September 08, 2011

Proving Damages in Database-Breach Class Actions

Many victims of database breaches point fingers at the entities holding their information, complaining that too little is being done to safeguard it from theft.

By Alan R. Poppe

Recently, Citigroup announced that hackers had breached its security and gained access to the data of more than 200,000 of its credit-card customers in North America. The bank said that while information concerning customers’ names, credit-card numbers, addresses, and email addresses was obtained by the hackers, data such as Social Security numbers, date of birth, card expiration date, and card security codes were not compromised, making it less likely, claimed the bank and security experts, that the exposed customers would become victims of fraud. That may be of little assurance, however, to those customers affected by the Citibank breach or the millions of Americans whose private information has been stolen in recent years. Initial news accounts of the breach reported that the hackers gained access to the records by first logging on to the Citigroup customer website. Nelson D. Schwartz & Eric Dash, “Thieves Found Citigroup Site an Easy Entry,” N.Y. Times, June 13, 2011, at A1.

Reports have indicated that in 2010, approximately 3.8 million records containing personal information were compromised and that more than a third of those records were from banks and other financial institutions. Id. Many victims of database breaches are pointing fingers at the entities that hold their personal information, complaining that too little is being done to safeguard that information from theft.

Legal Remedies for Database-Breach Victims
But what legal remedy, if any, do the victims of a database breach have against the bank, credit-card company, employer, retailer, or countless other entities that hold their personal information? As one district court explained, “[d]atabase breaches appear to provide the basis for a new breed of lawsuits, and especially class action lawsuits, in which plaintiffs allege . . . that the database handlers’ negligence in developing and maintaining security measures [has] resulted in otherwise personal and confidential information being compromised.” Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1050 (E.D. Mo. 2009). Indeed, to the extent database breaches involve small harms to a large number of people, they have qualities that on their surface may appear to be most appropriate for class-action treatment.

Database-breach litigation, whether brought by a single plaintiff or as a putative class action, typically involves claims based either in contract or tort, each of which requires damages as an element of the claim. It is yet to be learned whether any of the hundreds of thousands of victims of the recent Citibank breach will ultimately be a victim of identity theft or fraud—most certainly, one hopes that will not occur. However, absent proof that any personal information has actually been misused, many plaintiffs suing database handlers have found themselves without a remedy because no one has suffered an injury or been damaged as a result of the breach. Plaintiffs commonly allege an “increased risk of harm” that may occur if their compromised personal data is used to commit identity fraud or is otherwise misused in some fashion, along with the cost of measures aimed at preventing harm that has yet to occur, such as credit-monitoring services. In such cases, however, the courts have routinely refused to impose civil liability on the handler of the personal data because of either the plaintiffs’ lack of Article III standing or a failure to state one of the required elements of a cause of action in contract or tort law. See Hammond v. Bank of N.Y. Mellon Corp., No. 08 Civ. 6060, 2010 WL 2643307, at *1 (S.D.N.Y. June 25, 2010) (“While there is a split in authority as to how to analyze these cases, every court to do so has ultimately dismissed under Rule 12(b)(6) . . . or under Rule 56 after submission of a motion for summary judgment.”).

Pisciotta Plaintiffs Had Standing but Failed to Plead Damages
Prior to the Seventh Circuit’s decision in Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 2007), a majority of courts concluded that the plaintiffs lacked Article III standing. See, e.g., Randolph v. ING Life Ins. & Annuity Co., 486 F. Supp. 1, 7–8 (D.D.C. 2007) (plaintiff who alleged that laptop containing personal information was stolen, but did not allege any misuse, lacked standing); Key v. DSW, Inc., 454 F. Supp. 2d 684, 690 (S.D. Ohio 2006) (plaintiff who alleged that personal information was compromised, but did not allege any misuse, lacked standing); Bell v. Acxiom Corp., No. 06-0485, 2006 WL 2850042, at *1 (E.D. Ark. Oct. 3, 2006) (plaintiff who alleged increased risk of unsolicited mailing advertisements and identity theft lacked standing). Standing is a constitutional issue under Article III, and the party invoking federal jurisdiction bears the burden of establishing that the plaintiff suffered an “injury in fact” that is “concrete and particularized” and “actual or imminent, not conjectural or hypothetical,” a causal connection between the injury and the conduct in the complaint, and that it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision. Lujan v. Defenders of Wildlife, 504 U.S. 555, 560–61 (1992). Article III’s standing requirements are not mere pleading formalities; they constitute a threshold issue to be addressed before a federal court “proceeds at all in any cause.” Id. at 560.

In Pisciotta, the plaintiffs brought a putative class action against Old National Bancorp alleging that the bank, through its website, solicited personal information from applicants for banking services but failed to secure it adequately, which allowed a hacker to obtain confidential information of tens of thousands of the website’s users. The plaintiffs alleged claims for breach of implied contract and negligence, asserting that they and others in the putative class incurred and will continue to incur expenses associated with preventing their confidential information from being misused. The plaintiffs did not assert, however, that they or any members of the class had been a victim of identity theft or fraud as a result of the breach.

The Seventh Circuit began its analysis by acknowledging that a number of courts have held that a threat of future harm did not confer Article III standing but concluded, nevertheless, that it was “not persuaded by the reasoning of these cases.” Pisciotta, 499 F.3d at 634. The court looked to cases involving toxic torts, environmental harm, and medical monitoring, and it held that “the injury-in-fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent the defendant’s actions.” Id.

Turning to the merits of the plaintiffs’ claims, the Seventh Circuit noted that, under Indiana law, both claims for negligence and breach of implied contract required compensable damages caused by either the defendants’ breach of duty or breach of contract, respectively. The court stated that it could find no state statute or case law holding that the “harm caused by identity information exposure, coupled with the attendant costs to guard against identity theft, constitutes an existing cognizable injury.” Id. at 635. Therefore, the Seventh Circuit affirmed the district court’s dismissal for failure to state a claim under Federal Rule of Civil Procedure 12(b)(6).

Since Pisciotta, Courts Have Differed on Standing
Since the decision in Pisciotta, the courts have split on the issue of standing. See, e.g., Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1050 (E.D. Mo. 2009) (plaintiff lacked standing); Ruiz v. Gap, Inc., 622 F. Supp. 2d 908, 912–13 (N.D. Cal. 2009) (plaintiff whose laptop containing his personal information was stolen, but who did not allege misuse, had standing); Caudle v. Towers, Perrin, Forster & Crosby, Inc., 80 F. Supp. 2d 273, 280 (S.D.N.Y. 2008) (same). Recently, in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), the Ninth Circuit Court of Appeals held that the increased risk of future misuse of personal data was sufficient to confer Article III standing, but the court nonetheless affirmed the district court’s dismissal of the plaintiffs’ state-law claim for negligence because they failed to allege a cognizable injury under state law.

In Krottner, a laptop computer containing names, addresses, and Social Security numbers of approximately 97,000 current and former Starbucks employees was stolen. Starbucks notified those concerned and encouraged the affected employees to monitor their credit and take steps to protect themselves from identity theft. Starbucks also offered one year of free credit-monitoring services. Two groups of employees filed nearly identical class-action lawsuits. One named plaintiff allegedly suffered from anxiety and stress as a result of the theft, while a second named plaintiff alleged that his bank had notified him that someone had attempted to open a new account using his Social Security number, but the bank had already closed the account, and the plaintiff did not allege that he suffered any financial loss. The second named plaintiff, along with a third plaintiff, alleged that after receiving notification of the breach, they expended significant time and energy monitoring their financial accounts and will pay out of pocket for credit-monitoring services once the free service expires.

The district court held that all three plaintiffs had standing, but the court dismissed their complaints for failure to allege a sufficient injury. On appeal, the Ninth Circuit reasoned that in other contexts, such as environmental claims, “‘the possibility of future injury may be sufficient to confer standing’” where the plaintiff “‘is immediately in danger of sustaining some direct injury as a result of the challenged . . . conduct.’” Id. at 1142 (citation omitted). The court went on to hold that the plaintiffs “have alleged a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data.” Id. at 1143.

In a separate but concurrent opinion, Krottner v. Starbucks Corp., 406 F. App’x 129 (9th Cir. 2010), the Ninth Circuit explained that “Article III standing does not establish that [a plaintiff] adequately pled damages for purposes of their state-law claims.” Id. (citations omitted). Under the applicable state law, the court held that “[t]he mere danger of future harm, unaccompanied by present damage, will not support a negligence action,” reasoning that the only plaintiff who claimed that his personal information had been misused did not suffer any loss related to the attempt to open a bank account in his name. Id.

While the Ninth Circuit held that the theft of the laptop containing the personal information was sufficient to allege a credible threat of “real and immediate harm,” other courts have required allegations of actual misuse of the data. In Allison v. Aetna, Inc., No. 09-02560, 2010 WL 3719243 (E.D. Pa. Mar. 9, 2010), hackers purportedly breached the insurance company’s online job application database, which contained the email addresses of job applicants; the Social Security numbers of current and former employees; and the Social Security numbers, addresses, and employment histories of individuals who had received job offers from Aetna. The company first became aware of the data breach when applicants reported receiving “phishing” emails pretending to be from Aetna, asking the applicants for additional personal information to supposedly add to their job applications. Upon learning of the data breach, Aetna notified the public and sent notification letters to those potentially affected by the breach. In addition, Aetna offered one year of free credit-monitoring assistance and identity-theft insurance.

The named plaintiff, however, did not allege that he personally received the phishing email, nor did he allege any sort of misuse of his personal information specifically. The only allegation of “misuse” solely involved the phishing emails sent to others. The named plaintiff attempted to state claims against Aetna for negligence, breach of implied contract, breach of express contract, negligent misrepresentation, and invasion of privacy, and sought damages for the various remedial measures that he and the putative class members were forced to undertake, including time spent reviewing bank statements and credit reports, as well as out-of-pocket expenses for additional identity-theft protection. In addition, the named plaintiff alleged that he and the putative class face a significant risk of identity theft and that they suffer anxiety, emotional distress, and loss of privacy.

The district court dismissed the case for lack of standing, concluding that “[a]t best, Plaintiff has alleged a mere possibility of an increased risk of identity theft, which is insufficient for purposes of standing.” Id. at *5. The court analyzed the division in the case law as to whether the plaintiffs in database-breach cases have standing but found that the pleading in this case described “only harm that might befall Plaintiff, sometime in the future, and only if Plaintiff’s private data was in fact stolen by some unauthorized person and is some day used to commit identity theft.” Id. at *3. The court emphasized that the pleading “does not allege that Plaintiff, or anyone else, has actually become the victim of identity theft as a result of the reported breach.” Id. Because the named plaintiff never received the “phishing” email, the district court concluded that “Plaintiff’s allegation that his personal information was even accessed is conjecture.” Id. at *5. Even if the named plaintiff had received a phishing email, the court reasoned that it was “highly speculative” that the hackers had obtained any other useful personal information, since otherwise they would not have risked exposure by sending the phishing email; the court noted further that the plaintiff did not allege that the hackers had succeeded in obtaining that additional information from anyone. Id. at *5–6. Because the plaintiff did not allege a credible threat of an increased risk of identity theft, the court determined that the time and money spent on credit monitoring “was not the result of any present injury, but rather the anticipation of future injury that has not materialized.” Id. at *5 n.7.

The district court acknowledged that the Pisciotta court and others have held that an increased risk of harm was sufficient to confer standing by looking to cases in other contexts, such as environmental, medical, or health-related harms. But the court cautioned against applying such cases because they involve public-policy concerns of protecting the public health: “[W]e would caution that while environmental and medical harms are instructive, the harm resulting from identity theft is qualitatively different.” Id. at *5 n.5. The court further distinguished Pisciotta on the basis that the scope and manner of the theft in that case “suggest[] that the intrusion was sophisticated, intentional, and malicious,” but the court offered no explanation as to how or why the breach of the bank’s marketing website was any more sophisticated or malicious than the breach of the insurance company’s job application website. Id. at *6.

In Hammond v. Bank of New York Mellon Corp., 2010 WL 2643307 (S.D.N.Y. 2010), the Southern District of New York granted summary judgment in favor of the defendant bank in a putative consumer class action arising from two separate incidents in which unencrypted backup computer tapes containing personal and financial information were lost or stolen. In that case, four of the seven named plaintiffs conceded that they suffered no injury other than an increased fear that their personal information may be used improperly; a fifth named plaintiff claimed that her personal information was improperly used after the tape losses but admitted that the misuse was unrelated to the tape losses. The remaining two named plaintiffs claimed that their information was misused but that they were reimbursed for the unauthorized charges. See id. at *8.

Plaintiffs Need to Establish Article III Standing and Plead Damages
As a practical concern for the plaintiffs, it matters little whether a court finds standing if it then dismisses the claim for lack of a cognizable harm. Plaintiffs have argued, and will continue to argue, that the increased risk of identity theft is analogous to the increased risk of harm present in environmental and medical/health cases and is therefore sufficient to confer standing. However, where the plaintiff alleges nothing more than the fear of potential identity theft or fraud in the future and the cost of monitoring services for harm that may occur, but has not yet occurred, the required common-law element of damages will likely be found lacking.

The mere fact that a plaintiff’s personal information may have fallen into the hands of a third party is not a cognizable injury in itself; rather, the injury occurs when the compromised data is actually misused by the third party to the plaintiff’s detriment. Even then, a plaintiff may not establish damages if, for example, a bank reimburses the plaintiff for any loss. See id. And even if the plaintiff’s personal data was used illegally and he or she suffered a loss, it is likely that the plaintiff must also show that the loss was a proximate result of the particular breach of data held by the defendant, and not of some other cause. See id.

Each case concerning a database breach is obviously decided on its individual facts and the law of the particular jurisdiction. Some states may have applicable statutes that do not require the same compensable injury required under the common law. In some limited circumstances, a plaintiff may recover any fees paid to the defendant to maintain the confidentiality of his or her personal information. In the end, however, plaintiffs must overcome not only the hurdle presented by Article III standing but also the fact that database litigation is often based in either contract or tort theories, each of which requires damages as an element of the claim.

Keywords: litigation, class actions, derivative suits, database breaches, standing, damages

Copyright © 2011, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).