On January 5, 2010, Judge William Hibbler of the U.S. District Court for the Northern District of Illinois became the latest federal district judge to share his views about whether an increased risk of future harm based on the inadvertent exposure of personal information is a legally cognizable harm. In Rowe v. UniCare Life & Health Insurance Co., No. 1:09-cv-2286 (N.D. Ill. Jan. 5, 2010), Judge Hibbler denied the defendant’s motion to dismiss for failure to state a claim because, in his view, after drawing all reasonable inferences in the plaintiff’s favor, the plaintiff’s complaint satisfied the minimal pleading standard required to survive a motion to dismiss. Nevertheless, in his written opinion, Judge Hibbler hinted that the plaintiff’s claims for violations of the Fair Credit Reporting Act (“FCRA”) and the Illinois Insurance Information and Privacy Act, as well as his common law claims of invasion of privacy, negligence and breach of implied contract, may ultimately be dismissed if the plaintiff failed to show a basis for damages other than his alleged increased risk of future harm, such as identity theft.
In April 2008, UniCare informed some members of its health insurance plans that some of their personal information was temporarily accessible to the public on the Internet. In response to UniCare’s notice, the plaintiff sued alleging that UniCare’s inadvertent disclosure of his personal information harmed him in the following ways: created anxiety and emotional distress, increased his risk of identity theft, forced him to spend time and money monitoring his credit, compromised his possessory rights in his information and invaded his privacy. UniCare then filed a motion to dismiss the complaint which focused chiefly on the plaintiff’s failure to allege that any unauthorized person actually viewed the inadvertently exposed information.
At the outset of the opinion, noting that at the motion to dismiss stage disclosure to a third party could be inferred from the plaintiff’s complaint, the court ruled that UniCare’s inadvertent disclosure might constitute a “communication” of consumer report information and thus refused to dismiss the plaintiff’s FCRA claims. The court then examined the plaintiff’s remaining claims – all of which, according to UniCare, required a showing of damages to state a valid cause of action – in relation to the various harms plaintiff claimed to have suffered due to the disclosure of his information. In each instance, the court found that even though the evidence might ultimately not support the plaintiff’s theories of damage, drawing all inferences in the plaintiff’s favor as the court must on a motion to dismiss, his complaint satisfied the liberal pleading standard set forth in the Federal Rules of Civil Procedure.
But Judge Hibbler did make clear that the Illinois Supreme Court’s decision in Williams v. Manchester, 229 Ill. 2d 404 (2008), ruled out the possibility that “the exposure of personal information might be the present injury providing the basis for recovery of damages for increased risk of future harm.” Rather, as Judge Hibbler stated, “Rowe may collect damages based on the increased risk of future harm he incurred, but only if he can show that he suffered from some present injury beyond the mere exposure of his information to the public.” Moreover, while the court did not find the Seventh Circuit’s reasoning in Pisciotta v. Old National Bancorp (see our blog post here) entirely persuasive, the court held that “the costs of credit monitoring services are not a present harm in and of themselves.”
Though some might view this decision as a victory for plaintiffs and their lawyers, it also further illustrates the level of judicial skepticism toward “identity theft exposure” claims and makes it even more difficult for plaintiffs to argue that an increased risk of harm based on the exposure of personal information, without more, is a harm that the law should recognize.