S.D.N.Y.: Plaintiffs Asserting Claims Based on Risk of Identity Theft Lack Standing

The Southern District of New York recently, in Hammond v. The Bank of New York Mellon Corp., No. 08-6060, 2010 WL 2643307 (S.D.N.Y. June 25, 2010), joined other courts from around the country in holding that plaintiffs who bring claims based on the risk of identity theft lack Article III standing. In each case, including the 26 cases cited in Hammond, the plaintiffs’ claims were dismissed, either on a motion to dismiss or summary judgment.

In Hammond, the plaintiffs, after being notified that their personal information, contained on unencrypted backup tapes, had been “lost” while being transported by a third party, brought a putative class action asserting claims for breach of implied contract, breach of fiduciary duty, negligence, and violation of state consumer protection laws. Three of the seven named plaintiffs alleged that they actually had suffered “unauthorized credit transactions” after the tapes were lost, although they ultimately conceded that the charges were either reimbursed or unrelated to the tape loss. Bank of New York’s original motion to dismiss was denied. It then moved for summary judgment based on a lack of Article III standing and argued that the alleged emotional distress or increased risk of harm did not constitute legally cognizable harm.

Discovery in the case, particularly plaintiffs’ deposition testimony, demonstrated that the plaintiffs did not suffer any damages.  The court, recognizing the apparent inconsistencies in its decisions on defendant’s motion to dismiss and plaintiffs’ motion for summary judgment, held that a finding that Article III standing exists at the motion to dismiss stage does not necessarily mean that it will be present at summary judgment.

Hammond is the latest in a long line of cases holding that the risk of identity theft is not a cognizable injury.  Thus, dismissal in these cases is not an issue of “if,” but of “when.” 


Identity Theft Litigation Update: Ninth Circuit Upholds Dismissal Of Speculative Claims

Updating a prior post, the Ninth Circuit, in Ruiz v. Gap, Inc., recently upheld a dismissal on summary judgment on the grounds that the mere risk of identity theft is too speculative an injury to substantiate a cause of action based on negligence. See Ruiz v. Gap, Inc., No. 09-15971, 2010 WL 2170993 (9th Cir. May 28, 2010).

As background, Plaintiff, Mr. Joel Ruiz, submitted an online job application to work in a Gap store. As part of the application, Ruiz provided his social security number. Gap later disclosed that laptops were stolen from Vangent, the vendor with whom Gap had contracted for recruiting purposes. The laptops contained Ruiz’s unencrypted personal information, along with the information of nearly 800,000 other Gap job applicants.

Ruiz filed a putative class action alleging, among other things, negligence and violation of California Civil Code § 1798.85. Ruiz later amended his complaint to bring a breach of contract claim against Vangent. As discussed in a prior post, the court previously denied a motion to dismiss on the negligence claim. However, defendants were granted summary judgment on the negligence claim after discovery had done little to cure its speculative nature. See Ruiz v. Gap, Inc., 622 F. Supp. 2d 908 (N.D. Cal. 2009). The court held that an increased risk of identity theft did not constitute “the level of appreciable harm necessary to assert a negligence claim under California law.” Id. at 913.

In the opinion, the Ninth Circuit held that while the increased risk of identity theft created sufficient concern to grant plaintiff Article III standing, the alleged injury was still too speculative to sustain a negligence claim under California law. See Ruiz v. Gap, Inc., No. 09-15971, 2010 WL 2170993, at *1 (9th Cir. May 28, 2010). “It is fundamental that a negligent act is not accountable unless it results in injury to another.” Id. Notably, the court refrained from answering whether money spent on credit monitoring, as the result of personal information theft, supported a negligence claim. Id. However, the court included a footnote citing authority in favor of awarding medical monitoring costs, thus suggesting that it might be inclined to draw a parallel between these issues in the future. Id. at n1.


Legal Developments Affecting Payment Card Data Pass Practices

On-line marketers that share their customers’ credit or payment card information with other business partners without the consumer’s knowledge or active consent – a practice referred to as a “data pass” – may wish to read a recently published BNA Privacy & Security Law Report titled “Scrutiny on Payment Card Data Pass: Raising the Profile of Personal Information Sharing Among Marketers.” Kelley Drye attorneys Alysa Z. Hutnik and Joseph D. Wilson co-authored this article, which:

  • explores a rule recently announced by VISA and legislation recently proposed by Senate Commerce Committee Chairman, Jay Rockefeller (D-W.Va.) entitled “The Restore Online Shoppers’ Confidence Act” (S. 3386), both of which restrict companies’ ability to share customer payment card information. (Visit Kelley Drye's Advertising Law Blog for related articles on these topics);
  • reviews two recently filed class actions, Ferrington, et al. v. McAfee Inc., 5:10-cv-1455 (N.D. Cal.), and Van Tassell, et al. v. United Marketing Group Inc., et al., 1:10-cv-2675 (N.D. Ill.), alleging that the data pass practices of certain on-line marketers violated numerous state consumer protection laws;
  • advises on steps companies should consider taking to mitigate the risk that their data pass practices will come under FTC scrutiny; and
  • discusses considerations companies should make if they find themselves the subject of a class action relating to their data pass practices.

Another Missive from the Data Breach Front: Remote Risk of Identity Theft Does Not Confer Standing in Allison v. Aetna

Allison v. Aetna, Inc., a recent opinion out of the Eastern District of Pennsylvania, adds to the burgeoning body of law holding that when a plaintiff fails to allege an actual injury resulting from a data breach, and instead alleges only an enhanced risk of identity theft, an injury-in-fact does not exist and the suit must be dismissed for lack of standing.

In Allison, Plaintiff alleged that he and others submitted their personal information to Aetna’s job application website. Soon after, Plaintiff alleged that he began receiving “phishing” emails requesting additional personal information, as the result of an alleged security breach of Aetna’s website. Plaintiff, other applicants, and over 65,000 current and former Aetna employees were sent notification letters advising them of the breach, stating that their email addresses had been accessed but that it was unclear whether additional information had been accessed.

Plaintiff then filed his class action suit alleging that Aetna had failed to “adequately protect the personal information of its current, former, and potential employees….” Plaintiff described the various remedial measures that he and potential class members had been forced to undertake, including time spent to monitor various accounts for signs of identity theft and out-of-pocket expenses for identity theft protection services. The complaint did not allege that Plaintiff, or anyone else, had suffered identity theft, but rather that they were subject to “a significant risk of identity theft.” The suit asserted various claims including negligence, breach of implied contract, breach of express contract, negligent misrepresentation, and invasion of privacy. Aetna moved to dismiss all claims pursuant to Federal Rules of Civil Procedure 12(b)(1), arguing that Plaintiff lacked injury-in-fact standing, and 12(b)(6), arguing that Allison had failed to state a claim.

The court held that Plaintiff’s increased risk of harm did not create an injury-in-fact because his chance of suffering from identity theft was not imminent and was too speculative. Despite Plaintiff’s conclusory allegations to the contrary, the court found that Plaintiff had merely alleged that unidentified hackers had accessed his email address, thus making actual identity theft unlikely. The court dismissed Allison’s claims based on a lack of standing. 

Compared to other recent opinions that address the risk of identity theft, this opinion stops short of addressing the heart of this issue -- namely, does a demonstrated risk of identity theft create an injury upon which relief can be granted? Would the court have ruled differently if Allison's social security number, as opposed to just his email address, had been accessed? Future plaintiffs are likely to attempt to distinguish their claims from Allison by contending that their claims are more fully and adequately pleaded to demonstrate a more imminent risk of identity theft. However, that does not mean a claim survives a motion to dismiss. In fact, as we discussed just last year, certain courts have held that while the increased risk of harm may be sufficient to satisfy the initial injury-in-fact element for standing, it may not suffice to show "actual damage" to support a claim for damages under negligence and other liability principles.

UPDATE: Data Breaches on the Rise in 2010

Updating a previous post regarding the rise last year in the number of data breaches involving customers’ personal information in the general business sector, the numbers of these breaches for the first third of 2010 reflect a similarly troubling trend. According to the Identity Theft Resource Center (“ITRC”), the total number of reported data breaches as of today stands at 245, or nearly half of the 498 total breaches reported for the entire year in 2009. The general business sector (not including companies in the more heavily-regulated financial and medical sectors) continues to experience the highest percentage of these data breaches, with a reported 38.8% of reported breaches thus far this year. These statistics underscore the urgency with which your company should act to ensure that adequate measures are in place to protect private data, or risk being subject to costly litigation. Stay tuned for further updates as additional data becomes available.

Study Suggests that Data Breaches Among Businesses May Be on the Rise

A recent study released by the Identity Theft Resource Center (“ITRC”), a non-profit organization dedicated exclusively to the prevention of identity theft, suggests that in 2009, while the government appeared to be improving data security, the protection of customers’ private information by some businesses may have worsened. The annual ITRC study is funded by the U.S. Department of Justice’s Office of Victims of Crime and tracks how a data breach occurs and identifies the breach by sector – including general business, medical and health, financial institutions, government/military, and educational.

The highlights of the 2009 ITRC study include the following:

  • Breaches within the general business sector (not including companies in the more heavily-regulated financial and medical sectors) climbed from 21% to 41% between 2006 and 2009, the worst sector performance by far.
  • Paper breaches increased 46% from 2008 and now account for nearly 26% of known breaches.
  • The number of breaches caused by a malicious attack surpassed the number resulting from human error for the first time in three years.
  • In only six of the total 498 breaches reported was the exposed data protected by encryption or another strong security feature.

These statistics highlight the importance of consistently evaluating the measures your company takes to secure private data. Otherwise, your company runs the risk of being sued for breach of privacy, including in the individual and class action context, or becoming the subject of investigation by state and/or federal regulators, who are becoming increasingly aggressive about investigating privacy breaches. Your company may also find itself liable to third-parties with whom it does business, including credit card issuers and merchant banks, especially if your company’s privacy protections fail to meet the industry standard. [Click here for a post from the Kelley Drye Advertising Group’s “Ad Law Access Blog” regarding a recent law passed in the state of Washington that establishes such liability.]


Data Breach Coverage: Underwriting at the Point of Claim?

The recently filed case of First Bank v. Federal Insurance Company reflects yet another financial services provider that was the subject of a data breach incident, and was forced into litigation with its insurers as a result. As detailed in our recent article, First Bank is not alone in having its insurance company deny the claim for coverage arising from the data breach. In this area of privacy and data security, anecdotally at least, it appears that many insurers are "underwriting at the point of claim" -- that is, denying coverage in the hope that the policyholder will abandon pursuit of the coverage.

However, you may be covered, even if you do not have a "cyber" or "data security" policy. In fact, the label or title on the policy matters little, as Federal had issued a policy impressively titled, “Cybersecurity by Chubb for Financial Institutions,” yet disclaimed coverage. That old standby -- Comprehensive General Liability (better known as "CGL") policies -- may well provide you with the coverage you need to defend litigation arising from a data breach.
 

Federal Agencies Issue FAQs on FACTA Red Flag Compliance

Last week, the Federal Trade Commission, jointly with other federal agencies that regulate financial institutions, released "frequently asked questions" designed to provide additional assistance to companies required to comply with new identity theft rules pursuant to the Fair and Accurate Credit Transactions Act ("FACTA").

Those rules were issued in November 2007. Under the regulations, financial institutions are required to develop and implement written programs to detect and respond to possible identity theft as indicated by certain "red flags." These newly required programs were to be in place on or before November 1, 2008.

The FAQs are the latest step in a number of efforts by the FTC and others to assist companies in complying with the new FACTA rules. For instance, in July 2008, the FTC launched an outreach program to explain the rules in greater detail, to clarify the types of institutions to which the rules apply, and to offer guidance as to how these institutions can comply. That outreach effort included an alert providing information relating to definitions and terms used in the rules, including the definitions of “financial institution,” “creditor,” “transaction account,” and “covered account.” In addition, the alert addressed five categories of “red flag” activities.

Financial institutions should continue to monitor for guidance from the federal agencies, and/or consult with counsel, regarding their compliance with the new FACTA rules.

Wave of Class Actions for Data Security Breaches

If your company collects customers’ personal data in the course of its business, be aware of the wave of class actions that have recently been filed arising out of data security breaches. Finkelstein Thompson, a DC-based law firm, over the past year has filed a series of class actions against businesses that have fallen victim to such data breaches.

One such suit, filed in the Northern District of Georgia, asserts claims against RBS WorldPay, Inc. for negligence, breach of implied contracts, and violation of state unfair trade law, after hackers allegedly gained access to the personal information of approximately 1.5 million RBS cardholders. In an incident apparently related to this security breach, Fox News reported -- citing FBI sources -- that thieves, using cloned ATM cards with the stolen data, withdrew $9 million from ATMs in a coordinated attack in 49 cities, including Atlanta, Chicago, New York, Montreal, Moscow, and Hong Kong. This incident has garnered considerable media attention and will likely result in similar suits being filed against RBS across the country.

While this sort of case is extremely difficult to sustain given the absence of actual harm, the litigation and reputational costs associated with it are significant for the businesses targeted, particularly given the resulting media attention. Therefore, be forewarned, and regularly evaluate your data collection, data use, and data maintenance procedures and infrastructure with both your IT personnel and legal counsel.

For further discussion of this case, see our recently published piece in the ABA “Secure Times” newsletter. And for a broader discussion of how other cases have addressed these types of claims, please see our article published in Andrews Litigation Reporter.

Identity Theft Litigation Update: Recent Cases Show Trend Toward Dismissal of Speculative Claims

Several weeks ago, we discussed how most courts were rejecting lawsuits where the plaintiffs claimed “damages” in the form of an increased risk of identity theft, generally stemming from allegations of an accidental loss or theft of personal confidential information. Since we last blogged on this issue, two recent decisions highlight how that trend is continuing, and that courts increasingly require more than speculation about future harm to sustain a lawsuit over the loss of confidential information.

The first notable decision involved a court which was clearly aware of this growing body of case law. In Belle Chasse Automotive Care, Inc. v. Advanced Auto Parts, Inc., United States District Court Judge Kurt Engelhardt of the Eastern District of Louisiana dismissed a claim stemming from a security breach involving confidential information. The plaintiff in Belle Chasse alleged that this breach only had caused an increased risk of identity theft, not an actual identity theft. The court granted defendants’ Rule 12(b)(6) motion, and cited to the growing body of case law from around the nation supporting the position that these allegations amount only to “speculative damages for which [Louisiana] law provides no remedy.” Notably, the Court cited to the Pinero decision we referenced in our prior post and found United States District Court Judge Sarah Vance’s analysis in that case to be “directly on point.”

The second notable decision provides an example of a Court reversing course on this issue, citing this line of cases as authority. The Ruiz v. Gap, Inc. case already was notable in that United States District Court Judge Samuel Conti, in March 2008, had previously ruled  that allegations of a potentially increased risk of future identity theft were sufficient to make out a viable negligence claim under California law. At that time, Judge Conti denied the defendant’s motion to dismiss under Rule 12(b)(6) and held that the plaintiff had alleged an injury in fact, even though he noted that it was unclear what damages the plaintiff would be able to recover even if the plaintiff were to prevail on the merits. Compared to the many cases holding to the contrary, the Ruiz case was generally viewed as an outlier, as one of the few rulings to have held that an allegation of the mere increased risk of identity theft was sufficient to defeat a Rule 12(b)(6) motion.

But just this month, Judge Conti granted summary judgment to the defendants on this same issue. In doing so, the court held that an increased risk of identity theft did not constitute “the level of appreciable harm necessary to assert a negligence claim under California law.” The court expressly rejected parallels to medical monitoring claims in the toxic tort context, and expressly noted similar cases from other jurisdictions – namely Louisiana, Ohio, and Minnesota – none of which were referenced in the court’s 2008 opinion denying the defendants’ motion to dismiss. The decision appears to reflect a reconsideration of sorts by the court – the evidence obtained during depositions seemed to be no different from what the plaintiff alleged in his Complaint, so if those allegations were adequate to defeat a motion to dismiss, testimony to the same effect should have also been adequate to defeat summary judgment. This is merely our own speculation, but it could be that the court became aware, over the course of the past year, of the growing and substantial body of case law which has been rejecting these types of speculative claims.
 

Merchants Beware: Protect Your Customers and Company from Credit Card "Skimming"

The current economic climate has had many consequences, including an apparent increase in economic crimes such as credit card fraud. In recent months, numerous credit card scams involving restaurant chains have been reported. For example, the Washington Examiner reported on March 29 that wait staff at several high-end restaurants in Washington, DC, including M&S Grill, 701 Restaurant, Clyde’s of Gallery Place and Bowie’s Carrabba’s Italian Restaurant, stole credit card numbers from customers and ran up a $750,000 tab at various luxury retail stores. In addition, the article references a similar scam recently uncovered in New Orleans, in which a waitress at Bubba Gump Seafood Company used a skimming device to capture customers’ credit card information. “Skimming” devices, which can easily be purchased over the Internet, are small enough for wait staff to carry in their pockets or aprons, and within a second can capture the electronic information stored in a credit card’s magnetic strip.

While such scams obviously cost consumers, merchants are also victims due to loss of consumer trust, the time and expense of cooperating with authorities and, if applicable, notifying potentially affected customers, and potential lawsuits under negligence and/or negligent hiring theories. Although merchants can never be completely assured that rogue employees will not engage in theft, they should consider the following steps to mitigate their risk:

(1) Handle credit cards in view of the customer. If the customer never loses sight of the credit card, theft is more difficult if not impossible. Retailers, restaurants and other businesses may wish to consider switching to portable credit card processing devices that allow customers to pay at the table.

(2) Carefully screen job applicants. Simple background checks can identify applicants with prior criminal histories.

(3) Educate and monitor employees. Ensure that employees are aware of the risks and consequences of credit card fraud (e.g., mere possession of a skimming device is a felony in many states), and adopt policies for employees handling customer credit cards. Monitor employees and encourage them to report any suspicious activity on the part of their coworkers.

Fears of Future Identity Theft Generally Not Sufficient To Establish "Actual Damages" In A Lawsuit

Over the last few years, incidents involving disclosures of personal information by consumer financial service providers have been big news, ranging from the theft of laptop computers containing social security numbers, to hacker attacks on computer networks containing confidential information, to the more "vanilla" theft of personal documents. Not surprisingly, the plaintiffs' bar has been attempting to turn all of this worry about identity theft into big money - even where no identity theft has occurred. However, courts around the nation have been considering such claims and responding with a virtually uniform voice: however the claim may be styled, a plaintiff's speculative fear of potential future identity theft does not constitute "actual damages" under the law. Courts have accordingly rejected such lawsuits.

In the latest court opinion to address this issue, Pinero v. Jackson Hewitt Tax Service, Inc., No. 08-3535, 2009 U.S. Dist. LEXIS 660 (E.D. La. January 7, 2009), Chief Judge Sarah S. Vance dismissed various statutory and tort claims, including negligence, breach of contract, violations of a Louisiana data breach notification statute, and claims under the Tax Reform Act of 1976, against a national franchisor of income tax preparation services and its local independent franchisee. In the Pinero case, the plaintiff contended that the independent franchisee had failed to dispose of certain documents properly, which allegedly contained personal information. However, the plaintiff neither contended that her documents fell into the hands of a wrong-doer, nor that she had suffered any actual identity theft. Her damages claims were largely based on alleged emotional injuries and mental anguish, and theoretical consequential damages about steps she might need to take to deal with potential identity theft.

The Court rejected this theory of damages, and dismissed 6 of 7 claims, including negligence, breach of contract, and violations of the Louisiana data breach notification statute, holding that this type of speculative “injury” does not meet the required damages element. Also, in a holding of first impression, Judge Vance dismissed the federal claim for statutory penalties under the Tax Reform Act of 1976, ruling that commercial tax preparers are simply not subject to the provisions of the law governing disclosure of tax return information by the I.R.S. or its agents. The Court further ruled that the Louisiana data breach notification statute did not apply to paper documents – notably, Louisiana is not alone in this regard. Judge Vance also dismissed the claims for fraudulent inducement and under the Louisiana unfair trade practice law for a failure to adequately allege an intent to defraud. The Court only let the invasion of privacy claim survive, albeit noting skepticism about whether such a claim could succeed on the merits.

For further discussion of this case, see our recently published piece in the ABA "Secure Times" newsletter. And for a broader discussion of how other cases have addressed these types of claims, please see our article published in Andrews Litigation Reporter.

(Andrew S. Wein and Veronica D. Gray represent Jackson Hewitt Tax Service in this case.)
 

Welcome to the Consumer Financial Services Blog

Which among the following businesses are potentially subject to consumer financial services laws, rules, and regulations?

A. a retail clothing chain
B. a bank or mortgage company
C. an internet retailer
D. a fast food franchisor
E. all of the above

If you answered E, “All of the above,” you are CORRECT. However, many companies do not realize their businesses are subject to consumer financial services laws. Consequently, their businesses may not be compliant and may be subject to litigation risk.

The focus of the Consumer Finance Law Blog is to keep – all on one site – traditional and non-traditional financial service providers subject to consumer financial services laws abreast of recent developments in:

  • State consumer protection statutes and regulations
  • State privacy statutes
  • Privacy and consumer protection litigation
  • Card Association Rules
  • Equal Credit Opportunity Act
  • Electronic Funds Transfer Act
  • Fair Credit Reporting Act
  • Fair Credit Transactions Act
  • Fair Debt Collection Practices Act
  • Payment Card Industry Data Security Standard
  • State Money Transmitter Statutes
  • State Retail Installment Sales Act
  • State and Federal Unfair and Deceptive Trade Practices Acts
  • TILA, RESPA, and related federal and state consumer disclosure and notice requirements
  • Insurance coverage issues
  • Legislation that may impact company compliance or create new litigation risk.

We welcome you and hope that you find our posts interesting, educational, and thought provoking. We also welcome your feedback and invite you to suggest topics or recent decisions of interest that you would like us to address.