Privacy Law Blog : Privacy Lawyers & Attorneys : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

In March 2007, Craig E. Kleffman initiated a class action suit in California state court against Vonage Holdings Corp. and certain of its subsidiaries (collectively “Vonage”). Kleffman’s claim arose because Vonage sent him 11 unsolicited commercial e-mail advertisements using 11 different domain names. Id. at 3.

Kleffman alleged that Vonage used these multiple domain names in order to deliberately trick e-mail filters into believing that there were multiple senders (when in fact, all sites were under the control of Vonage). Kleffman alleged that this violated California Business and Professions Code § 17529.5(a)(2), which states that it is unlawful to advertise in a commercial e-mail if the e-mail “contains or is accompanied by falsified, misrepresented, or forged header information.” Id. at 1.

Vonage removed the case to the U.S. District Court for the Central District of California and was granted a dismissal. Kleffman appealed to the U.S. Court of Appeals for the Ninth Circuit which certified the central issue to the Supreme Court of California: “Does sending unsolicited commercial e-mail advertisements from multiple domain names for the purpose of bypassing spam filters constitute falsified, misrepresented, or forged header information under . . . § 17529.5(a)(2)?” Id. at 5.   

Noting that the domain names from which Vonage sent its e-mail advertisements were fully traceable to Vonage’s marketing agents, the Supreme Court of California found that “. . . an e-mail with an accurate and traceable domain name makes no affirmative representation or statement of fact that is false.” Id. at 16. The court also wrote that the state legislature did not intend to prohibit the use of multiple domain names and did not “make it unlawful to use a domain name in a single e-mail that does not make it clear the identity of either the sender or the merchant-advertiser on whose behalf the e-mail advertisement is sent.” Id. at 14.     

In February 2008, the archive vendor transporting back-up tapes associated with The Bank of New York Mellon Shareowner Services, a business unit of The Bank of New York Mellon (“BNY Mellon”), discovered that one of ten boxes was missing. Those tapes contained certain shareowner, plan participant, and payment information, including Social Security numbers and other personally identifying information. Customers of People’s United Bank, another financial institution and a client of Shareowner Services, were among the persons whose data was contained on the missing tapes. Shortly after the tape loss, BNY Mellon alerted affected individuals and offered them two years of credit monitoring, $25,000 in identity theft insurance, and a free credit freeze.

In May 2008, several individual plaintiffs brought a putative class action against People’s United Bank and BNY Mellon, claiming that the loss of the tapes compromised their personal information. They sought damages based on an alleged violation of the Connecticut Unfair Trade Practices Act (“CUTPA”), negligence, and breach of fiduciary duty. Notably, plaintiffs did not allege that any direct financial losses had occurred or that any member of the putative class had been the victim of identity theft as a result of the breach. Plaintiffs instead alleged that the increased risk of identity theft constituted cognizable harm because they would have to pay for future credit monitoring (beyond the two years offered by the defendants) and take other steps to protect against an increased risk of identity theft arising from the incident. Additionally, although not alleged in the complaint, Plaintiffs later argued that the fees paid to People’s United Bank represented additional actual harm (an argument which was roundly rejected by the court as an improper amendment of the pleadings in motion papers).

Judge Bryant rejected plaintiffs’ arguments and granted defendants’ motions to dismiss as to all claims. In dismissing the negligence claim, the court relied chiefly on two recent Southern District of New York decisions, Caudle v. Towers, Perrin, Forster & Crosby, Inc., 80 F. Supp. 2d 573 (S.D.N.Y. 2008) (dismissing claims for negligence and breach of fiduciary duty brought by plaintiffs whose identities had not been stolen), and Shafran v. Harley Davidson, Inc., 2008 WL 763177, at *3 (S.D.N.Y. Mar. 20, 2008) (“an increased risk of future identity theft is not, in itself, an injury that the law is prepared to remedy. Plaintiff’s alleged injuries are solely the result of a perceived and speculative risk of future injury that may never occur.”). As Judge Bryant explained in her opinion:

[T]he Plaintiffs have pointed to no case decided anywhere in the country where a court allowed a negligence claim to survive absent an allegation of actual identity theft . . . . The Court concludes that the courts of Connecticut, like those of New York, would not recognize a negligence claim founded solely on the fear, unsupported by any allegation of malfeasance, of identity theft . . . .

Judge Bryant followed similar reasoning in dismissing the CUTPA and breach of fiduciary duty claims, both of which require an actual, ascertainable loss or harm.

McLoughlin is the latest in a series of data loss cases that refuse to recognize damages stemming from mere “increased risk of harm” absent some evidence of actual fraud or identity theft. See, e.g., Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007); Stollenwerk v. Tri-West Health Care Alliance, No. 05-16990, 2007 U.S. App. LEXIS 27164 (9th Cir. Nov. 20, 2007); Willey v. J.P. Morgan Chase, N.A., No. 09 Civ. 1397 (CM), 2009 WL 1938987 (S.D.N.Y. July 7, 2009); Randolph v. ING Life Ins. & Annuity Co., No. 07-CV-791 (D.C. Jun. 18, 2009); Ruiz v. Gap, Inc., No. 07-5739 SC, 2009 WL 941162 (N.D. Cal. Apr. 6, 2009); Belle Chasse Auto. Care, Inc. v. Advanced Auto Parts, Inc., No. 08-1568, 2009 WL 799760 (E.D. La. Mar. 24, 2009); Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018 (D. Minn. 2006); Bell v. Acxiom Corp., 4:06CV00485-WRW, 2006 U.S. Dist. LEXIS 72477 (E.D. Ark. Oct. 3, 2006); Giordano v. Wachovia Sec., LLC, Civ. No. 06-476 (JBS), 2006 U.S. Dist. LEXIS 52266 (D.N.J. July 31, 2006).

Special thanks to this week’s guest author, Jason Gerstein, a member of Proskauer’s litigation team for the McLoughlin case, for preparing this post.

Old National Bancorp (“ONB”) collected customer information online in connection with applications for accounts, loans, and other ONB banking services. This information included customers’ names, addresses, Social Security numbers, driver’s license numbers, dates of birth, and other financial information. In 2005, ONB’s website was hacked, compromising the personal information ONB maintained about its customers.

Plaintiffs Luciano Pisciotta and Daniel Mills filed a putative class action in the U.S. District Court for the Southern District of Indiana asserting claims for negligence, breach of contract and implied breach of contract against ONB and its website hosting partner NCR. Plaintiffs alleged that ONB’s failure to protect their personal confidential information caused each member of the class to suffer substantial potential economic damages and emotional distress and worry that third parties might misuse their personal information. But Plaintiffs did not allege that any completed direct financial losses had occurred or that any member of the putative class already had been the victim of identity theft as a result of the breach. Id. at *2.

After the district court dismissed all claims against NCR, ONB filed a motion for judgment on the pleadings. The district court granted ONB’s motion, finding that Plaintiffs “have not alleged that ONB’s conduct caused them cognizable injury.” Id. at *2. In reaching this conclusion, the district court found persuasive the decisions of other federal district courts which had rejected “the cost of credit monitoring as an alternative award to for what would otherwise be speculative and unrecoverable damages.” Pisciotta v. Old Nat’l Bancorp, No. 1:05-cv-668-LJM-WTL (S.D. Ind. 2006) (order granting defendant’s motion for judgment on the pleadings). The district court further noted that “[t]he expenditure of money to monitor one’s credit is not the result of any present injury, but rather the anticipation of future injury that has not yet materialized.” Id. 

The Seventh Circuit, after concluding that Plaintiffs’ allegations satisfied constitutional standing requirements, considered the elements of Plaintiffs’ negligence and breach of contract claims, principally the requirement that Plaintiffs’ demonstrate legally cognizable damages. Pisciotta, 2007 WL 2389970, at *4. (Other courts considering similar claims have dismissed for lack of standing or ripeness, finding that the threat of damage fails to create a case or controversy.) 

The court rejected Plaintiffs’ argument that Indiana’s state security breach notification law evidenced the Indiana legislature’s belief that an individual suffers a completed harm at the moment his information is exposed. The court also rejected Plaintiffs’ analogies to medical monitoring cases and several Indiana cases concerning disclosures of personal information by banks. The court pointed out that no Indiana authority had allowed recovery for medical monitoring costs. Id. at *7. In the bank disclosure cases, the plaintiffs suffered direct and immediate reputational injuries and sought to be compensated for that harm, not for their efforts to protect against some future, anticipated injury. Id. at *6.

Ultimately, the Seventh Circuit, like the district court, found the overwhelming weight of authority from other jurisdictions denying recovery for credit monitoring costs persuasive. The court stated:

Although some of these cases involve different types of information losses, all of the cases rely on the same basic premise: Without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy.

Id. at *8. 

Pisciotta is the latest in a series of cases that refuse to recognize damages stemming from “identity exposure” absent some evidence of actual identity theft.  See, e.g., Kahle v. Litton Loan Serv. LP, No. 1:05cv756, 2007 U.S. Dist. LEXIS 35845, at *22 (S.D. Ohio May 16, 2007); Randolph v. ING Life Ins. and Annuity Co., No. 06-1228 (CKK), 2007 U.S. Dist. LEXIS 11523, *25 (D.D.C. Feb. 5, 2007); Giordano v. Wachovia Sec., LLC, Civ. No. 06-476, 2006 U.S. Dist. LEXIS 52266, at *12 (D.N.J. July 31, 2006); Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018, 1021 (D. Minn. 2006); Guin v. Brazos Higher Educ. Servs. Corp., No. 05-688 (RHK/JSM), 2006 U.S. Dist. LEXIS 4846, at *15 (D. Minn. Feb. 7, 2006); Stollenwerk v. Tri-West Healthcare Alliance, No. Civ. 03-0185-PHX-SRB, 2005 U.S. Dist. LEXIS 41054, at *10 (D. Ariz. Sept. 8, 2005).