At the FindLaw site, Anita Ramasastry, a FindLaw columnist and Director of the Shidler Center for Law, Commerce & Technology, analyzed the Amburgy v. Express Scripts court case. In this case, a consumer sued a company for negligence after the company suffered a data breach and then received an extortion letter from one of the hackers:
"What happens when a company that has been subject to a breach receives an anonymous letter from someone who claims to have access to the stolen data and who states that, unless there is a payoff, he or she will use the data to commit large-scale identity theft? Such a situation is more serious than a data breach alone, but less serious than a data breach combined with fully-realized identity theft. Of course, under the criminal law, the letter's demand is extortion, and its victim is the company. But is there also a civil remedy that consumers whose data is compromised can invoke in such a situation?"
That's a good question. Can consumers sue a company after a data breach and claim that the company should have done more to protect their data, because the breach victims now bear a risk that didn't exist before the breach:
"That was the question posed in Amburgy v. Express Scripts... The complaint alleged that the company breached its duty to maintain adequate security measures, and that this failure resulted in the data breach where millions of customer records were compromised. As a result, it alleged, plan members had been exposed to an increased risk of becoming victims of identity theft crimes, as well as fraud and extortion. The plaintiffs sought damages for emotional distress resulting from the fear of future identity theft. They also sought damages for costs incurred by plan members who had incurred costs for credit monitoring to prevent such losses. The suit claimed that the company's actions constituted negligence and breach of contract, and that these actions had also violated state consumer statutes."
I know that I definitely felt that way after IBM's 2007 data breach. I felt that IBM, through its own carelessness or the carelessness of one of its vendors, didn't protect the sensitive personal data of employees and former employees that was exposed (e.g., lost or stolen) -- including mine. After that breach, I had to take actions that I wouldn't have had to take if the IBM breach hadn't happened.
Yes, IBM paid for free credit monitoring and resolution for one year for its breach victims. The reality: long after the free period ended, I had to remain vigilant and continue monitoring my credit reports. To me, 10 or 15 years of free credit monitoring services seemed more appropriate. After all, IBM is one of the top computing and security companies on the planet.
So I can fully understand how the class-action plaintiffs must have felt in the Amburgy v. Express Scripts case. How the court ruled:
"... a Missouri federal court hearing the case held that even such a threat is not enough to form the kind of injury that gives a consumer standing to sue the company for negligence."
Why the court ruled against the plaintiffs in Amburgy:
"... the court invoked the law of standing – that is, the body of law that examines whether a would-be plaintiff has suffered the type of injury that the court deems a valid basis on which to ground a lawsuit. The Amburgy court found that the injury at issue was not sufficiently concrete to be the basis to sue for a negligence claim... Standing requires "injury in fact" and the court held that a possibility of injury did not meet the standard."
The extortion letter was not enough. Amburgy wasn't on the list of 75 stolen identities the hackers shared in their letter. Amburgy hadn't had any money stolen from his bank accounts, or fraudulent loans taken out in his name.
Translation: a consumer has to suffer real identity fraud first: lost money, a hacked bank account, or a fraudulent loan taken out in their name. Only then can they sue -- provided they have the money and resources to sue and can prove the connection between their identity fraud and the corporate data breach.
The court's decision is understandable and unfortunate. In this age of the Internet and computing, sensitive personal data can be transmitted quickly and resold anywhere worldwide, and it seems that the criminals are rarely caught. All of this makes it extremely difficult for the average consumer to prove that the fraud and stolen funds they experienced are directly connected to a corporate data breach that happened weeks or months earlier.
There has to be a better way... a middle ground that balances the needs of consumers and the needs of companies:
"Finally, the courts that have rejected "identity theft risk" cases may feel that the courts should not be the only -- and may not be the best -- place for developing new risk-mitigation principles and tools. Congress may be the best place to develop a unified solution..."