Judge Legrome D. Davis of the United States District Court for the Eastern District of Pennsylvania issued an amended order on March 9th (amended from March 8th) dismissing a recent case seeking speculative damages arising from a data breach of Aetna’s job application web site. A copy of the opinion can be viewed here.
In Allison v. Aetna (09-2560), the plaintiffs sought, among other relief, damages for identity theft that may occur in the future. Mr. Allison’s identity had not been stolen at the time the complaint was filed (and presumably not since then).
The facts are set forth in more detail in the attached opinion, but essentially hackers gained access to some 450,000 (!!!) job applicants’ personal information contained in Aetna’s job application web site database. Also taken were the Social Security numbers of Aetna employees (reports say 65,000 employees were affected). The applicants then received emails, purporting to be from Aetna, requesting additional personal information. It is unclear what additional information applicants actually sent, but it is a pretty safe assumption that at least some of them were tricked into supplying it.
Judge Davis walks through a detailed analysis of “increased risk of harm” claims, and concludes that there is no legally cognizable injury based on such claims. A detailed analysis of recent decisions related to “increased risk of harm” claims arising in connection with data breaches is included in the opinion.
There was no proof that Mr. Allison’s personal information was ever accessed, and the only information known for certain to be stolen was email addresses. Mr. Allison never received the phishing email, and an implication arises that no other information was taken if the phishers were asking for the same information. (I think the opposite inference is possible, that only those applicants for whom more detailed information was not taken were "phished.") Judge Davis notes that “[a]t best, Plaintiff has alleged a mere possibility of an increased risk of identity theft, which is insufficient for purposes of standing, and he certainly has not asserted a credible threat of identity theft.”
This decision joins a growing line of cases where plaintiffs are not being allowed to collect damages where there has been no actual proof of harm.
A copy of the opinion can be found here.