A recent decision from the Southern District of Ohio echoes prior decisions of district courts addressing negligence claims against companies that have experienced a data breach. The court held that the cost of obtaining credit monitoring services does not count as damages without evidence of identity fraud. Kahle v. Litton Loan Servicing LP, case no. 1:05cv756.
On August 27, 2005, the defendant, Litton Loan Servicing LP, experienced a break-in involving the theft of more than $60,000 of computer equipment. The perpetrators took six unmarked hard drives, four of which contained the personal information of 229,501 people, including the plaintiff Patricia Kahle. The police conducted an investigation and Litton hired a private investigator who conducted a separate investigation. Litton provided notice of the theft to each person whose information was on the stolen hard drives approximately four weeks after the break-in. The notice included the type of information stolen, a Federal Trade Commission website that could be of assistance, and a toll free contact number at Litton. The notice also recommended that affected consumers place a fraud alert on their credit file.
Kahle did not place a fraud alert on her credit report after the theft, and had no knowledge of unauthorized use of her personal information. There was some evidence to suggest that Kahle had purchased credit monitoring services before the theft. Kahle claimed she would need credit monitoring for many years, at great financial expense to her, as a result of the Litton incident.
The Court relied heavily on Key v. DSW, Inc., 454 F.Supp.2d 684 (D. Ohio 2006), and Forbes v. Wells Fargo Bank, N.A., 420 F.Supp.2d 1018 (D. Minn. 2006), in granting Litton’s motion for summary judgment. In Key, unauthorized persons obtained access to DSW’s confidential financial information. The plaintiff alleged negligence, breach of contract, conversion and breach of fiduciary duty. The Key court dismissed the plaintiff’s claims for lack of standing, finding that the plaintiff had presented no evidence that anyone planned on using her financial information or identity, and that any potential injury depended on the plaintiff’s information being accessed and used for unlawful purposes. The Forbes Court ruled against the plaintiffs because, like Kahle, they did not show a present injury or a reasonably certain future injury to support damages for alleged increased risk of harm.
Kahle claimed her case was different from Key and Forbes. She pointed out that, in those cases, the defendant had offered free credit monitoring, and that the Forbes plaintiffs were notified immediately of the breach, whereas Litton took four weeks to issue notifications. The Court rejected these arguments, noting that Forbes did not consider whether credit monitoring was offered when it granted summary judgment to the defendant, and that Key was silent on the issue.
The court concluded that “any injury of Plaintiff is purely speculative. It is Plaintiff’s choice to obtain credit monitoring in this situation; however, without direct evidence that the information was accessed or specific evidence of identity fraud this Court can not find the cost of obtaining that credit monitoring to amount to damages in a negligence claim.”
Thus, district courts continue to reject attempts by consumers to impose tort liability on businesses experiencing data breaches. However, as explained in our May 29 post here, legislators in a number of states are considering bills – and Minnesota has already passed legislation – that would transfer the risk of such incidents to merchants by allowing card-issuing financial institutions to recover for the “costs of reasonable actions” to protect its cardholders’ information and continue to provide services to its cardholders after a breach.