A Federal Court Dismisses a Suit Based on a Threat of Identity Theft and an Extortion Letter
By ANITA RAMASASTRY
|Wednesday, January 27, 2010|
In recent memory, a significant number of companies have had their servers hacked or their employees' laptops stolen -- and, as a result, large sets of employee or customer data have been compromised. Faced with public alarm over the situation, legislators, lawyers, and courts have worked hard to find solutions and to determine, when breaches do occur, who should bear the associated costs.
Businesses have also started offering certain remedies to their customers – both to preempt lawsuits and to try to mitigate the harms caused by breaches. Such remedies include free credit-report monitoring for a certain period of time. (Customers may be offered the chance to access their credit reports for free, or the company may pay to have a service monitor their reports.)
Yet not all companies offer these remedies, and not all consumers are satisfied with them. Some have sued the companies for negligence when a breach occurs, contending that their data should have been better safeguarded.
Moreover, among those who have sued, some have done so even before any actual identity theft has occurred. Are such suits viable? In this column, I'll examine why one federal court recently said no, and comment on the general trend of the analysis of courts that have faced similar issues.
A Novel Case Based on an Extortionist's Threat to Use Consumer Data
Typically, judges do not see the risk of identity theft as the kind of injury on which a suit can be predicated. When a hacker breaks into a company's network and steals customer data, it may or may not lead to identity theft and information travels quickly. Social Security numbers may be compromised in Seattle only to be used to commit some sort of identity theft in Miami months later, or to be posted on a website where people from around the globe can access them.
Moreover, even if identity theft does occur, courts have required that it must be connected to a particular data breach before suit can be brought. A consumer would have to show that indent theft was directly linked to a particular breach. And this is nearly impossible for most people. In some rare instances, the connection between a breach and a customer's harm can be established, as in the case when Nigerian fraudsters posed as business subscribers to access Choicepoint's customer database in order to steal and exploit sensitive consumer information.
However, a recent data-breach case posed a novel angle on this type of problem, raising an interesting question: What happens when a company that has been subject to a breach receives an anonymous letter from someone who claims to have access to the stolen data and who states that, unless there is a payoff, he or she will use the data to commit large-scale identify theft? Such a situation is more serious than a data breach alone, but less serious than a data breach combined with fully-realized identity theft.
Of course, under the criminal law, the letter's demand is extortion, and its victim is the company. But is there also a civil remedy that consumers whose data is compromised can invoke in such a situation?
That was the question posed in Amburgy v. Express Scripts. Last month, a Missouri federal court hearing the case held that even such a threat is not enough to form the kind of injury that gives a consumer standing to sue the company for negligence.
The suit, a consumer class action, had been filed in 2009. The defendant -- the company that had received the extortionist's letter and that had previously suffered a data breach -- was Express Scripts, which provides prescription-management services for employee benefit plans. The complaint alleged that the company breached its duty to maintain adequate security measures, and that this failure resulted in the data breach where millions of customer records were compromised. As a result, it alleged, plan members had been exposed to an increased risk of becoming victims of identity theft crimes, as well as fraud and extortion. The plaintiffs sought damages for emotional distress resulting from the fear of future identity theft. They also sought damages for costs incurred by plan members who had incurred costs for credit monitoring to prevent such losses. The suit claimed that the company's actions constituted negligence and breach of contract, and that these actions had also violated state consumer statutes.
The letter that the extortionist had sent included details on 75 Express Scripts members, including their names, dates of birth, Social Security numbers and confidential prescription data. The lawsuit's named plaintiff, Mr. Amburgy, was not among the 75, nor did he allege that his own personal information had been breached; he only alleged that such a breach was possible in the future. But he did claim that he and his fellow putative class members feared an "increased risk of future injury" following the extortion threat.
The Court's Holding: The Named Plaintiff Lacked Standing to Sue
In rejecting the claim, the court invoked the law of standing – that is, the body of law that examines whether a would-be plaintiff has suffered the type of injury that the court deems a valid basis on which to ground a lawsuit. The Amburgy court found that the injury at issue was not sufficiently concrete to be the basis to sue for a negligence claim, and strongly suggested that this problem would doom the plaintiff's contract claims as well.
Standing requires "injury in fact" and the court held that a possibility of injury is did not meet the standard. The court reasoned as follows:
"For plaintiff to suffer the injury and harm he alleges here, many 'if's' would have to come to pass. Assuming plaintiff's allegation of security breach to be true, plaintiff alleges that he would be injured 'if' his personal information was compromised, and 'if' such information was obtained by an unauthorized third party, and 'if' his identity was stolen, and 'if' the use of his stolen identity caused him harm."
These multiple "ifs," the court held, "squarely place plaintiff's claimed injury in the realm of the hypothetical."
Did the Court Get it Right?
The court in Amburgy did note that some recent judicial decisions had reached a contrary conclusion -- holding that an increased risk of identity theft was itself enough to confer standing. Notable among these are the U.S. Court of Appeals for the Seventh Circuit's 2007 decision in Pisciotta v. Old Nat'l Bankcorp., and the U.S. District Courts' decisions in the Hannaford Bros. and People's United Bank class actions. The distinction the Amburgy court may be making, is that Amburgy's personal data was not ever reported as compromised – hence, his claims were more speculative than those of consumers who at least knew that their data had been released to unknown third parties. What's more, in many of the court decisions holding that an allegation of increased risk of identity theft is sufficient to confer standing, the court also held that such an allegation was not sufficient to state a claim for damages -- and therefore dismissed the cases on this separate ground. The bottom line, then, is that such claims are apt to be losers in court, one way or another.
Readers may wonder, Why didn't the extortion letter make a difference in the Amburgy v. Express Scripts case? After all, didn't the letter substantially strengthen the risk that a breach would occur?
Perhaps – but there are some caveats. First, it is unclear whether the extortionist was really in possession of huge volumes of data – or just had the information of the 75 people he mentioned. If he had more data, why didn't he prove that somehow in the letter? Second, recall that the named plaintiff was not among those 75 people, making it unclear whether his risk was as high as theirs.
Finally, the courts that have rejected "identity theft risk" cases may feel that the courts should not be the only -- and may not be the best -- place for developing new risk- mitigation principles and tools. Congress may be the best place to develop a unified solution for a problem with the potential to cross state lines (in the case of a company serving consumers in multiple states). And regardless of what Congress and the courts may do, companies are well-advised to protect their reputations and data by using excellent security measures and following up with credit monitoring if a breach still occurs. If government and industry respond effectively, it is possible the courts need not get involved, especially in cases where the harm of identity theft has not yet occurred.
Ramasastry is currently on leave from the University to work for the federal government. The views expressed in this column aresolely those of Ramasastry in her personal capacity anddo not necessarily represent the views of any of her employers, past or present.