA and required dismissal. The court also denied the plaintiff’s request to file an amended complaint because, in his opinion, the proposed amended complaint failed to either set forth any additional factual support for plaintiff’s allegation that the credit card transaction form constituted a written contract or allege any written provision of such “contract” violated her rights. Thus, according to Judge Walls, the amended complaint would fail for the same reasons as the original complaint.

The district court’s decision in this case supports what many people hope will continue to be the case, i.e., that it will be a challenge for plaintiffs’ lawyers to successfully transplant the California Supreme Court’s recent decision in Pineda v. Williams-Sonoma, Inc. (see this blog post) into other jurisdictions.

In the first amended complaint, brought in the U.S. District Court for the Central District of California, the plaintiff claimed that Spokeo aggregated data from a variety of sources and sold consumer reports to subscribers. The plaintiff alleged that Spokeo uses the aggregated data to draw conclusions and make predictions relating to data subjects’ wealth, credit, and lifestyle choices, and that a “significant portion of the information that it reports is wholly inaccurate.” The plaintiff, who was unemployed at the time the lawsuit was brought, asserted that his Spokeo profile was incorrect and that this incorrect information caused him “actual harm” in his employment search because he was still unemployed.

After initially concluding in May 2011 that the plaintiff’s first amended complaint sufficiently alleged an injury-in-fact with respect to the FCRA claims, U.S. District Judge Otis D. Wright II reversed his prior ruling on September 19, 2011, concluding that the Plaintiff lacked standing for lack of a cognizable injury-in-fact. The Court concluded that “the alleged harm to Plaintiff’s employment prospects is speculative, attenuated and implausible.” The Court added that if complaints such as the plaintiff’s were allowed to proceed, “courts will be inundated by web surfers’ endless complaints.” This case demonstrates that even a strong legal defense will not necessarily prevent costly litigation.

In February 2008, the archive vendor transporting back-up tapes associated with The Bank of New York Mellon Shareowner Services, a business unit of The Bank of New York Mellon (“BNY Mellon”), discovered that one of ten boxes was missing. Those tapes contained certain shareowner, plan participant, and payment information, including Social Security numbers and other personally identifying information. Customers of People’s United Bank, another financial institution and a client of Shareowner Services, were among the persons whose data was contained on the missing tapes. Shortly after the tape loss, BNY Mellon alerted affected individuals and offered them two years of credit monitoring, $25,000 in identity theft insurance, and a free credit freeze.

In May 2008, several individual plaintiffs brought a putative class action against People’s United Bank and BNY Mellon, claiming that the loss of the tapes compromised their personal information. They sought damages based on an alleged violation of the Connecticut Unfair Trade Practices Act (“CUTPA”), negligence, and breach of fiduciary duty. Notably, plaintiffs did not allege that any direct financial losses had occurred or that any member of the putative class had been the victim of identity theft as a result of the breach. Plaintiffs instead alleged that the increased risk of identity theft constituted cognizable harm because they would have to pay for future credit monitoring (beyond the two years offered by the defendants) and take other steps to protect against an increased risk of identity theft arising from the incident. Additionally, although not alleged in the complaint, Plaintiffs later argued that the fees paid to People’s United Bank represented additional actual harm (an argument which was roundly rejected by the court as an improper amendment of the pleadings in motion papers).

Judge Bryant rejected plaintiffs’ arguments and granted defendants’ motions to dismiss as to all claims. In dismissing the negligence claim, the court relied chiefly on two recent Southern District of New York decisions, Caudle v. Towers, Perrin, Forster & Crosby, Inc., 80 F. Supp. 2d 573 (S.D.N.Y. 2008) (dismissing claims for negligence and breach of fiduciary duty brought by plaintiffs whose identities had not been stolen), and Shafran v. Harley Davidson, Inc., 2008 WL 763177, at *3 (S.D.N.Y. Mar. 20, 2008) (“an increased risk of future identity theft is not, in itself, an injury that the law is prepared to remedy. Plaintiff’s alleged injuries are solely the result of a perceived and speculative risk of future injury that may never occur.”). As Judge Bryant explained in her opinion:

[T]he Plaintiffs have pointed to no case decided anywhere in the country where a court allowed a negligence claim to survive absent an allegation of actual identity theft . . . . The Court concludes that the courts of Connecticut, like those of New York, would not recognize a negligence claim founded solely on the fear, unsupported by any allegation of malfeasance, of identity theft . . . .

Judge Bryant followed similar reasoning in dismissing the CUTPA and breach of fiduciary duty claims, both of which require an actual, ascertainable loss or harm.

McLoughlin is the latest in a series of data loss cases that refuse to recognize damages stemming from mere “increased risk of harm” absent some evidence of actual fraud or identity theft. See, e.g., Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007); Stollenwerk v. Tri-West Health Care Alliance, No. 05-16990, 2007 U.S. App. LEXIS 27164 (9th Cir. Nov. 20, 2007); Willey v. J.P. Morgan Chase, N.A., No. 09 Civ. 1397 (CM), 2009 WL 1938987 (S.D.N.Y. July 7, 2009); Randolph v. ING Life Ins. & Annuity Co., No. 07-CV-791 (D.C. Jun. 18, 2009); Ruiz v. Gap, Inc., No. 07-5739 SC, 2009 WL 941162 (N.D. Cal. Apr. 6, 2009); Belle Chasse Auto. Care, Inc. v. Advanced Auto Parts, Inc., No. 08-1568, 2009 WL 799760 (E.D. La. Mar. 24, 2009); Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018 (D. Minn. 2006); Bell v. Acxiom Corp., 4:06CV00485-WRW, 2006 U.S. Dist. LEXIS 72477 (E.D. Ark. Oct. 3, 2006); Giordano v. Wachovia Sec., LLC, Civ. No. 06-476 (JBS), 2006 U.S. Dist. LEXIS 52266 (D.N.J. July 31, 2006).

Special thanks to this week’s guest author, Jason Gerstein, a member of Proskauer’s litigation team for the McLoughlin case, for preparing this post.