Identity theft was the most common complaint the Federal Trade Commission received in 2008, accounting for 26 percent of the year’s complaints. Anxiety and distress drive most ID theft allegations, because stolen personal information can be used to make fraudulent credit and debit card charges and open bogus bank accounts. But unless such actual injuries occur, an organization that loses personal data is not liable for damages or injunctive relief, according to the D.C. Circuit’s June 18 ruling in Randolph v. ING Life Insurance and Annuity Company.

The case stemmed from a June 11, 2006, burglary at the home of an ING Life representative who served participants in the District of Columbia’s deferred compensation plan. The thief stole the agent’s laptop computer, onto which he had downloaded plan participants’ personal information. The data allegedly was not encrypted or otherwise protected with a password (see "Encryption Prescription").

The court dismissed a class action filed on behalf of plan participants on the grounds they failed to state a claim.

"This is the highest court yet to rule on the loss of personal information by a corporation, in a case with no actual misuse of the information to cause harm, just the possibility that injury may occur someday," says Rosalind Allen, a partner at Holland & Knight. "If you can’t show harm, the D.C. Circuit is saying you’re essentially out of luck."

In the plaintiffs’ initial complaint, they asserted that ING Life had failed "to establish and enforce appropriate ... safeguards to ensure the security and confidentiality of records," alleging gross negligence and invasion of privacy. They subsequently amended their complaint to allege breaches of fiduciary duty and confidential relationship, and violations of two District of Columbia statutes. But they still did not claim actual harm, just the potential of future harm.

Judge Colleen Kollar-Kotelly of the U.S. District Court for the District of Columbia dismissed the case on Feb. 20, 2007, finding that the plaintiffs "lack standing because they fail to allege a sufficiently ‘actual and imminent’ injury-in-fact." After remand to the district’s Superior Court, the plaintiffs made essentially the same complaint, which included no allegations of actual harm even though a year had passed since the burglary. ING Life again moved to dismiss the complaint for lack of standing.

Accepting this argument, Superior Court Judge Frederick Weisberg wrote in his June 2007 ruling, "[Plaintiffs] must have suffered an injury in fact—an invasion of a legally protected interest which is (a) concrete and particularized ... and (b) actual or imminent, not conjectural or hypothetical."

The plaintiffs appealed the decision to the D.C. Court of Appeals, which took a different tack, declining to rule on standing in favor of taking a "better approach" to determining whether the case should proceed. The court did not rule on standing and instead asked whether the plaintiffs successfully stated a claim. In its analysis, the court cited the Supreme Court’s reasoning in Doe v. Chao, which allowed standing and general damages for privacy torts without reference to specific harm.

"Rather than an analysis of standing (the test for which, the opinion in Doe suggests, is fairly easily satisfied), the better approach toward resolving ING’s motion to dismiss is to analyze whether the amended complaint succeeded in stating a claim as to any or all of the appellants’ various theories of liability," the appeals court stated in its opinion.

Yet William McComas, a partner at Shapiro Sher Guinot & Sandler, notes, "The end result was the same. The appeals court ruled that a plaintiff must allege more than speculative harm from the defendant’s allegedly negligent conduct. By creating the statement of claim precedent, the ruling gives defendant corporations another arrow in their quivers to fight these cases in the future."

With regard to the plaintiffs’ claim of future injury, the court noted that ING Life notified the D.C. government and the affected participants of the potential data breach within a few days of learning about it. ING Life also instituted a series of steps to mitigate, if not eliminate, potential future harm, including paying for a credit monitoring service.

While it appears the thief in the ING Life case wasn’t after the personal data the laptop contained, other cases do include that particular motive. Barry Coburn, a Coburn & Coffman attorney, contrasts the burglary at the home of the ING Life representative with the data breach that occurred in early 2007 against TJX Cos., the parent company of TJ Maxx and other retailers.

"In that case you had sophisticated hackers break into the company’s computer system using a wireless device to specifically steal the credit and debit card numbers of 45 million customers for sale to others," he says. "ING Life was a garden-variety burglary. There was no indication whatsoever—and no plaintiff alleged—that the thief took the laptop because of the data it contained."

Allen shares this perspective. "Many laptops are stolen not for the data they contain but for the computer. In such cases, thieves don’t assume there is value in the personal information stored on the computer. They don’t want to hack into the system; they want to sell the computer."

While Allen agrees the appeals court’s ruling "makes these kinds of suits easier to defend," she says the windfall received by parties affected by the TJX Cos. data breach "make this as an area where the plaintiffs bar will continue to look to reap rewards."