With data security risk now ranked as their top legal concern (see “Top of the List”), general counsel are closely watching class action suits in which plaintiffs are claiming damages from the loss or theft of personal information.
Several cases have failed to survive the class certification phase because plaintiffs whose personally identifiable information (PII) had been compromised couldn’t prove damages or directly tie the theft of their identity to a data breach. But an 11th Circuit ruling in September appears to have lowered the threshold. A divided panel in Resnick v. AvMed, Inc. reversed in part a district court’s ruling denying class certification and dismissing the plaintiffs’ claims.
Resnick grew out of the theft of two laptops from an AvMed office containing unencrypted PII of 1.2 million health care plan members, including protected health information, Social Security numbers and other contact information. The two named plaintiffs allege that they became victims of identity theft 10 and 14 months, respectively, after the laptop larceny. Although some of the PII used in the identity theft was the type of information contained on the laptops, the plaintiffs did not allege that the identity thieves directly obtained it from the laptops. They could not specify how the identity theft occurred, other than showing that someone had opened fraudulent accounts in their names.
AvMed argued that the complaint alleged no facts directly connecting the laptop heist to the identity theft and that the thieves may have wanted the laptops to pawn, sell or use. The defendant also suggested that the identity thieves could have acquired the PII used in the identity thefts from a number of sources other than the laptops.
The 11th Circuit noted that the plaintiffs’ burden at the class certification stage was to show that their injury was fairly traceable to AvMed’s actions, a standard lower than proximate cause on which many courts have agreed. The court ruled the plaintiffs’ allegation that the sensitive information contained in the stolen laptops “was the same sensitive information used to steal Plaintiffs’ identity” was sufficient to show a nexus between the data breach and the identity theft.
“The Resnick decision will not be welcomed by data breach defendants,” says Michael Pennington, a partner at Bradley Arant Boult Cummings. “It makes it much easier for plaintiffs to survive dismissal at the pleading stage without alleging specific facts clearly linking their alleged identity theft to the defendant’s loss of personally identifiable information.”
Although class certification will remain a crucial first battle area in such lawsuits, experts disagree about Resnick’s impact on future cases.
“Plaintiffs will argue that this case provides support for their right to sue companies that suffer data breaches even where the harm is difficult to measure. So, whether right or wrong, you may see an increase in lawsuits against companies that suffer data breaches,” says Al Saikali, co-chair of the Shook, Hardy & Bacon data security and privacy group.
But Philip Gordon, chair of the Littler Mendelson privacy practice group, says the impact of Resnick will be limited because few cases have similar facts.
“Resnick does not open the floodgates for data breach class actions” because data breaches very rarely result in identity theft, Gordon says. “I’ve handled hundreds of security breaches, but only two or three of these involved identity theft.” He also notes that even where there is identity theft, the victims rarely lose substantial amounts of money. “A $25,000 case is not appealing to a plaintiff class action attorney,” Gordon says.
The case is still in an early stage and, with only two victims identified to date, may not ultimately survive as a class action, Gordon says. The plaintiffs must ultimately prove the identity theft directly resulted from the breach.
The extent of actual injury required to be pleaded and proved in data breach class actions is a rapidly evolving area of the law. Some courts, including the 7th and 9th Circuits, have allowed class actions to proceed after sophisticated data breaches based on the threat of future damage to the plaintiffs.
Prior to Resnick, case results often differed based largely on the nature of the data and the nature of the theft, Pennington says. For example, a case based on an organized group of hackers seeking sensitive information might require less specific proof from plaintiffs than one involving a thief seeking a laptop to sell for cash. “Resnick allows even these cases to proceed toward the class certification stage with little more than assumptions about a causal link between a laptop theft and the plaintiff’s claimed identity theft,” Pennington says.
With data breach incidents and risk from ensuing class actions increasing, “companies should be taking proactive measures to limit the risks associated with a breach,” Saikali says.
In addition to using the latest data security technology and encrypting mobile devices, Pennington suggests companies keep sensitive information only as long as necessary. He also recommends having a plan to quickly notify affected customers of a data breach, and offering those customers prearranged identity theft protection and credit monitoring services.
“These types of proactive mitigation efforts can help minimize a company’s class action exposure once a data breach occurs,” Pennington says.