Ninth Circuit Partially Reverses Motion for Summary Judgment on Issue of Damages in Data Breach Case
By David Navetta
One of the biggest obstacles for consumer plaintiffs in personal data breach lawsuits has been establishing the "damages" element for a negligence claim. Several courts have dismissed such suits, ruling that plaintiffs could not provide sufficient evidence that they suffered an injury as the result of a data breach. Ironically, one of the landmark cases against establishing damages, Stollenwerk v. Tri-West Health Care Alliance, may give plaintiffs' attorneys some additional ammunition.
The United States Court of Appeals for the Ninth Circuit ("Appellate Court") recently ruled on the Stollenwerk appeal and provided the plaintiffs with a partial victory on the issue of proving damages that could clarify the liability landscape for data breach lawsuits. The ruling may allow more data breach suits involving victims of actual identity theft to get in front of a jury and achieve more favorable settlements.
Stollenwerk Background & District Court's Ruling
In December 2002, Tri-West Healthcare Alliance ("Tri-West"), a contractor managing a large government health insurance program, suffered a burglary that resulted in the theft of computer hard drives containing the personal information of the program's members. Three individuals brought a class action lawsuit against Tri-West in the U.S. District Court of Arizona ("District Court") alleging numerous claims, including common law negligence. One of the plaintiffs, William Brandt, alleged that unknown individuals used his personal information after the burglary to open or attempt to open unauthorized credit accounts in his name. The two other plaintiffs, Michael Stollenwerk and Andrea DeGatica, while not alleging they suffered identity theft, did allege that they needed to purchase credit monitoring services and identity theft insurance to prevent potential future identity theft.
In its September 2005 opinion, the District Court dismissed all of the plaintiffs' claims on the grounds that they could not establish that they suffered any injury as a result of the Tri-West data breach. Stollenwerk and DeGatica attempted to analogize financial credit monitoring expenses to medical monitoring expenses in "toxic tort" cases (e.g., asbestos lawsuits where otherwise healthy individuals exposed to asbestos paid doctors to monitor their health prior to any adverse effects manifesting). The District Court indicated that enhanced risk of future injury is generally insufficient to establish a negligence claim, but in the case of toxic tort lawsuits an exception was justified because of the importance of preserving public health. In addition, since the plaintiffs could not establish that the target of the burglary was their personal information (as opposed to the physical hard drives themselves), the court ruled that Stollenwerk and DeGatica failed to provide evidence that such information was significantly exposed, or that they were at significantly increased risk of suffering identity fraud.
The District Court also dismissed Brandt's negligence claim. Although the plaintiff suffered identity theft on several occasions six weeks after the burglary, the Court held that the circumstantial timing of the burglary and identity theft was insufficient evidence that the burglary was the cause of such theft.
The Appellate Court's Decision
In November 2007, the Appellate Court reversed the District Court's decision concerning Brandt, but upheld the lower court's ruling on Stollenwerk and DeGatica.
Stollenwerk and DeGatica
With respect to Stollenwerk and DeGatica, the 9th Circuit agreed that the analogy to toxic tort cases was not justified because credit monitoring does not directly involve health and human safety. However, the court did not reject the analogy entirely, noting that: "In both circumstances the individual may manifest more obvious injury, such as identity fraud or disease, after some period of time, and in neither instance is the later manifestation of patent injury guaranteed, although the certainty with which such a development may be anticipated may be greater for toxic torts."
The Appellate Court also noted that under the facts of this case, even if the toxic tort analogy were apt, Stollenwerk and DeGatica had not established the requisite elements to support their claim, including:
- Significant exposure of sensitive personal information;
- A significantly increased risk of identity fraud as a result of that exposure; and,
- The necessity and effectiveness of credit monitoring in detecting, treating and/or preventing identity fraud.
The Court held that the plaintiffs did not provide sufficient evidence that their personal data was targeted or accessed. Moreover, the Court indicated that the plaintiffs' expert failed to objectively quantify the reduction of risk that would result from credit monitoring.
The Appellate Court's opinion was much more forgiving for Brandt. In this case, the plaintiff allegedly was the victim of identity theft on six occasions after the burglary of Tri-West's hard drives. The Court did not make a distinction between "attempts" to open accounts and successful account openings — the Court appeared to conclude that both constituted identity theft. Significantly, the Court's opinion appears to simply accept that "identity theft" constitutes an injury, and instead focused on whether Brandt established that the burglary was the proximate cause of the identity theft.
On the issue of causation, to survive a motion for summary judgment, the plaintiff needed to provide evidence from which a reasonable jury could conclude that Brandt's injuries were the result of the burglary rather than other causes. Direct or circumstantial evidence is permitted, but this plaintiff was only able to offer circumstantial evidence, including:
- Possession: The ID Theft Plaintiff provided Tri-West with his information
- Type of Information: The personal information stored on the Tri-West hard drives is the type of information that can be used to open credit card accounts
- Timing — Identity Theft Incidents: The six alleged identity theft incidents all occurred after the burglary, and the first began about six weeks after the burglary (the last happened about 3–4 months after the burglary)
- Timing — Prior Incidents: The plaintiff had never suffered identity theft prior to the burglary (despite having his wallet stolen five years earlier)
- Limited Opportunities for Other Causes: The plaintiff testified that he had never transmitted his personal information over the Internet and that he shreds all mail in the form of credit card applications, approvals and pre-approvals.
The 9th Circuit ruled that this circumstantial evidence on the issue of causation was sufficient for purposes of summary judgment and reversed the District Court's grant of summary judgment to the Defendants.
The Stollenwerk decision is largely a mixed bag for both plaintiffs and defendants. The 9th Circuit's decision is good for defendants because it largely validates that the purchase of credit monitoring services or insurance to decrease the likelihood of potential future identity theft is not sufficient to establish damages for purposes of a negligence lawsuit. This ruling most likely decreases the risk of successful class action lawsuits involving massive numbers of plaintiffs whose personal information is exposed in a data breach. However, because its decision was based mainly on public policy grounds, and because it noted some similarities between toxic tort injuries and data breach injuries, the Court appeared to leave the door open a little for plaintiffs to make the toxic tort analogy in other jurisdictions.
The Court's ruling was favorable for plaintiffs that actually suffer identity theft after a data breach situation. The Court was lenient in its acceptance of purely circumstantial evidence — most of the evidence provided was very loosely tied to the actual burglary. As a result of this ruling, plaintiffs that were or are the victims of identity theft will have a better chance to get their case in front of a jury in the 9th Circuit, which increases both the likelihood of success in litigation and the leverage plaintiffs will have to force a settlement. On the flip side, since it appears that most data breaches never actually result in identity theft (see GAO Report, June 2007), plaintiffs' lawyers may find it difficult to establish large classes that make these suits financially attractive to pursue. In all, this decision and other cases dismissing data breach cases seem to indicate that successful and severe consumer litigation (e.g., large successful class action suits) is still elusive for the plaintiffs' bar.
David Navetta operates InfoSecCompliance, LLC, a law firm providing services related to information security and privacy contract drafting, policy drafting, risk management and regulatory compliance. He previously worked as assistant general counsel for AIG's eBusiness Risk Solutions Group analyzing information security risks and drafting policies to cover such risks. Mr. Navetta serves as a Co-Vice Chairman of the ABA's Information Security Committee and Founder of the Facebook Information Security and Privacy Law Group. His blog is located at www.infoseccompliance.blogspot.com and he can be reached at 303-325-3528.