For the last several years, we have seen courts consistently (although with some exceptions) dismissing consumer data security breach claims where the consumers were not able to allege actual damages beyond the costs of credit monitoring and emotional distress. See Ponder v. Pfizer, Inc., No. 07-466 (M.D. La. Nov. 7, 2007); Pisciotta v. Old Nat’l Bancorp., 2007 WL2389770 (7th Cir. Aug. 23, 2007).
A recent reversal in one of these cases by the Ninth Circuit demonstrates the other side of the coin. In Stollenwerk v. Tri-West Health Care Alliance, the Ninth Circuit Court of Appeals, applying Arizona law, largely upheld the lower court’s "no harm, no foul" approach to assessing damages for a theft of personal information. However, for one of the three plaintiffs, the court reversed and remanded the claim plaintiff’s claim.
In Stollenwerk, three plaintiffs brought suit against Tri-West, a health claims processor for the federal government. Tri-West’s corporate offices were burglarized and computer equipment was stolen, including hard drives containing the plaintiffs’ personal data, i.e., names, addresses and social security numbers. The plaintiffs alleged, among other legal claims dismissed by the district court, that the theft of their personal data was caused by Tri-West’s negligent failure to secure their personal information.
Two of the plaintiffs did not allege that they had suffered any incidents of identity theft following the burglary, but sought to recover the cost of "enhanced" credit-monitoring services. However, the third plaintiff, Brandt, alleged that following the burglary, he experienced six incidents of identity theft, and he claimed damages with respect to those incidents.
The claims of all three plaintiffs were dismissed by the district court. The district court found that the two plaintiffs who did not suffer any actual incidents of identity theft had failed to show either that their personal data was actually "exposed" to the thieves, or that their risk of identity theft was significantly increased as a result of the theft of the computer hardware. Brandt’s claim was dismissed on the ground that he had shown insufficient causal connection between the burglary and the identity theft incidents that he suffered.
The Court of Appeals agreed with the lower court’s result as to the two plaintiffs who had not suffered actual incidents of identity theft, but disagreed with the result as to Brandt. The court reversed and remanded with respect to Brandt’s claim, finding that the showing as to the six incidents of identity theft following the burglary were sufficient for a jury to infer a causal connection to the burglary:
“The primary additional evidence of proximate causation Brandt produced was his testimony that (1) he gave Tri-West his personal information; (2) the identity fraud incidents began six weeks after the hard drives containing Tri-West’s customers’ personal information were stolen; and (3) he previously had not suffered any such incidents of identity theft. Of course, purely temporal connections are often insufficient to establish causation. See, e.g., Choe v. INS, 11 F.3d 925, 938 (9th Cir. 1993). Here, however, proximate cause is supported not only by the temporal, but also by the logical, relationship between the two events. *** As a matter of twenty-first century common knowledge, just as certain exposures can lead to certain diseases, the theft of a computer hard drive certainly can result in an attempt by a thief to access the contents for purposes of identity fraud, and such an attempt can succeed.”
An interesting impact of the court’s reversal of the third plaintiff’s claim is the potential impact it may have on the claims made by the other two plaintiffs (which were dismissed). If the court accepted the evidence that the third plaintiff’s ID theft was related to the stolen hard drives, then doesn’t it follow that the other two plaintiffs (whose personal information was stolen in the same theft) would also be at risk? And does this serve to undercut the court’s rationale that, for the first two plaintiffs, there was insufficient evidence that the thieves were interested in anything but the equipment itself?
For a more indepth article about this case, see Jeff Neuburger’s Technology Law Update blog post "Ninth Circuit Upholds (Mostly) Dismissal of Data Breach Damages Case"