Recent Death of Data Breach Class Action Resuscitates Lack of Standing Arguments in Identity Exposure Cases

Posted on December 1, 2009 by Brendon Tavelli

On November 23, 2009, a federal court in Missouri bucked the recent trend in identity exposure lawsuits and refused to recognize Article III standing in a class action lawsuit that alleged simply an increased risk of identity theft resulting from a data breach. In Amburgy v. Express Scripts, Inc., Magistrate Judge Frederick R. Buckles of the U.S. District Court for the Eastern District of Missouri held that “plaintiff’s asserted claim of ‘increased-risk-of-harm’ fails to meet the constitutional requirement that a plaintiff demonstrate harm that is ‘actual or imminent, not conjectural or hypothetical.’ Plaintiff has therefore failed to carry his burden of demonstrating that he has standing to bring this suit.” Consequently, the Court dismissed the plaintiff’s action – which included claims for negligence, breach of contract, violations of state data breach notification laws and violations of Missouri’s Merchandising Practices Act ("MPA”) – in its entirety for lack of subject matter jurisdiction pursuant to Rule 12(b)(1) of the Federal Rules of Civil Procedure. In doing so, the court breathed new life into the lack of standing argument that had begun to fall out of favor in identity exposure cases.

Prior to the Court’s decision in Amburgy, the trend in lost data cases had been in favor of finding subject matter jurisdiction, even where the plaintiff's allegations failed to state a valid cause of action. (See our post regarding McLoughlin v. People’s United Bank, Inc. here.) Indeed, as Judge Buckles observed in his opinion, subsequent to the Seventh Circuit’s decision in Pisciotta v. Old Nat’l Bancorp, “district courts have consistently determined that claims of increased risk of identity theft resulting from security breaches sufficiently allege an injury-in-fact to confer Article III standing.” After noting the Seventh Circuit’s lack of discussion in Pisciotta about applying the U.S. Supreme Court’s recognized standards for determining standing under Article III, Judge Buckles engaged in a thorough analysis of the plaintiff’s standing to sue. Relying principally on the Supreme Court’s opinion in Whitmore v. Arkansas, the Court concluded that the plaintiff lacked standing because he “cannot show that he has suffered or will immediately suffer a concrete injury-in-fact.”

In addition to dismissing all of plaintiff’s claims for lack of subject matter jurisdiction, the Court explained that the claims for negligence, violations of state data breach notification laws and violations of Missouri’s MPA also should be dismissed under Rule 12(b)(6) of the Federal Rules of Civil Procedure for failing to state a viable cause of action. The Court pointed out that Plaintiff’s breach of contract allegations stated a claim for at least nominal damages under Missouri law, but the Court lacked subject matter jurisdiction to entertain the matter.
Tags: , , , , , , , , , ,

Show-Me State Finally Shows Its Residents a Data Breach Notification Law, Other States (TX, NC, ME) Make Changes

Posted on July 30, 2009 by Brendon Tavelli

On July 9, 2009, Missouri Governor Jay Nixon signed House Bill 62 ("HB 62”), making the Show-Me State the 45th state with an information security breach notification law on the books. The new law takes effect on August 28, 2009. But Missouri’s new law isn’t the only new data breach notification requirement on the horizon. Amendments to existing data breach notice laws in three other states, Texas, Maine and North Carolina, will also become effective soon.

Missouri: HB 62 includes many provisions that are similar to other state laws requiring notice to individuals when the security of their personal information has been compromised. For example, HB 62 includes a “material risk of harm” trigger. In other words, a business is not required to notify Missouri residents if, after an appropriate investigation or consultation with relevant law enforcement authorities, the business determines that identity theft is not likely to result from the breach. In addition, a business is not required to notify state residents if the personal information compromised was encrypted. Like some other state laws, HB 62 also requires notice to the Missouri Attorney General and national consumer reporting agencies if more than 1,000 Missouri residents are notified, and allows the Attorney General to seek actual damages or civil penalties from persons that fail to comply with the law.

HB 62 applies to the “typical” categories of personal information, including Social Security numbers, driver’s license numbers and information that would permit access to an individual’s financial accounts. But unlike most other state data breach notification laws, HB 62 also applies to medical and health insurance information, including an individual’s medical history, mental or physical condition, treatment or diagnosis, health insurance policy number and any other unique identifier used by a health insurer. Previously, only laws in California, Arkansas and Texas (see below) applied to this kind of information.

Texas:  On June 19, 2009, Texas Governor Rick Perry signed House Bill 2004 (“HB 2004”), which expanded the scope of Texas’ data breach notification law to include public sector entities and health information. Specifically, HB 2004 amends the definition of “sensitive personal information” to include health care information, such as information about an individual’s physical or mental health or payment for health care services. The bill also amends the definition of “breach of system security” to reach breaches of encrypted information “if the person accessing the data has the key required to decrypt the data.” Finally, HB 2004 makes the state’s breach notice obligations applicable to public sector entities and nonprofit athletic and sports associations.

North Carolina: As of October 1, 2009, entities doing business in North Carolina will be required to both provide more detailed data breach notices to individuals and be more forthcoming with the state’s attorney general. North Carolina Senate Bill 1017 (“SB 1017”), signed by Governor Bev Perdue on July 27, 2009, amends North Carolina’s data breach notification law in two significant ways. First, SB 1017 requires notice to the attorney general anytime a business notifies North Carolina residents of a breach. Previously, such notice had been required only for breaches affecting more than 1,000 people. Second, notices to individuals affected by a breach will now be required to include a telephone number for the business providing the notice; toll-free numbers and addresses for the national credit reporting agencies; and toll-free numbers, addresses and web site addresses for the Federal Trade Commission and the North Carolina Attorney General’s Office along with a statement that individuals can learn about preventing identity theft from these sources. These new requirements build on top of existing mandates to (1) describe the incident, the type(s) of personal information unlawfully obtained and the actions being taken to prevent further unauthorized access; (2) provide a telephone number that the recipient may call for further information and assistance; and (3) advise affected individuals to remain vigilant by reviewing account statements and monitoring free credit reports.

MaineFor information about the recent amendment to Maine’s breach notification law, soon to become effective, see our prior blog post.

Since Missouri’s new law and these important updates need to be added to the smorgasbord of state data breach notification laws, it is probably a good time to revisit “The List” of such laws. Here it is!

Alaska (ALASKA STAT. § 45.48.010 et seq.)

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (D.C. CODE § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (HAW. REV. STAT. §§ 487N-1 et seq.)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 24-4.9)

Iowa (IOWA CODE § 715C.1 et seq.)

Kansas (KAN. STAT. ANN. § 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §1346 et seq.; see also L.D. 970)

Maryland (MD. CODE ANN., COM. LAW § 14-3501 et seq.)

Massachusetts (MASS. GEN. LAWS ANN. ch. 93H, § 1 et seq.)

Michigan (MICH. COMP. LAWS ANN. § 445.72)

Minnesota (MINN. STAT. § 325E.61)

Missouri (HB 62, tentatively codified at MO. REV. STAT. § 407.1500)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT. § 75-65; see also SB 1017)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oklahoma (OKLA. STAT. § 74-3113.1)

Oregon (OR. REV. STAT. § 646A.600 et seq.)

Pennsylvania (73 PA. STAT. § 2303)

Puerto Rico (P.R. LAWS ANN. tit. 10, § 4051)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3)

South Carolina (S.C. CODE ANN. § 39-1-90)

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COM. CODE ANN. § 521.001 et seq.; see also HB 2004)

Utah (UTAH CODE ANN. § 13-44-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Virginia (Va. Code Ann. § 18.2-186.6)

U.S. Virgin Islands (V.I. CODE ANN. tit. 14, § 2209)

Washington (WASH. REV. CODE § 19.255.010)

West Virginia (W. Va. Code § 46A-2A-101 et seq.)

Wisconsin (WIS. STAT. § 134.98)

Wyoming (WYO. STAT. ANN. § 40-12-501 et seq.)
Tags: , , , , , , , , , , ,