Privacy Law Blog : Privacy Lawyers & Attorneys : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

In the first amended complaint, brought in the U.S. District Court for the Central District of California, the plaintiff claimed that Spokeo aggregated data from a variety of sources and sold consumer reports to subscribers. The plaintiff alleged that Spokeo uses the aggregated data to draw conclusions and make predictions relating to data subjects’ wealth, credit, and lifestyle choices, and that a “significant portion of the information that it reports is wholly inaccurate.” The plaintiff, who was unemployed at the time the lawsuit was brought, asserted that his Spokeo profile was incorrect and that this incorrect information caused him “actual harm” in his employment search because he was still unemployed.

After initially concluding in May 2011 that the plaintiff’s first amended complaint sufficiently alleged an injury-in-fact with respect to the FCRA claims, U.S. District Judge Otis D. Wright II reversed his prior ruling on September 19, 2011, concluding that the Plaintiff lacked standing for lack of a cognizable injury-in-fact. The Court concluded that “the alleged harm to Plaintiff’s employment prospects is speculative, attenuated and implausible.” The Court added that if complaints such as the plaintiff’s were allowed to proceed, “courts will be inundated by web surfers’ endless complaints.” This case demonstrates that even a strong legal defense will not necessarily prevent costly litigation.

In December 2009, hackers accessed a RockYou database containing customers’ personally identifiable information (“PII”), including Alan Claridge’s. Claridge’s sued RockYou for claims such as negligence, breach of contract and violation of various federal and California state laws.

While many plaintiffs in data breach cases (unsuccessfully) allege harm suffered based on an increased risk of identity theft as well as inconvenience and out-of-pocket expenses associated with credit monitoring, Plaintiff employed a unique argument. As the court described, “Plaintiff generally alleges that defendant’s customers, including plaintiff, ‘pay’ for the products and services they ‘buy’ from defendant by providing their PII, and that the PII constitutes valuable property that is exchanged not only for defendant’s products and services, but also in exchange for defendant’s promise to employ commercially reasonable methods to safeguard the PII that is exchanged. As a result, defendant’s role in allegedly contributing to the breach of plaintiff’s PII caused plaintiff to lose the ‘value’ of their PII, in the form of their breached personal data.”

According to the court, the alleged was enough for purposes of standing. “On balance, the court declines to hold at this juncture that, as a matter of law, plaintiff has failed to allege an injury in fact sufficient to support Article III standing . . . [T]he court finds plaintiff’s allegations of harm sufficient at this stage to allege a generalized injury in fact.” 

The court, however, did note that it “has doubts about plaintiff’s ultimate ability to prove his damages theory in this case,” and that “[i]f it becomes apparent, through discovery, that no basis exists upon which plaintiff could legally demonstrate tangible harm via the unauthorized disclosure of personal information, the court will dismiss plaintiff’s claims for lack of standing at the dispositive motion stage.”  So, while this may have been a small victory for data breach plaintiffs, the viability of the argument that PII has value and that data breaches may cause harm to that value remains uncertain.

Prior to the Court’s decision in Amburgy, the trend in lost data cases had been in favor of finding subject matter jurisdiction, even where the plaintiff's allegations failed to state a valid cause of action. (See our post regarding McLoughlin v. People’s United Bank, Inc. here.) Indeed, as Judge Buckles observed in his opinion, subsequent to the Seventh Circuit’s decision in Pisciotta v. Old Nat’l Bancorp, “district courts have consistently determined that claims of increased risk of identity theft resulting from security breaches sufficiently allege an injury-in-fact to confer Article III standing.” After noting the Seventh Circuit’s lack of discussion in Pisciotta about applying the U.S. Supreme Court’s recognized standards for determining standing under Article III, Judge Buckles engaged in a thorough analysis of the plaintiff’s standing to sue. Relying principally on the Supreme Court’s opinion in Whitmore v. Arkansas, the Court concluded that the plaintiff lacked standing because he “cannot show that he has suffered or will immediately suffer a concrete injury-in-fact.”

In addition to dismissing all of plaintiff’s claims for lack of subject matter jurisdiction, the Court explained that the claims for negligence, violations of state data breach notification laws and violations of Missouri’s MPA also should be dismissed under Rule 12(b)(6) of the Federal Rules of Civil Procedure for failing to state a viable cause of action. The Court pointed out that Plaintiff’s breach of contract allegations stated a claim for at least nominal damages under Missouri law, but the Court lacked subject matter jurisdiction to entertain the matter.

Old National Bancorp (“ONB”) collected customer information online in connection with applications for accounts, loans, and other ONB banking services. This information included customers’ names, addresses, Social Security numbers, driver’s license numbers, dates of birth, and other financial information. In 2005, ONB’s website was hacked, compromising the personal information ONB maintained about its customers.

Plaintiffs Luciano Pisciotta and Daniel Mills filed a putative class action in the U.S. District Court for the Southern District of Indiana asserting claims for negligence, breach of contract and implied breach of contract against ONB and its website hosting partner NCR. Plaintiffs alleged that ONB’s failure to protect their personal confidential information caused each member of the class to suffer substantial potential economic damages and emotional distress and worry that third parties might misuse their personal information. But Plaintiffs did not allege that any completed direct financial losses had occurred or that any member of the putative class already had been the victim of identity theft as a result of the breach. Id. at *2.

After the district court dismissed all claims against NCR, ONB filed a motion for judgment on the pleadings. The district court granted ONB’s motion, finding that Plaintiffs “have not alleged that ONB’s conduct caused them cognizable injury.” Id. at *2. In reaching this conclusion, the district court found persuasive the decisions of other federal district courts which had rejected “the cost of credit monitoring as an alternative award to for what would otherwise be speculative and unrecoverable damages.” Pisciotta v. Old Nat’l Bancorp, No. 1:05-cv-668-LJM-WTL (S.D. Ind. 2006) (order granting defendant’s motion for judgment on the pleadings). The district court further noted that “[t]he expenditure of money to monitor one’s credit is not the result of any present injury, but rather the anticipation of future injury that has not yet materialized.” Id. 

The Seventh Circuit, after concluding that Plaintiffs’ allegations satisfied constitutional standing requirements, considered the elements of Plaintiffs’ negligence and breach of contract claims, principally the requirement that Plaintiffs’ demonstrate legally cognizable damages. Pisciotta, 2007 WL 2389970, at *4. (Other courts considering similar claims have dismissed for lack of standing or ripeness, finding that the threat of damage fails to create a case or controversy.) 

The court rejected Plaintiffs’ argument that Indiana’s state security breach notification law evidenced the Indiana legislature’s belief that an individual suffers a completed harm at the moment his information is exposed. The court also rejected Plaintiffs’ analogies to medical monitoring cases and several Indiana cases concerning disclosures of personal information by banks. The court pointed out that no Indiana authority had allowed recovery for medical monitoring costs. Id. at *7. In the bank disclosure cases, the plaintiffs suffered direct and immediate reputational injuries and sought to be compensated for that harm, not for their efforts to protect against some future, anticipated injury. Id. at *6.

Ultimately, the Seventh Circuit, like the district court, found the overwhelming weight of authority from other jurisdictions denying recovery for credit monitoring costs persuasive. The court stated:

Although some of these cases involve different types of information losses, all of the cases rely on the same basic premise: Without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy.

Id. at *8. 

Pisciotta is the latest in a series of cases that refuse to recognize damages stemming from “identity exposure” absent some evidence of actual identity theft.  See, e.g., Kahle v. Litton Loan Serv. LP, No. 1:05cv756, 2007 U.S. Dist. LEXIS 35845, at *22 (S.D. Ohio May 16, 2007); Randolph v. ING Life Ins. and Annuity Co., No. 06-1228 (CKK), 2007 U.S. Dist. LEXIS 11523, *25 (D.D.C. Feb. 5, 2007); Giordano v. Wachovia Sec., LLC, Civ. No. 06-476, 2006 U.S. Dist. LEXIS 52266, at *12 (D.N.J. July 31, 2006); Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018, 1021 (D. Minn. 2006); Guin v. Brazos Higher Educ. Servs. Corp., No. 05-688 (RHK/JSM), 2006 U.S. Dist. LEXIS 4846, at *15 (D. Minn. Feb. 7, 2006); Stollenwerk v. Tri-West Healthcare Alliance, No. Civ. 03-0185-PHX-SRB, 2005 U.S. Dist. LEXIS 41054, at *10 (D. Ariz. Sept. 8, 2005).