Another court has weighed in on the issue of what constitutes a cognizable injury in a data breach case. In a lengthy opinion, the U.S. District Court for the Western District of Kentucky in Holmes v. Countrywide Financial Corp. dismissed a lawsuit against Countrywide by plaintiffs who claimed that their personal information had been compromised as a result of the criminal activity of a Countrywide employee. The court ruled that although Plaintiffs had standing, they did not suffer a cognizable injury, and they could not prove the elements of the causes of action pled in their complaint. The opinion is significant for at least two reasons: (1) it lends further support for the position that plaintiffs in data breach cases must show actual, measurable, direct harm to recover, and (2) the degree of analysis and the amount of authority cited by the court could make this a frequently cited opinion in the future.

Background

In 2008, the FBI discovered that a Countrywide employee had stolen sensitive personal and financial information from millions of Countrywide’s customers. The employee then sold that data to a third party, but there was little evidence that the information was actually misused. Countrywide notified the affected individuals and offered two years of free credit monitoring. The lawsuit was filed by two sets of plaintiffs – the first set (the Holmes) purchased credit monitoring services because someone had unsuccessfully sought credit under their names; the second set (the Stiers) spent money to cancel their telephone service as a result of increased solicitations and time spent researching the hazards of identity theft. Neither set suffered actual monetary damages from fraud or identity theft.

Standing

The court first addressed the issue of whether Plaintiffs had standing to sue Countrywide. The court noted that while several other courts have held that plaintiffs who have only suffered an increased risk of identity theft do not have standing, the Sixth Circuit’s opinion in Lambert v. Hartman, 517 F.3d 433 (6th Cir. 2008), compelled the court to conclude that an increased risk of identity theft and credit monitoring satisfied the requisite injury necessary for standing.

Injury

Just because Plaintiffs had standing, however, did not mean that they suffered recompensable injuries. The court concluded that Plaintiffs' injuries as alleged were not cognizable or recompensable.

First, the court rejected Plaintiffs' argument that the risk of future identity theft was a cognizable injury. It concluded that such damages were too speculative and might never materialize. The court stated that no lawsuit based on risk of future identity theft has ever proceeded past a motion to dismiss.

The court next considered whether Plaintiffs could recover for credit monitoring services. Plaintiffs attempted to analogize credit monitoring to medical monitoring in a personal injury case where a plaintiff is exposed to a substance that causes no harm at the time but creates an increased risk of future physical harm. The court rejected these damages, too. It first cited a number of cases where expenses for credit monitoring were not considered a cognizable injury. With respect to the medical monitoring analogy, the court cited Kentucky law requiring a plaintiff seeking damages for medical monitoring to have also suffered a present injury. The court rejected Plaintiffs' argument that the fact someone had attempted unsuccessfully to obtain credit using their personal information meant they were at risk for identity theft. The court also rejected Plaintiffs’ reliance on Anderson, which allowed the plaintiffs in a data breach case to recover for the mitigation expenses of card replacement and credit monitoring services because they had suffered “financial injuries that exhibited actual misuse and identity theft.” Here, Plaintiffs suffered no unauthorized charges and there were no attempts to take funds. In other words, according to the court, “the victims in Anderson were faced with a much graver threat to their personal information and resources.” Accordingly, credit monitoring expenses were not compensable injuries.

Next, the court considered whether telephone cancellation fees incurred to avoid the bombardment of telemarketers constituted a cognizable injury. The court rejected these damages, relying on cases where the courts held that no cognizable injury occurred where the only harm is an increase in junk mail and unwanted telephonic/electronic correspondences.

Finally, the court considered whether time spent by Plaintiffs monitoring their credit was a compensable injury. In rejecting those damages, the court relied on decisions in other jurisdictions that refused to recognize such damages as recompensable.

Causes of Action

After rejecting all of Plaintiffs' damages, the court nevertheless proceeded to address whether Plaintiffs' causes of action were applicable theories of recovery in a data breach case such as this one.

Plaintiffs sued Countrywide for unjust enrichment, arguing that Countrywide collected application and processing fees relating to applications for mortgages, as well as fees for credit monitoring services being offered by Countrywide and its subsidiary. The court dismissed this cause of action because an explicit contract existed between the parties, requiring Plaintiffs to make monthly mortgage payments and obligating Countrywide to protect Plaintiffs’ personal information.

Plaintiffs also sued Countrywide for common law fraud, contending that Countrywide made material misrepresentations about the storage of their personal information and the severity of the breach. The court dismissed this count because the only financial damages suffered “were self inflicted.”

Plaintiffs sued Countrywide for breach of contract, covenant of good faith, and covenant of fair dealing. They alleged that Countrywide agreed, but failed, to safeguard their personal information. The court dismissed these counts based on the fact that each cause of action required a cognizable injury as an element, which Plaintiffs had not pled.

Plaintiffs also included a count for “state security notification” (the data breach notification laws of New Jersey, where some of Plaintiffs resided). They claimed that Countrywide failed to abide by the data breach notification requirements set forth under New Jersey law. The court dismissed this cause of action on the ground that, under the court’s interpretation, the statute did not create a private right of action and Plaintiffs had not provided precedent proving otherwise.

Next, Plaintiffs' operative complaint included counts for violation of state consumer fraud laws (deceptive business practices). The court dismissed those counts on the ground that Plaintiffs had not shown that they suffered an ascertainable loss.

Plaintiffs also alleged that Countrywide violated the Fair Credit Reporting Act; namely, that Countrywide is a “consumer credit reporting agency” under the FCRA, that it failed to maintain reasonable procedures to “furnish” consumer reports, and that consumer reports were released in violation of the statute’s provisions. The court dismissed this cause of action on the ground that Countrywide did not “furnish” any consumer reports to a third party in violation of the statute. The court relied on Plaintiffs’ allegation that Countrywide’s employee (“a ne’er-do-well who independently stole Countrywide’s customer information and engaged in a scheme to sell it to his criminal associates”) transmitted Plaintiffs’ information to a third party without Countrywide’s permission.

Finally, Plaintiffs’ operative complaint included a claim for civil conspiracy. The court dismissed that count because Plaintiffs failed to establish an injury.

Conclusion

The Holmes opinion is another example of a court that is skeptical of a plaintiff’s ability to recover from a defendant who suffers a data breach that potentially exposes the plaintiff’s personal information to a third party. Courts like the one in Holmes are requiring actual, measurable monetary damages as a result of the data breach for a plaintiff to proceed with a lawsuit; a risk of harm is not enough. Even if a plaintiff can show that her personal information was misused, without evidence that the misuse resulted in fraudulent charges or other similar loss, the plaintiff would ostensibly have no cause of action under Holmes. The opinion is also of interest for the level of supportive authority it cites, demonstrating that data security law is quickly maturing and the issues arising in those cases are being addressed and written about all over the country.

 

DISCLAIMER: The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients. Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients. All of the data and information provided on this site is for informational purposes only. It is not legal advice nor should it be relied on as legal advice.