This significant data breach case recently came to my attention. In it, the Southern District Court of Ohio dismissed a motion to certify a class proceeding because the plaintiff had not alleged any damage other than the cost of obtaining credit monitoring services.
The defendant, a mortgage loan service provider, experienced a break-in in August 2005. The thieves took over $60,000 in computer hardware, including four hard drives containing the personal information of over 229,000 individuals. About four weeks after the break-in, the defendant notified individuals of the breach. In its notification letter, the defendant recommended that affected individuals place a fraud alert on their credit files but did not offer to pay for credit monitoring services.
The plaintiff claimed the defendant was negligent in securing the hard drives and negligent in terminating its internal investigation of the breach before identifying the perpetrators. The resulting loss, as alleged in the claim, was the cost of obtaining credit monitoring services “for many years” and “at great expense.”
The Court held that the plaintiff did not have standing to bring a claim in negligence because she did not establish a genuine issue of material fact in respect of her own claim. It cited a series of American cases from the last two years for the proposition that the cost of responding to an increased risk of identity theft, when merely speculative, is not an actionable loss. The following paragraph is a nice summary of the factual basis for the Court’s decision:
Although the above cited cases are not binding on this Court, this Court finds them to be persuasive. Plaintiff has admitted, that to her knowledge, no unauthorized use of her personal information has occurred. She has not been a victim of identity fraud since the theft, which occurred 20 months ago. Additionally, Plaintiff waited until almost one full year after the theft to obtain credit monitoring and chose not to place a free fraud alert on her credit report. She also failed to allege in her complaint that the information was the target of the theft. Although in her briefs she theorizes that the break-in was an “inside job” and that the information was targeted there is no evidence to support this. The four hard drives were among $60,000 worth of equipment that was stolen from the server room. There is no evidence that the information was the target of the theft as opposed to the actual hard drive themselves. Neither the Atlanta Police Department nor the private investigator hired by Litton came to any such a determination. Furthermore, even if the information was the target of the theft, there is no evidence that the thieves or other unauthorized individuals were able to access that information or if accessed that it would be used for unlawful purposes. Thus, any injury of Plaintiff is purely speculative. It is Plaintiff’s choice to obtain credit monitoring in this situation; however, without direct evidence that the information was accessed or specific evidence of identity fraud this Court can not find the cost of obtaining that credit monitoring to amount to damages in a negligence claim.