Identity theft was the most common complaint the Federal Trade Commission received in 2008, accounting for 26 percent of the year's complaints. Anxiety and distress drive most ID theft allegations, because stolen personal information can be used to make fraudulent credit and debit card charges and open bogus bank accounts. But unless such actual injuries occur, an organization that loses personal data is not liable for damages or injunctive relief, according to the D.C. Circuit's June 18 ruling in Randolph v. ING Life Insurance and Annuity Company.
The case stemmed from a June 11, 2006, burglary at the home of an ING Life representative who served participants in the District of Columbia's deferred compensation plan. The thief stole the agent's laptop computer, onto which he had downloaded plan participants' personal information. The data allegedly was not encrypted or otherwise protected with a password (see "Encryption Prescription").
The plaintiffs appealed the decision to the D.C. Court of Appeals, which took a different tack, declining to rule on standing in favor of taking a "better approach" to determining whether the case should proceed. The court did not rule on standing and instead asked whether the plaintiffs successfully stated a claim. In its analysis, the court cited the Supreme Court's reasoning in Doe v. Chao, which allowed standing and general damages for privacy torts without reference to specific harm.
"Rather than an analysis of standing (the test for which, the opinion in Doe suggests, is fairly easily satisfied), the better approach toward resolving ING's motion to dismiss is to analyze whether the amended complaint succeeded in stating a claim as to any or all of the appellants' various theories of liability," the appeals court stated in its opinion.