BreachExchange mailing list archives

Recent Death of Data Breach Class Action Resuscitates Lack of Standing Arguments in Identity Exposure Cases


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Tue, 1 Dec 2009 23:47:00 -0500

http://privacylaw.proskauer.com/2009/12/articles/data-breaches/recent-death-of-data-breach-class-action-resuscitates-lack-of-standing-arguments-in-identity-exposure-cases/

On November 23, 2009, a federal court in Missouri bucked the recent
trend in identity exposure lawsuits and refused to recognize Article
III standing in a class action lawsuit that alleged simply an
increased risk of identity theft resulting from a data breach. In
Amburgy v. Express Scripts, Inc., Magistrate Judge Frederick R.
Buckles of the U.S. District Court for the Eastern District of
Missouri held that “plaintiff’s asserted claim of
‘increased-risk-of-harm’ fails to meet the constitutional requirement
that a plaintiff demonstrate harm that is ‘actual or imminent, not
conjectural or hypothetical.’ Plaintiff has therefore failed to carry
his burden of demonstrating that he has standing to bring this suit.”
Consequently, the Court dismissed the plaintiff’s action – which
included claims for negligence, breach of contract, violations of
state data breach notification laws and violations of Missouri’s
Merchandising Practices Act (“MPA”) – in its entirety for lack of
subject matter jurisdiction pursuant to Rule 12(b)(1) of the Federal
Rules of Civil Procedure. In doing so, the court breathed new life
into the lack of standing argument that had begun to fall out of favor
in identity exposure cases.

Prior to the Court’s decision in Amburgy, the trend in lost data cases
had been in favor of finding subject matter jurisdiction, even where
the plaintiff's allegations failed to state a valid cause of action.
(See our post regarding McLoughlin v. People’s United Bank, Inc.
here.) Indeed, as Judge Buckles observed in his opinion, subsequent to
the Seventh Circuit’s decision in Pisciotta v. Old Nat’l Bancorp,
“district courts have consistently determined that claims of increased
risk of identity theft resulting from security breaches sufficiently
allege an injury-in-fact to confer Article III standing.” After noting
the Seventh Circuit’s lack of discussion in Pisciotta about applying
the U.S. Supreme Court’s recognized standards for determining standing
under Article III, Judge Buckles engaged in a thorough analysis of the
plaintiff’s standing to sue. Relying principally on the Supreme
Court’s opinion in Whitmore v. Arkansas, the Court concluded that the
plaintiff lacked standing because he “cannot show that he has suffered
or will immediately suffer a concrete injury-in-fact.”

In addition to dismissing all of plaintiff’s claims for lack of
subject matter jurisdiction, the Court explained that the claims for
negligence, violations of state data breach notification laws and
violations of Missouri’s MPA also should be dismissed under Rule
12(b)(6) of the Federal Rules of Civil Procedure for failing to state
a viable cause of action. The Court pointed out that Plaintiff’s
breach of contract allegations stated a claim for at least nominal
damages under Missouri law, but the Court lacked subject matter
jurisdiction to entertain the matter.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
