Privacy Law Blog : Privacy Lawyers & Attorneys : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

In February 2008, the archive vendor transporting back-up tapes associated with The Bank of New York Mellon Shareowner Services, a business unit of The Bank of New York Mellon (“BNY Mellon”), discovered that one of ten boxes was missing. Those tapes contained certain shareowner, plan participant, and payment information, including Social Security numbers and other personally identifying information. Customers of People’s United Bank, another financial institution and a client of Shareowner Services, were among the persons whose data was contained on the missing tapes. Shortly after the tape loss, BNY Mellon alerted affected individuals and offered them two years of credit monitoring, $25,000 in identity theft insurance, and a free credit freeze.

In May 2008, several individual plaintiffs brought a putative class action against People’s United Bank and BNY Mellon, claiming that the loss of the tapes compromised their personal information. They sought damages based on an alleged violation of the Connecticut Unfair Trade Practices Act (“CUTPA”), negligence, and breach of fiduciary duty. Notably, plaintiffs did not allege that any direct financial losses had occurred or that any member of the putative class had been the victim of identity theft as a result of the breach. Plaintiffs instead alleged that the increased risk of identity theft constituted cognizable harm because they would have to pay for future credit monitoring (beyond the two years offered by the defendants) and take other steps to protect against an increased risk of identity theft arising from the incident. Additionally, although not alleged in the complaint, Plaintiffs later argued that the fees paid to People’s United Bank represented additional actual harm (an argument which was roundly rejected by the court as an improper amendment of the pleadings in motion papers).

Judge Bryant rejected plaintiffs’ arguments and granted defendants’ motions to dismiss as to all claims. In dismissing the negligence claim, the court relied chiefly on two recent Southern District of New York decisions, Caudle v. Towers, Perrin, Forster & Crosby, Inc., 80 F. Supp. 2d 573 (S.D.N.Y. 2008) (dismissing claims for negligence and breach of fiduciary duty brought by plaintiffs whose identities had not been stolen), and Shafran v. Harley Davidson, Inc., 2008 WL 763177, at *3 (S.D.N.Y. Mar. 20, 2008) (“an increased risk of future identity theft is not, in itself, an injury that the law is prepared to remedy. Plaintiff’s alleged injuries are solely the result of a perceived and speculative risk of future injury that may never occur.”). As Judge Bryant explained in her opinion:

[T]he Plaintiffs have pointed to no case decided anywhere in the country where a court allowed a negligence claim to survive absent an allegation of actual identity theft . . . . The Court concludes that the courts of Connecticut, like those of New York, would not recognize a negligence claim founded solely on the fear, unsupported by any allegation of malfeasance, of identity theft . . . .

Judge Bryant followed similar reasoning in dismissing the CUTPA and breach of fiduciary duty claims, both of which require an actual, ascertainable loss or harm.

McLoughlin is the latest in a series of data loss cases that refuse to recognize damages stemming from mere “increased risk of harm” absent some evidence of actual fraud or identity theft. See, e.g., Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007); Stollenwerk v. Tri-West Health Care Alliance, No. 05-16990, 2007 U.S. App. LEXIS 27164 (9th Cir. Nov. 20, 2007); Willey v. J.P. Morgan Chase, N.A., No. 09 Civ. 1397 (CM), 2009 WL 1938987 (S.D.N.Y. July 7, 2009); Randolph v. ING Life Ins. & Annuity Co., No. 07-CV-791 (D.C. Jun. 18, 2009); Ruiz v. Gap, Inc., No. 07-5739 SC, 2009 WL 941162 (N.D. Cal. Apr. 6, 2009); Belle Chasse Auto. Care, Inc. v. Advanced Auto Parts, Inc., No. 08-1568, 2009 WL 799760 (E.D. La. Mar. 24, 2009); Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018 (D. Minn. 2006); Bell v. Acxiom Corp., 4:06CV00485-WRW, 2006 U.S. Dist. LEXIS 72477 (E.D. Ark. Oct. 3, 2006); Giordano v. Wachovia Sec., LLC, Civ. No. 06-476 (JBS), 2006 U.S. Dist. LEXIS 52266 (D.N.J. July 31, 2006).

Special thanks to this week’s guest author, Jason Gerstein, a member of Proskauer’s litigation team for the McLoughlin case, for preparing this post.

As many of our readers know, state data breach notification requirements have spawned a number of private lawsuits, including class actions. The vast majority of courts have found that the injury allegedly associated with the breach is too speculative and have refused to allow these cases to proceed. See, e.g., Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. Aug. 21, 2007); Stollenwerk v. Tri-West Healthcare Alliance, Case No. 05-16990, 2007 WL 4116068 (9th Cir. Nov. 20, 2007) (unpublished); Shafran v. Harley-Davidson, Inc., No. 07 Civ. 01365, 2008 WL 763177 (S.D.N.Y. Mar. 20, 2008); Kahle v. Litton Loan Servicing, LP, 486 F.Supp.2d 705, 712-13 (S.D.Ohio 2007); Randolph v. ING Life Ins. & Annuity Co., 486 F.Supp.2d 1 (D.D.C. 2007); Forbes v. Wells Fargo Bank, N.A., 420 F.Supp.2d 1018, 1021 (D.Minn. 2006); Hendricks v. DSW Shoe Warehouse, 444 F.Supp.2d 775, 783 (W.D.Mich.2006); Key v. DSW, Inc., 454 F.Supp.2d 684 (S.D. Ohio 2006); Guin v. Brazos Higher Educ. Serv. Corp., Inc., No. Civ. 05-668, 2006 WL 288483 (D.Minn. Feb.7, 2006) (unpublished); Bell v. Acxiom Corp., No. 4:06CV00485, 2006 WL 2850042 (E.D. Ark. Oct. 3, 2006) (unpublished); Giordano v. Wachovia Sec., LLC, Civil No. 06-476, 2006 WL 2177036 (D.N.J. July 31, 2006) (unpublished).

That is why many took notice when, last year, in Ruiz v. Gap, Inc., 540 F.Supp.2d 1121 (N.D. Cal. 2008), the Northern District of California granted the Gap’s Rule 12(c) motion for judgment on the pleadings on three of five counts asserted by the plaintiff but allowed the plaintiff to proceed with a negligence claim and a statutory claim under state law. In last year's decision, the court found that an allegation of "increased risk of identity theft" from a lost Social Security number was sufficient "injury in fact" to establish standing and survive a motion to dismiss the negligence claim.

In Ruiz, a thief gained entry to the Chicago offices of Gap's job application processing vendor, Vangent, and stole two laptops. At the time of the theft, one of the computers was downloading information about Gap job applicants. The laptop in question contained personal information, including Social Security numbers, of approximately 750,000 Gap job applicants. Gap sent a notification letter to the applicants whose personal information was on the computer 11 days following the theft. Gap offered to provide the applicants with 12 months of credit monitoring with fraud assistance at no cost. Gap also advised job applicants to notify their banks and sign up for a free credit report from one of the three major credit reporting agencies. Ruiz did not enroll for the credit monitoring and did not contact his bank; he did attempt to sign up for a free credit report.

Noting that an essential element of a negligence claim under California law is "appreciable, nonspeculative, present harm", the court found that an increased risk of identity theft "does not rise to the level of . . . harm necessary to assert a negligence claim under California law" (emphasis added). In fact, Ruiz testified that he has never been a victim of identity theft. The court also rejected Ruiz's reliance on medical monitoring cases, expressing doubt that a California court "would view these two types of cases as analogous" given that there is no public health interest at stake in lost-data cases and noting that toxic exposure plaintiffs seeking to recover the costs of future medical monitoring face significant evidentiary burdens. "Ruiz presents no evidence showing there was an actual exposure of his personal information, much less that it was significant and extensive."

Thus, the Northern District of California joins the many other courts that have rejected negligence claims arising from lost data cases in the absence of a showing of actual harm.