Amburgy v. Express Scripts: Why a Missouri Court Held that an Increased Risk of Identity Theft Is Insufficient to Confer Standing in a Data Breach Case
Digital media law update: In a twist on an old story, a judge in the Eastern District of Missouri has dismissed a data breach class action because the named plaintiff was unable to plead that he had suffered any injury other than an increased risk of identify theft. This case is somewhat unique, because the Court dismissed the case on standing grounds, even though it found that the lead plaintiff had pled sufficient facts for a breach of contract action. This result is at odds with many recent cases which tend to find that an increased risk of identity theft is sufficient to confer standing.
Express Scripts provides prescription management services for employee benefit plans. In October 2008, Express Scripts received an anonymous letter demanding money. The letter writer claimed that it had obtained critical personal identifying information for millions of Express scripts members and threatened to reveal this information if Express Scripts didn't pay up. The letter included details on 75 Express Scripts members, including names, dates of birth, Social Security numbers and prescription data.
In 2009, lead plaintiff John Amburgy filed a consumer class action against Express Scripts. Amburgy alleged that Express Scripts had failed to maintain adequate security measures and that this had led to the data breach. Amburg claimed that as a result of Express Scripts' breach of duty, Amburgy and other plan members had been exposed to "increased risk of becoming victims of identity theft crimes, fraud, abuse and extortion." Amburgy did not allege that he and other class members had actually suffered identity theft losses, but merely that they had incurred costs for credit monitoring to prevent such losses. The complaint sought damages from Express Scripts under negligence, breach of contract, and state consumer statute theories.
The Court rejected these claims on "standing" grounds. According to U.S. Supreme Court precedent, to have standing to bring a case before a federal court, a plaintiff must show that he has suffered "injury-in-fact." Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992). This can be either an injury he has already sustained or is in immediate danger of sustaining.
Here, the Court held that the named plaintiff, Amburgy, did not meet this standard. The main problem was that he was unable to allege that his own information had ever been stolen, but only claimed that it was "possible" that this had occurred. Apparently, he was not one of the 75 members identified by the extortioners. He was also unable to allege that an actual theft of his personal information would "cause him damages either presently or in the future."
The Court held that a possibility of injury is not the same as an "injury-in-fact." The Court stated:
"For plaintiff to suffer the injury and harm he alleges here, many "if's" would have to come to pass. Assuming plaintiff's allegation of security breach to be true, plaintiff alleges that he would be injured "if" his personal information was compromised, and "if" such information was obtained by an unauthorized third party, and "if" his identity was stolen, and "if" the use of his stolen identity caused him harm." These multiple "ifs" squarely place plaintiff's claimed injury in the realm of the hypothetical."
The Court recognized that its conclusion was at odds with recent decisions which have found that a plaintiff's allegation of increased risk of identity theft is sufficient to confer standing. Notable among these are the 7th Circuit's decision in Pisciotta v. Old Nat'l Bankcorp., 499 F.3d (7thCit. 2007), and the District Court decisions in the Hannaford Bros. and People's United Bank class actions. However, in many of those cases, while the Courts found that the plaintiffs' allegation of increased risk of identity theft was sufficient to confer standing, they held that it was not sufficient to state a claim for damages - and ultimately dismissed the cases anyway for failure to state a cognizable claim.
This pattern of sustaining a data breach claim on standing grounds, but then rejecting it for failure to state a claim would not work in Missouri. This is because under a Missouri law, a plaintiff does not have to plead damages to maintain a breach of contract claim. Because Amburgy had pled that he was the beneficiary of a third party contract and that Express Scripts had breached its duties under that contract, the Court actually found that he had adequately pled a claim for breach of contract. So unless the Court was able to dismiss the case on some other grounds - it would have to let it go forward.
I'm not saying that the Court's decision was entirely results-oriented, but I don't think he wanted to force Express Scripts to endure the cost and risk of discovery and further law and motion practice to defend a case on which the plaintiffs were highly unlikely to succeed. So in the end, this case is one more illustration of how unwilling courts are to consider data breach cases where the plaintiff's sole damage is an increased risk of identity theft.
David D. Johnson is a business lawyer whose practice focuses on litigation and other issues relating to digital media and consumer electronics companies. David can be contacted at (310) 785-5371 or DJohnson@jmbm.com.
