McLoughlin v. People's United Bank: No Claim for Future Identity Theft Losses where Plaintiffs Were Unable to Claim that Data Lost in a Breach Was Misused
Data security law: There is no question that it is a trend. In the latest in the never-to-be ended series of data breach cases, a Connecticut District Court held that a plaintiff may not maintain a claim for damages after a data breach merely based on a fear of future identity theft losses.
The case is McLoughlin v. People's United Bank, Inc., District of Connecticut, No. 3:08-cv-00944. People's United Bank had a contract with co-defendant BNY Mellon to handle People's customer information, including its customers' names, addresses, Social Security numbers and bank account information. In February 2008, a metal box containing six to ten unencrypted backup tapes of People's customer data was lost or stolen from a courier truck. The truck had a broken lock and was left unattended during the transport.
About two months after the breach, Peoples and BNY Mellon began informing customers of the loss of the unencrypted back-up tapes. BNY Mellon ultimately offered affected customers two years of free credit monitoring, $25,000 in identity theft insurance and free credit freezes. The plaintiffs eventually brought the present case -- a class action against People and BNY Mellon.
After removal to Federal court, the defendants moved to dismiss for lack of standing, arguing that the plaintiffs had pleaded no actual damages.
Citing U.S. Supreme Court precedent in Friends of the Earth, Inc. v. Laidlaw Envtl. Servs., 528 U.S. 167, 180 (2000), the District Court stated that "to satisfy Article III's standing requirements, a plaintiff must show (1) it has suffered 'injury in fact', that is (a) concrete and particularized, and (b) actual and imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision."
To be cognizable, actual damages may flow directly from the defendants' act, or may flow indirectly, in the form of costs spent to remedy the harm. For example, in a case brought against a bank for giving faulty tax advice, actual harm was held to include the "costly and time-consuming step" the plaintiffs had taken "to rectify errors in their past or future tax filings" and the fees they paid for advice. Denny v. Deutsche Bank AG, 443 F.3d 253, 264 (2nd Cir. 2006). Under Second Circuit precedent, "injury in fact" may also be based on "the fear or injury of future harm." Id.
Here, the plaintiffs' claims for damages were not based on direct losses or indirect payments of fees or expenses, but solely on their fear of future losses from identity theft. However, while fear of identity theft been held sufficient to confer standing, it has also been held to be insufficient to satisfy the "actual damages" elements of state tort claims. For example, in Caudle v. Towers, Perrin, Forster & Crosby, Inc., 580 F.Supp.2d 273 (S.D.N.Y. 2008), the court found that an employee had alleged sufficiently alleged injury-in-fact for standing purposes when his laptop was stolen from his employer, but could not sustain a claim for negligence or breach of fiduciary duty. See also Ruiz v. Gap, Inc., 540 F.Supp.2d 1121 (N.D.Call 2009) (standing but no quantifiable damages where thief broke into data processor's office, stealing laptops containing unencrypted personal data).
Following these precedents, the Court in McLoughlin found that the plaintiffs had pled an injury-in-fact sufficient to comply with Federal standing requirements. However, also following these precedent, the Court found that the plaintiff had not alleged damages sufficient to state a claim under Connecticut law which controlled here.
The plaintiffs had asked for relief under the Connecticut Unfair Trade Practices Act (CUPTA), negligence and breach of fiduciary duty theories. Under CUPTA, a plaintiff must demonstrate that she has suffered an "ascertainable loss of money or property. . ." Finding no Connecticut cases on whether "increased risk of identify theft" represents an ascertainable loss, the Court turned to the recent Maine identity theft case, In re Hannaford Bros. Co. Customer Data Security Breach Litigation, 631 F.Supp.2d 108 (D. Me. 2009) (see our blog entry of June 17, 2009). Interpreting a similar statute, the court in that case ruled that there was no loss where there was only a "risk of injury and no actual misuse of stolen data."
On their negligence and breach of fiduciary duty theories, following New York precedent, the Court ruled that a plaintiff would be required to show a "rational basis" for its fear that its stolen data would be misused. Here, while the plaintiffs' data had been stolen, there was no evidence that it would be misused. The Court reasoned that "the tapes could have been inadvertently discarded or destroyed, or they could be collecting dust in some forgotten warehouse. It is only through speculation that one concludes that they are in the possession of an individual who is driven to maliciously mine the tapes for the personal data they contain." "Accordingly," the Court held, "this is not a 'risk of injury' but rather speculation as to a possible risk of injury."
Based this analysis, the Court granted the defendants' motion to dismiss and closed the case.
It is always worthwhile comparing the results in fear of future identity theft cases to the results in the seminal fear of cancer case, Potter v. Firestone Tire & Rubber Co., 863 P.2d 795 (Cal. 1993). In Potter, landowners who lived next to a landfill brought an action seeking fear of cancer damages from a tire manufacturer whose hazardous wastes were disposed in the landfill. At the time of the suit, none of the four plaintiffs currently suffered from cancer, but each faced an enhanced but unquantifiable risk of developing cancer in the future from his exposure. In Potter, the California Supreme Court held that a plaintiff could recover fear of cancer damages after an exposure to a carcinogen. However, it also held that "in the absence of a present physical injury or illness, damages for fear of cancer may be recovered only if the plaintiff pleads and proves . . . that . . the plaintiff's fear stems from a knowledge, corroborated by reliable medical or scientific opinion, that it is more likely than not that the plaintiff will develop cancer in the future due to the toxic exposure." Id. at 817.
Causation in toxic tort cases is always murkier than in theft cases. Perhaps this is why the Potter standard is stricter than that suggested by the Court here for data breach cases. For data breach cases, the McLoughlin court indicates that a plaintiff could recover fear of identify theft damages if he can simply show that his data had been misused -- i.e., that an identity theft had actually occurred. Under the Potter standard, the plaintiff would have to show that such misuse/theft would more likely than not lead to actual losses.
Recovering damages without proof of actual losses in data breach cases is an uphill battle. However, where actual data losses have occurred, such as in the TJX case, losses can be massive.
David D. Johnson is a business lawyer whose practice focuses on litigation and other issues relating to digital media and consumer electronics companies. David can be contacted at (310) 785-5371 or DJohnson@jmbm.com.
