Privacy Advisor

Recent Ruling Could Prove Costly for Hacked Businesses

April 1, 2013

By Henry R. Chalmers

A recent ruling by the U. S. Court of Appeals for the Eleventh Circuit may make it easier for class-action plaintiffs to survive early motions to dismiss their data breach claims, thereby substantially expanding the costs of litigation and the risk of sizeable judgments against businesses that experience data breaches.

The Eleventh Circuit’s decision in Resnick v. AvMed, Inc. is a departure from most other court rulings in data breach lawsuits. The trend in courts has been to dismiss such lawsuits unless the plaintiffs can show the data breach led to identity theft and injury to the plaintiffs.

The Eleventh Circuit cited three key factors that were persuasive in ruling for the plaintiffs: The plaintiffs had never experienced identity theft prior to the data breach; they had taken “substantial precautions” to safeguard their personally identifiable information (PII), and the sensitive information on the stolen computers was the same type of sensitive information used in the identity theft.

Hackers can be overseas or within your own company. A laptop with unencrypted credit card information left behind by an absent-minded manager can lead to sensitive information being compromised. One thing is certain: Data breaches are on the rise and show no signs of abating.

Let’s take a closer look at Resnick v. AvMed and other cases to fully understand how the ruling could prove to be a costly game changer for companies.

In the Resnick case, 693 F.3d 1317 (11th Cir. Sept 5, 2012), thieves stole two laptops from an AvMed office in Gainesville, FL, containing the names, addresses, phone numbers and Social Security numbers of 1.2 million AvMed customers. They then sold the laptops to a known trafficker in stolen property.

Ten months after the breach, a bank account was opened and credit cards were issued in the name of one AvMed customer. Four months later, an E*Trade account was opened in the name of another AvMed customer. Unauthorized transactions were made from both accounts. The two customers sued AvMed on behalf of a putative class of customers whose PII was on the stolen laptops and a subclass of those customers whose identities were later stolen.

AvMed quickly filed a motion to dismiss in the U.S. District Court for the Northern District of Florida, arguing that the plaintiffs had failed to allege sufficient facts to tie their injuries to the prior data breach. The district court agreed and dismissed the lawsuit.

The ruling was consistent with trends elsewhere in the country. To avoid dismissal, a court must find that the plaintiffs have stated a claim upon which relief can be granted. When confronted with data breach lawsuits, courts uniformly require that the data breach lead to actual identity theft--that is, that someone uses the pilfered information in a fraudulent transaction--before the courts will find a cognizable injury.

In the case of Holmes v. Countrywide Financial Corp., for example, a Countrywide employee stole and then sold PII of 2.4 million Countrywide loan customers. Countrywide offered each affected loan customer two years of free credit monitoring, but the heightened risk of future identity theft prompted some customers to purchase their own credit-monitoring services.

The trial court, however, found that “scant evidence exists demonstrating that (the thieves) misused the customers’ information or engaged in any kind of financial fraud.” Thus, the court dismissed the plaintiffs’ claims for failure to state a claim upon which relief could be granted.

As another court explained, “An increased risk of [future] identity theft, even accompanied by credit-monitoring costs, does not constitute present injury,” Worix v. MedAssets, Inc.

What does it take, then, to survive a motion to dismiss? A recent decision of the U.S. Court of Appeals for the First Circuit is instructive. In Anderson v. Hannaford Bros. Co., hackers stole 4.2 million credit and debit card numbers and security codes from a Maine grocery chain. The defendant acknowledged that more than 1,800 incidents of identity theft resulted from the breach. Many victims had to pay to cancel their cards or purchase credit-monitoring services. Others were hit with unauthorized charges.

The First Circuit found this set of facts sufficient to allege a cognizable claim and reversed the trial court’s dismissal. This case is somewhat of an outlier, however, due perhaps to the unusually large number of identity thefts, as well as the defendant’s apparent concession that the identity thefts resulted from the data breach.

Because of prior rulings, many expected the U.S. Court of Appeals for the Eleventh Circuit to affirm the district court’s dismissal of the Resnick plaintiffs’ class-action lawsuit. But that’s not what happened. The Eleventh Circuit reversed the trial court on most counts and allowed the lawsuit to go forward.

The court noted that, generally, “to prove that a data breach caused identity theft, the pleadings must include allegations of a nexus between the two instances beyond [mere] allegations of time and sequence.” Thus, the fact that the identity thefts occurred relatively close in time and after the data was allegedly misappropriated is not sufficient to state a claim.

But in Resnick the plaintiffs also alleged that they had never experienced identity theft prior to the data breach and that they had taken “substantial precautions” to safeguard their PII. They further alleged that “the sensitive information on the stolen laptop was the same sensitive information used to steal plaintiffs’ identity.”

This was enough to convince a two-judge majority of the appellate court that the plaintiffs had alleged a sufficient nexus to state a viable claim. The third judge dissented. “Although it is conceivable that the unknown identity thieves used the sensitive information stolen from AvMed to open the fraudulent accounts,” the dissent opined, “it is equally conceivable, in the light of the facts alleged in the complaint, that the unknown identity thieves obtained the information from third parties.” Thus, according to the dissent, the plaintiffs failed to nudge their claims “across the line from conceivable to plausible.”

As the Resnick case wends its way through litigation, the question that must be asked is, will other courts follow the Eleventh Circuit’s lead and let data breach class-action claims survive based on little more than the absence of previous thefts of the plaintiffs’ identities and a similarity between the PII accessed in the breach and the PII used in the identity thefts? Or will they continue to require a stronger nexus between the breach and the thefts?

Millions of dollars of legal costs and billions of dollars of potential liability may hang in the balance.

Henry R. Chalmers is an attorney in Atlanta, Georgia, with the law firm Arnall Golden Gregory LLP. Chalmers chairs the firm’s business litigation team and is a member of its privacy and data breach teams. This article is adapted from his article, “Data Breach Caseload: About to Blow?” from the Winter 2013 issue of ABA Litigation News.