The Eleventh Circuit recently overturned a U.S. District Court decision regarding issues of standing, injury, and causation in the context of data breaches and resulting identity theft. Specifically, the Court reversed the lower court’s decision and found that a class of plaintiffs suing the health insurer AvMed for allowing its personal information to be stolen had shown both sufficient injury and causation to survive AvMed’s motion to dismiss the plaintiff’s numerous claims, which included negligence and breach of contract by AvMed.
The suit stems from a December 2009 incident in which two unencrypted laptops containing the personal information of approximately 1.2 million current and former subscribers to AvMed were stolen from an AvMed corporate office. The computers contained data such as protected health information, Social Security numbers, names, addresses and phone numbers, and was ultimately used by a third party to steal individuals’ identities. Two of the effected individuals filed a complaint in the Southern District of Florida on behalf of the class alleging that AvMed was, among other things, (1) negligent in protecting plaintiffs’ sensitive information, (2) per se negligent under Florida Law in protecting plaintiffs’ medical information, (3) in breach of both an explicit and implied contract with AvMed to protect plaintiffs’ information, and (4) in breach of fiduciary duties that AvMed owed the plaintiffs. AvMed filed a motion to dismiss for failure to state a claim and the District Court judge upheld AvMed’s motion, dismissing the class plaintiffs’ claims based on a lack of evidence of injury to the plaintiffs and causation between the security breach and the plaintiffs having their identities stolen. Without proof of injury or causation, two of the three elements that are required to establish standing, the class plaintiffs could not proceed with the case.
The class plaintiffs appealed the dismissal to the Eleventh Circuit. The Court first addressed whether a party claiming identity theft resulting from a data breach had suffered an injury in fact. In the end, the Court concluded that the monetary damages that the class plaintiffs alleged as a result of the identity theft constituted injury in fact. The Court then addressed whether AvMed’s actions caused the class plaintiff’s injury in fact, and concluded that such injury was traceable to the actions of AvMed who failed to properly secure the information, and that compensatory damages to the plaintiffs would make them whole. Having concluded that the plaintiffs had been injured and that injury was caused by AvMed, the plaintiffs had standing to bring the case.
After finding standing, the Court then turned to consider the claims that the plaintiffs brought against AvMed, eventually deciding that the plaintiffs had properly stated a claim for (1) negligence, (3) breach of contract, and (4) breach of fiduciary duties, but not for claim (2) per se negligence. The Court reasoned that if the plaintiffs properly showed a causal relationship between AvMed’s failure to secure the plaintiffs’ personal information and the alleged theft of plaintiffs’ identities, the plaintiffs should be able to survive AvMed’s motion to dismiss. To that end, the evidence showed that there was a link between the information compromised in the 2009 theft and the data used to steal the plaintiffs’ identities. Thus, the plaintiffs had proved causation for all counts. The Court only upheld the dismissal of Claim 2, addressing negligence per se, because it determined that AvMed was not subject to the Florida Negligence Per Se Statute.
All companies that collect personal information should be aware of this development. Currently, U.S. Federal Circuit Courts are split regarding standing for data breach cases. While the Seventh and Ninth Circuits have found that the mere threat of identity theft is sufficient to bring a case, the Third and First Circuits have found that plaintiffs completely lack standing in similar scenarios. The Eleventh Circuit, while unwilling to grant standing based on a mere threat of identity theft, will allow suits to proceed so long as the plaintiff can draw some logical connection between the release of the plaintiff’s information and an injury. This case is another step in the evolution of the law in this area, and makes it easier for plaintiffs whose personal information was disclosed in a data privacy breach to bring suit in federal court.