The onslaught of identity theft lawsuits against businesses ranging from banks to retailers continues unabated, and the odds are strong that the wave will continue.
46 states now have legislation concerning the use of personal identification information (PII) and regulating what must be done to notify those whose information has been compromised. Cybersecurity spending is estimated to be $30 billion annually in the United States, as identity thieves employ numerous techniques to retrieve identity information through the internet. The average cost of defending an identity theft lawsuit has been estimated to be $500,000, with settlements of putative class actions costing an average of $2.1 million.
The plaintiffs’ bar has been creative in alleging claims for breach of contract, negligence, consumer protection act violations, misrepresentation, breach of fiduciary duty, and an array of claims under various state and federal statutes, among others.
But the good news for businesses is that our courts are dismissing these cases with some regularity. Two of the more recent cases are Holmes v. Countrywide Fin. Corp., No. 5:08-CV-00205-R, 2012 U.S. Dist. LEXIS 96587 (W.D. Ky. July 12, 2012) and Willingham v. Global Payments, Inc., No. 1:12-CV-01157-RWS-JFK, 2013 U.S. Dist. LEXIS 27764 (N.D. Ga. Feb. 5, 2013). In Holmes, individuals who opted out of a class action proceeding brought independent claims for breach of state security notification laws and violations of the federal Fair Credit Reporting Act against Countrywide Financial. The security breach at issue in Holmes, which was undisputed, involved 2.4 million customers whose PII was fraudulently sold by a Countrywide insider. Nevertheless, after a review of the legal precedent elsewhere and a healthy discussion of the claims at issue, the U.S. District Court for the Western District of Kentucky dismissed the plaintiffs’ claims, finding that allegations of increased risk of harm, without more, are an insufficient basis upon which to recover damages.
Just last month, the U.S. District Court for the Northern District of Georgia reached a similar conclusion in Willingham, where 1.5 million consumer accounts had been compromised. The court noted that while an imminent risk of injury may be sufficient to establish Article III standing, actual identity theft, rather than the mere risk of future identity theft, remains necessary to the recovery of damages. Moreover, the court observed, an actionable allegation of identity theft requires more than merely fraudulent charges on a bank statement. According to the court, “[w]ithout some further factual allegation, such as that Plaintiff was not reimbursed for th[e] [fraudulent] charges or that she incurred fees or other expenses or financial consequences because of such charges,” a plaintiff fails to establish an injury for which a court may award damages.
While the law is still evolving in this arena, the decisions to date reflect a common theme disfavoring claims for risk of future identity theft. The primary theme is simply this: without actual harm to the individual in the form of unauthorized use of PII by a thief and measurable damages resulting from that use, the victim cannot recover damages. Speculative claims based upon fear of potential misuse of the data, without more, are insufficient and are likely to be dismissed.