Calling an alleged data breach victim’s assertion of injury-in-fact “far too speculative,” a Pennsylvania federal district court recently dismissed a class action suit filed against Aetna, Inc. for lack of standing. In Allison v. Aetna, the court indicated that while a plaintiff in a data breach case may assert an increased risk of harm to satisfy the injury-in-fact requirement for standing, the threat of harm must be credible rather than a mere possibility of future harm.
The suit arose out of a security incident involving Aetna’s job application website. In May 2009, Aetna became aware that the website may have been hacked when job applicants reported receiving “phishing” emails purporting to be from Aetna and asking for additional personal information. The website contained applicants’ email addresses as well as more sensitive information, such as Social Security Numbers and employment histories. Aetna mailed notification letters to those individuals potentially affected by the breach, including the plaintiff. Aetna informed the plaintiff that although his data could have been exposed, Aetna could not verify if it had been accessed. Plaintiff filed suit.
The plaintiff claimed that he alleged injury-in-fact because he suffered an increased risk of identity theft as well as inconvenience and out-of-pocket expenses associated with monitoring his credit. The court summarily rejected the latter argument, holding, in a footnote, that “time and money spent on credit monitoring due to a perceived risk cannot serve as the basis for an injury-in-fact.”
In turning to the plaintiff’s claim of an increased risk of identity theft, the court noted that, since the Seventh Circuit’s decision in Pisciotta v. Old Nat’l Bancorp, the recent trend in such cases has been towards finding standing. Nevertheless, in light of the plaintiff’s allegations and recent case law, including Amburgy v. Express Scripts, Inc., the court dismissed the case. According to the court, “[a]t best, plaintiff has alleged a mere possibility of an increased risk of identity theft, which is insufficient for purposes of standing, and he certainly has not asserted a credible threat of identity theft.” Specifically, the plaintiff could not confirm whether his personal information was in fact accessed and the court held that such an allegation was “conjecture.” Moreover, the plaintiff could not even verify that his email address had been exposed since he never received one of the phishing emails that uncovered the breach. The court also made an important distinction between Pisciotta and this case. Whereas the security incident in Pisciotta was a “sophisticated” and “malicious” attack, the plaintiff here failed to demonstrate any “credible threat of increased risk of identity theft.” The plaintiff, therefore, lacked standing under “any standard of increased risk of harm.”