Technology Law Update Newsletter


Ninth Circuit Upholds (Mostly) Dismissal of Data Breach Damages Case

The Ninth Circuit Court of Appeals has quietly (i.e., in an unpublished opinion) disposed of the appeal in Stollenwerk v. Tri-West Health Care Alliance, one of the handful of cases in which there is an opinion on the subject of damages arising from a breach of data security. The non-precedential opinion, applying Arizona law, largely upholds the lower court's "no harm, no foul" approach to assessing damages for a theft of personal information. (The lower court opinion is also unpublished.)

The result in Stollenwerk is consistent with a number of similar recent cases involving claims arising from a data security breach. Just a few weeks earlier, in Ponder v. Pfizer, Inc., No. 07-466 (M.D. La. Nov. 7, 2007), the district court dismissed the complaint in a putative class action arising from a laptop theft, on the ground that a claim of exposure of personal data as a result of a data theft is not cognizable under Louisiana law, in the absence of an allegation that the data was actually used in an incident of identity theft. The Ponder v. Pfizer court relied in turn on the decision of the Seventh Circuit Court of Appeals in Pisciotta v. Old Nat’l Bancorp., 2007 WL2389770 (7th Cir. Aug. 23, 2007), ruling similarly with respect to Indiana law.

In Stollenwerk, three plaintiffs brought suit against Tri-West, a health claims processor for the federal government. Tri-West's corporate offices were burglarized and computer equipment was stolen, including hard drives containing the plaintiffs' personal data, i.e., names, addresses and social security numbers. The plaintiffs alleged, among other legal claims dismissed by the district court, that the theft of their personal data was caused by Tri-West's negligent failure to secure their personal information.

Two of the plaintiffs did not allege that they had suffered any incidents of identity theft following the burglary, but sought to recover the cost of "enhanced" credit-monitoring services. However, the third plaintiff, Brandt, alleged that following the burglary, he experienced six incidents of identity theft, and he claimed damages with respect to those incidents.

The claims of all three plaintiffs were dismissed by the district court, which analogized the case to those involving lawsuits for the cost of future medical surveillance resulting from exposure to harmful substances. The district court found that the two plaintiffs who did not suffer any actual incidents of identity theft had failed to show either that their personal data was actually "exposed" to the thieves, or that their risk of identity theft was significantly increased as a result of the theft of the computer hardware. Brandt's claim was dismissed on the ground that he had shown insufficient causal connection between the burglary and the identity theft incidents that he suffered.

The Court of Appeals agreed with the lower court's result as to the two plaintiffs who had not suffered actual incidents of identity theft, but disagreed with the result as to Brandt. The Court of Appeals did accept the analogy drawn by the lower court to medical monitoring cases:

Under the medical monitoring cases, individuals who have been exposed to potentially harmful substances but have no presently detectable illnesses may recover the costs of future medical surveillance by showing “through reliable expert testimony,” (1) the “significance and extent of exposure,” (2) the “toxicity of [the contaminant], [and] the seriousness of the [harm] . . . for which the individuals are at risk,” and (3) the “relative increase in the chance of . . . [the harm] in those exposed,” such that (4) “monitor[ing] the effects of exposure . . . is reasonable and necessary.” *** Even if one applies a similar standard to determine the availability of damages for the cost of credit monitoring in instances of exposure of personal information, Stollenwerk and DeGatica fail to produce sufficient evidence to overcome summary judgment as to all elements of such a claim. (citations omitted)

On the first element, the appeals court reasoned that proof of the theft of hardware alone does not constitute proof of exposure of personal information to the risk of identity theft:

Stollenwerk and DeGatica have offered no evidence the thieves had any interest in their personal information, rather than just the hardware. *** Here the thieves could use the information only by taking further steps after stealing the servers, and the risk they would do so, given the nature of the theft, was low.

On the second element, the appeals court ruled that the two plaintiffs had failed to show that "enhanced" credit monitoring services were required, given the free credit monitoring services available through credit reporting agencies.

The Court of Appeals reversed and remanded with respect to Brandt's claim, finding that the showing as to the six incidents of identity theft following the burglary was sufficient for a jury to infer a causal connection to the burglary:

The primary additional evidence of proximate causation Brandt produced was his testimony that (1) he gave Tri-West his personal information; (2) the identity fraud incidents began six weeks after the hard drives containing Tri-West’s customers’ personal information were stolen; and (3) he previously had not suffered any such incidents of identity theft. Of course, purely temporal connections are often insufficient to establish causation. See, e.g., Choe v. INS, 11 F.3d 925, 938 (9th Cir. 1993). Here, however, proximate cause is supported not only by the temporal, but also by the logical, relationship between the two events. *** As a matter of twenty-first century common knowledge, just as certain exposures can lead to certain diseases, the theft of a computer hard drive certainly can result in an attempt by a thief to access the contents for purposes of identity fraud, and such an attempt can succeed.

Arguably, there is a slight disconnect between the ruling with respect to the two plaintiffs, that they showed no proof that the thieves were interested in anything other than the hardware, and the ruling on Brandt's claim, where he showed evidence from which the jury would be permitted to infer that the same thieves in fact accessed the data. Perhaps that point will be explored in future cases in which at least one of the plaintiffs in a data security breach incident is able to show some evidence of an actual identity theft that resulted from the breach.


Comments

Jeff: The six incidents of identity theft against Brandt should have left a rich body of digital clues and records for further investigation into the question whether the burglary caused the ID theft. For example, did the identity thefts have any connection to the geographic area where the burglary occurred? Did the identity thefts involve only the personal data obtained through the burglary? Was any element of data used in the thefts particularly tied to the data Tri-West held on Brandt? I'll bet there are multiple unexplored avenues of investigation available for determining whether Brandt's misfortune came as a consequence of the burglary. http://hack-igations.blogspot.com/2007/09/endless-investigations.html


Richard Raysman


  • Richard Raysman concentrates on computer law, outsourcing, and intellectual property issues. He co-authors the monthly Computer Law column in the New York Law Journal, and he is a co-author of "Computer Law: Drafting and Negotiating Forms and Agreements" (Law Journal Press).

Edward A. Pisacreta


  • Edward Pisacreta has concentrated his practice in e-commerce, information technology, and related intellectual property issues for over 20 years. He is a co-author of Intellectual Property Licensing: Forms and Analysis (Law Journal Press).

Frank A. Pugliese


  • Frank A. Pugliese concentrates on technology transactions involving software and hardware licensing, outsourcing, computer systems, e-commerce, emerging technologies and computer law. Skilled at counseling clients on a broad range of technology related matters, he has substantial experience in negotiating and drafting complex hardware, software, licensing, e-commerce and outsourcing agreements.