On March 9, 2010, Judge Legrome D. Davis of the United States District Court for the Eastern District of Pennsylvania dismissed a lawsuit brought by a plaintiff seeking to bring a class action against insurance company Aetna following an alleged security breach of the company's job application website. Joining a growing trend of courts presiding over security breach cases, the court in Allison v. Aetna (Case 2:09-cv-02560-LDD) dismissed the plaintiff's claims for negligence, breach of contract, negligent misrepresentation and invasion of privacy, finding that allegations of a mere risk of identity theft were insufficient to confer standing under the "cases and controversies" requirement of Article III, § 2 of the U.S. Constitution.
The Aetna Security Breach
Aetna learned of a breach to its website for prospective employees in May 2009 when job applicants began reporting the receipt of suspicious emails that purported to be from Aetna and "phished" for additional personal information from the applicants. The breached website hosted certain personal information of a variety of individuals, including job applicants and present and former Aetna employees. Specifically, the site contained the email addresses of approximately 450,000 job applicants, social security numbers of current and former employees, and social security numbers, contact information and employment histories of prospective employees to whom Aetna had extended offers of employment.
Following discovery of the breach, Aetna issued a public announcement and transmitted notification letters to the 65,000 individuals whose social security numbers were potentially exposed by the breach. The notification letter explained the unauthorized access to the job application website and that it was possible that other personal information may have been exposed. Aetna offered credit monitoring assistance and identity theft insurance to individuals whose information may have been exposed in the breach.
The lead plaintiff of the class action was a prospective Aetna employee who had applied for a customer service position using its job application website. The plaintiff's complaint asserted various potential harms arising from security breaches and identity theft, but alleged only one act of actual misuse of the breached information—the phishing emails that some individuals (not including the plaintiff) received.
Jurisdictional Challenge
Aetna moved to dismiss the complaint for lack of standing, specifically, on the ground that the plaintiff failed to allege an injury-in-fact. In considering the motion, Judge Davis referenced well-established principles that an actionable injury-in-fact must be concrete and particularized, as well as actual or imminent. The court acknowledged that it is possible for an increased risk of harm to serve as the basis for an injury-in-fact, but that the basic standing requirements must still be satisfied in such cases. Where an increased risk of harm is the asserted basis of injury, those requirements can be satisfied when a plaintiff alleges a "credible threat" of harm.
The court recognized a split of authority on this issue, but noted decisions by two other district courts in the Third Circuit that considered similar assertions of harm by plaintiffs affected by a security breach and ultimately concluded that such individuals lacked standing. Likewise, in this case, the court determined that the plaintiff failed to allege a sufficient injury-in-fact to satisfy the Article III standing requirements. Specifically, the court found that the asserted injury of increased risk of identity theft was far too speculative, especially because, in the plaintiff's case, the allegation that his personal information had even been accessed was itself conjectural. Even assuming that the hackers had obtained the plaintiff's email address, the court determined that it was highly speculative that they had obtained other information sufficient to permit them to commit identity theft. On this point, the court indicated that the plaintiff's own allegation regarding the phishing email suggested that the hackers did not have sufficient information to commit identity theft; if the perpetrators of the breach had access to information sufficient to commit identity theft, the court reasoned, the transmission of the phishing email would have been unnecessary.
The plaintiff's allegations concerning the remedial measures that he and other potential class members had undertaken—such as time expended reviewing financial statements and signing up for credit monitoring/fraud alerts—failed to persuade the court. The plaintiff also asserted out-of-pocket expenses for additional identity theft protection services, and damages arising from anxiety, emotional distress and loss of privacy. None of these allegations remedied the fundamental deficiency in the plaintiff's case—that, "at best, he alleged a mere possibility of an increased risk of identity theft, which is insufficient for purposes of standing, and he certainly has not asserted a credible threat of identity theft."
An Apparent Trend
As Judge Davis recognized, Allison v. Aetna is part of a "burgeoning area of law." Indeed, the court's holding is consistent with a long line of cases in which plaintiffs have struggled to surmount the necessary hurdle of proving injury or recoverable damages in the absence of actual identity theft. Across multiple jurisdictions, courts have dismissed security breach cases when no identity theft can be shown. Some courts, like the Allison court, reason that without a tangible injury, e.g., identity theft, the plaintiffs lack constitutional standing. Other courts have concluded that security breach plaintiffs meet the constitutional standing threshold, but ultimately dismissed such cases on the grounds that the plaintiffs cannot prove a cognizable injury simply from the unauthorized release of personal information, without more. Taken together, this authority illustrates the potential difficulties that security breach plaintiffs face, particularly those who cannot demonstrate an actual occurrence or credible risk of identity theft.
