e-finance&payments law&policy FEATURED ARTICLE 0 7 /07 - - PDF document

e finance payments law policy
SMART_READER_LITE
LIVE PREVIEW

e-finance&payments law&policy FEATURED ARTICLE 0 7 /07 - - PDF document

Aug 31, 2023 226 likes •291 views

e-finance&payments law&policy FEATURED ARTICLE 0 7 /07 cecile park publishing Head Office UK Cecile Park Publishing Limited, 17 The Timber Yard, Drysdale Street, London N1 6ND tel +44 (0)20 7012 1380 fax +44 (0)20 7729 6093

slide-1
SLIDE 1

Head Office UK Cecile Park Publishing Limited, 17 The Timber Yard, Drysdale Street, London N1 6ND tel +44 (0)20 7012 1380 fax +44 (0)20 7729 6093 info@e-comlaw.com www.e-comlaw.com

cecile park publishing

FEATURED ARTICLE 07/07

law&policy e-finance&payments

slide-2
SLIDE 2

e-finance & payments law & policy july 2007

05 IDENTITY THEFT

Limiting class action liability for businesses

As public concern about ‘identity theft’ continues to increase, institutions such as lenders, banks and credit card companies find themselves facing a growing number of lawsuits arising out of alleged breaches of corporate

  • security. Because claims involving

identity theft may involve an institution’s customers throughout the country, the potential for class action lawsuits on a nationwide level is growing as well. Yet a number of US federal courts have taken a pragmatic approach to assessing the validity of identity- theft claims. Most recently, in Kahle v Litton Loan Servicing LP,1 the United States District Court for the Southern District of Ohio decided a case that may limit class action liability for institutions that electronically store consumer personal information. In that case, plaintiff Patricia Kahle (‘Kahle’) sued defendant Litton Loan Servicing LP (‘Litton’) following the theft from a Litton facility of password-protected hard drives containing some consumer personal information. Kahle attempted to articulate theories of identity theft and identity exposure

  • n behalf of a putative class of

customers located throughout the United States. The court, however, dismissed the lawsuit in its entirety, ruling that such claims cannot withstand summary disposition where the only injury arguably suffered is the mere fear of future identity theft. Kahle bolsters a growing line of US federal court identity-theft and identity- exposure cases holding that the increased risk of future injury from identity exposure is insufficient to support an actionable injury or to establish damages.2 Kahle’s Class Action claims Kahle’s claims arose from an August 2005 theft in which a person or persons unknown smashed their way into a locked and alarmed facility belonging to Litton and tore out computer hard drives - among other more expensive equipment - containing some consumer personal information.3 The computer hard drives contained several layers of electronic security, including extensive password protection. After the break-in, Litton provided written notice to each person whose information was contained on the hard drives and recommended that those persons place a fraud alert on their credit

  • files. Kahle chose not to do so, but

instead brought suit on behalf of a putative nationwide class under a theory of negligence.4 Specifically, Kahle claimed that the members of the class would incur emotional distress, costs of credit monitoring and loss of identity as a result of the theft of the hard drives.5 During discovery, Kahle acknowledged that since the theft

  • f the hard drives, no

unauthorized use of her personal information had ever occurred, nor did she have any knowledge as to whether any of her personal information from the hard drives had even been accessed in an unauthorized manner.6 The only harm that Kahle claimed to have suffered was the cost incurred in purchasing credit-monitoring services.7 The Court rejects Kahle’s theory of injury On its motion for summary judgment, Litton successfully argued that Kahle’s claim must fail ‘as a matter of law because Plaintiff cannot establish injury or causation.’8 The court found that any injury Kahle may have suffered was ‘purely speculative’ because she admitted no knowledge of any unauthorized use or access of her personal information, and there was no evidence that the

As concern surrounding identity theft in the United States continues, financial organisations are threatened by lawsuits over failures to ensure sufficient levels of corporate security, particularly in the form of class-action lawsuits where customers are affected on a nationwide basis. R. Bruce Allensworth, Andrew C. Glass, Ryan M. Tosi and David D. Christensen of K&L Gates’ Boston

  • ffice report on a recent US district

court case where they successfully represented the defendants and which may limit class action liability for organisations that electronically store consumer personal information.

slide-3
SLIDE 3

e-finance & payments law & policy july 2007

identity fraud this Court can not find the cost of obtaining credit monitoring to amount to damages in a negligence claim.’15 The Kahle decision is significant in the defense of class action lawsuits because if the named plaintiff cannot introduce some evidence of actual, versus merely speculative, injury as the result of the alleged data theft, judgment must be entered against that named plaintiff.16 It is not enough for the named plaintiff to allege that an injury has been ‘suffered by

  • ther, unidentified members of the

class’ that the named plaintiff purports to represent.17 ‘If a named member purporting to represent a class does not have standing, she may not seek relief on behalf of herself or any other member of the class.’18 US federal case law holds that standing is an essential element in determining class certification.19 Further, class actions in US federal courts are governed by Rule 23 of the Federal Rules of Civil

  • Procedure. Rule 23 mandates,

among other things, that a named plaintiff satisfy ‘typicality’ and ‘adequacy’ requirements.20 The named plaintiff’s claims must be typical of those of the class, and the named plaintiff must adequately protect the interests of the unnamed class members.21 To satisfy these requirements, the named plaintiff must show that her injury arises from or is directly related to the alleged wrong to the putative class.22 It would follow that because Kahle had not suffered a cognizable injury,23 she could not adequately represent the putative class, nor was she a typical member

  • f a sustainable class.

Kahle could not prove proximate causation Proximate causation presents another significant barrier for a named plaintiff in litigating an identity-theft class action lawsuit. For each claim, the named plaintiff must establish that the defendant’s alleged actions were the proximate cause of any complained-of injury.24 Thus, even if Kahle had established that the unauthorized use of her personal information had occurred following the theft (which she did not do), her claims would have failed because she could not have established that Litton’s alleged actions were the proximate cause of the unauthorized use of information. Kahle’s inability to demonstrate proximate cause further prevented her from adequately representing the putative class and from being a typical class member, as required by Rule 23 of the Federal Rules of Civil Procedure. Like many consumers, Kahle disclosed her personal information to third parties on a regular basis. In particular, Kahle’s driver’s license, which she used as a form of identification, contained her name, address, US social security number and birth date. Any persons to whom Kahle gave her driver’s license as a form of identification would have had ample opportunity to record her personal information and could have used that information at any time in the

  • future. Those opportunities

constituted potential intervening causes sufficient to break the chain

  • f causation between the theft of

the hard drives and any unauthorized use of Kahle’s personal information that might

  • ccur in the future.25

Conclusion: business implications The Kahle decision may have significant implications for financial institutions and other businesses that electronically store consumer personal information. The decision suggests that even amid the growing concern over

IDENTITY THEFT 06

information contained on the hard drives was even the target of the theft.9 In particular, the court rejected Kahle’s assertion that time and money spent monitoring credit establishes a cognizable injury.10 Rather, the court held that Kahle’s argument overlooks the fact that such expenditure of time and money was not the result of any present injury, but rather the anticipation of future injury.11 Because such expenditures are the result of a perceived risk of future harm and not any present or reasonably-certain future injury, they do not constitute compensable injury as a matter of law.12 The court was not persuaded by Kahle’s attempt to analogize identity-exposure cases to toxic- substance-exposure cases. Kahle argued that the court must require Litton to pay for credit-monitoring costs in the same way that some defendants in toxic-substance- exposure cases are required to pay for medical-monitoring costs.13 The court found, however, that: Although a victim of identity theft and/or fraud - like the victims in other negligence actions where present actual injury is required - may experience non-monetary harm, the primary injury does not present a serious health risk. Thus, despite findings that identity theft results in more than purely pecuniary damages, including psychological or emotional distress, inconvenience and harm to his credit rating or reputation, as a matter of law, identity theft and credit monitoring must still be differentiated from toxic torts and medical monitoring.14 Thus, the court declined to extend the criteria used in medical- monitoring cases to identity- exposures cases.‘[W]ithout direct evidence that the information was accessed or specific evidence of

slide-4
SLIDE 4

e-finance & payments law & policy july 2007

Forbes v Wells Fargo Bank N.A., 420 F.

  • Supp. 2d 1018, 1021 (D. Minn. 2006);

and Guin v Brazos Higher Educ. Serv Corp., 2006 WL 288483, at *5-6 (D.

  • Minn. Feb. 7, 2006)); see also

Stollenwerk v Tri-West Healthcare Alliance, 2005 WL 2465906, at *5 (D.

  • Ariz. Sept. 6, 2005).
  • 3. Kahle, 486 F. Supp. 2d at 706-07.
  • 4. Id. at 707, 708.
  • 5. Id. at 709, n.3.
  • 6. Id. at 707.
  • 7. Id. at 709.
  • 8. Id.
  • 9. Id. at 712-13. Indeed, in another

identity-theft case brought in the Southern District of Ohio, the court dismissed the plaintiff’s claim on the basis that ‘potential injury [was] contingent upon [the plaintiff’s] information being obtained and then used by an unauthorized person for an unlawful purpose,’ which the court found

  • lacking. Key, 454 F. Supp. 2d at 690.
  • 10. Kahle, 486 F. Supp. 2d at 711 (citing

Giordano, 2006 WL 2177036, at *5 & n.5; Stollenwerk, 2005 WL 2465906, at *1; Guin, 2006 WL 288483, at *3; and Forbes, 420 F. Supp. 2d at 1020-21).

  • 11. Id. at *710; see also Forbes, 420 F.
  • Supp. 2d at 1021.
  • 12. Kahle, 486 F. Supp. 2d at 711;

Forbes, 420 F. Supp. 2d at 1021; see also Key, 454 F. Supp. 2d at 690.

  • 13. Kahle, 486 F. Supp. 2d at 712.
  • 14. Id. (emphasis in original) (citing

Stollenwerk, 2005 WL 2465906, at *4).

  • 15. Id. at 713.
  • 16. Id. at 709 (citing Simon v Eastern Ky.

Welfare Rights Org., 426 U.S. 26, 40 n.20 (1976)); see also Key, 454 F. Supp. 2d at 687.

  • 17. Kahle, 486 F. Supp. 2d at 709.
  • 18. Key, 454 F. Supp. 2d at 687; see

also Kahle, 486 F. Supp. 2d at 709.

  • 19. See Warth v Seldin, 422 U.S. 490,

502 (1975) (class representative plaintiffs ‘must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent’); Simon, 426 U.S. at 40, n.20 (‘[t]hat a suit may be a class action ... adds nothing to the question of standing’); see also Rivera v Wyeth- Ayerst Labs., 283 F.3d 315, 318 (5th Cir. 2002) (standing is an inherent prerequisite to the class certification inquiry); Ford v NYLCare Health Plans of Gulf Coast, Inc., 301 F.3d 329, 332-33 (5th Cir. 2002) (same).

  • 20. Fed. R. Civ. P

. 23(a).

  • 21. Fed. R. Civ. P

. 23(a)(3) & (4).

  • 22. See Bacon v Honda of Am. Mfg.,

370 F.3d 565, 572 (6th Cir. 2004); Lichoff v CSX Transp., Inc., 218 F.R.D. 564, 575 (N.D. Ohio 2003) (‘it is obvious that the named plaintiff cannot adequately represent a proposed class that does not share common issues and for which their claims are not typical’).

  • 23. Kahle, 486 F. Supp. 2d at 713.
  • 24. Id. at 708.
  • 25. See Tolton v Am. Biodyne, Inc., 48

F.3d 937, 944 (6th Cir. 1995) (a plaintiff’s

  • wn actions can constitute an

intervening cause sufficient to break the chain of causation).

information privacy, US federal courts will likely continue to hold named plaintiffs in identity-theft class actions to the traditional standards for proving injury and

  • causation. Before such plaintiffs

can represent a class, they must point to some evidence of actual injury to themselves and to proximate causation. Thus, the Kahle decision helps undermine the incentive for bringing identity- theft class action lawsuits against institutions that provide adequate electronic protection for consumer personal information, and regularly assess the adequacy of such safeguards. Institutions should also regularly assess their safeguards for the transmittal or disposal of consumer personal

  • information. Furthermore,

institutions should regularly assess the rapidly evolving landscape of US federal and state statutory regimes governing the protection

  • f consumer personal information.

As the Kahle court recognized, a growing consensus has arisen among US federal courts that an alleged increase in the risk of future injury is simply not an ‘actual or imminent’ injury sufficient to sustain a class action,

  • r to withstand a defendant’s

motion for summary judgment. Where a plaintiff’s claims are based

  • n nothing more than a

speculation that he or she will be a victim of wrongdoing at some unidentified point in the indefinite future, the plaintiff does not have a viable cause of action and cannot maintain a class action.

  • R. Bruce Allensworth Partner

Andrew C. Glass Partner Ryan M. Tosi Associate David D. Christensen Associate K&L Gates Boston, Massachusetts,

  • 1. Civil Action No. 1:05cv756, 486 F.
  • Supp. 2d 705, 706-07 (S.D. Ohio 2007).
  • 2. Id. at 710 (citing Key v DSW, Inc., 454
  • F. Supp. 2d 684, 690 (S.D. Ohio 2006);

Giordano v Wachovia Sec., 2006 WL 2177036, at *1 (D.N.J. July 31, 2006);

The court rejected Kahle’s assertion that time and money spent monitoring credit establishes a cognizable injury

07 IDENTITY THEFT

slide-5
SLIDE 5

e-commerce law & policy

Many leading companies, including Amazon, BT, eBay, FSA, Orange, Vodafone, Standard Life, and Microsoft have subscribed to ECLP to aid them in solving the business and legal issues they face online. ECLP , was nominated in 2000 and again in 2004 for the British & Irish Association

  • f Law Librarian’s Legal Publication of the Year.

A twelve month subscription is £390 (overseas £410) for twelve issues and includes single user access to our online database.

e-commerce law reports

You can now find in one place all the key cases, with analysis and comment, that affect online, mobile and interactive business. ECLR tracks cases and regulatory adjudications from around the world. Leading organisations, including Clifford Chance, Herbert Smith, Baker & McKenzie, Hammonds, Coudert Brothers, Orange and Royal Mail are subscribers. A twelve month subscription is £380 (overseas £400) for six issues and includes single user access to our online database.

data protection law & policy

You can now find in one place the most practical analysis, and advice, on how to address the many problems - and some opportunities - thrown up by data protection and freedom of information legislation. DPLP’s monthly reports update an online archive, which is an invaluable research tool for all those who are involved in data protection. Data acquisition, SMS marketing, subject access, Freedom of Information, data retention, use of CCTV , data sharing and data transfer abroad are all subjects that have featured recently. Leading organisations, including the Office of the Information Commissioner, Allen & Overy, Hammonds, Lovells, BT, Orange, West Berkshire Council, McCann Fitzgerald, Devon County Council and Experian are subscribers. A twelve month subscription is £355 (public sector £255, overseas £375) for twelve issues and includes single user access to our online database.

world online gambling law report

You can now find in one place analysis of the key legal, financial and regulatory issues facing all those involved in online gambling and practical advice on how to address them. The monthly reports update an online archive, which is an invaluable research tool for all those involved in online gambling. Poker, payment systems, white labelling, jurisdiction, betting exchanges, regulation, testing, interactive TV and mobile gaming are all subjects that have featured in WOGLR recently. Leading organisations, including Ladbrokes, William Hill, Coral, Sportingbet, BskyB, DCMS, PMU, Orange and Clifford Chance are subscribers. A twelve month subscription is £485 (overseas £505) for twelve issues and includes single user access to our online database.

world sports law report

WSLR tracks the latest developments from insolvency rules in football, to EU Competition policy on the sale of media rights, to doping and probity. The monthly reports update an online archive, which is an invaluable research tool for all involved in sport. Database rights, sponsorship, guerilla marketing, the Court of Arbitration in Sport, sports agents, image rights, jurisdiction,domain names,ticketing and privacy are subjects that have featured in WSLR recently. Leading organisations, including the England & Wales Cricket Board, the British Horse Board, Hammonds, Fladgate Fielder, Clarke Willmott and Skadden Arps Meagre & Flom are subscribers. A twelve month subscription is £485 (overseas £505) for twelve issues and includes single user access to our online database.

Periodically we may allow companies, whose products or services might be of interest, to send you information. Please tick here if you would like to hear from other companies about products or services that may add value to your subscription. ■

priority order form

1 3 2

Name Job Title Department Company Address Address City State Country Postcode Telephone Fax Email Please invoice me Purchase order number Signature Date I enclose a cheque for the amount of made payable to ‘Cecile Park Publishing Limited’ Please debit my credit card VISA ■ MASTERCARD ■ Card No. Expiry Date Signature Date VAT No. (if ordering from an EC country)

FAX +44 (0)20 7729 6093 CALL +44 (0)20 7012 1380 EMAIL dan.towse@e-comlaw.com ONLINE www.e-comlaw.com POST Cecile Park Publishing 17 The Timber Yard, Drysdale Street, London N1 6ND

■ Please enrol me as a subscriber to e-commerce law & policy at £390 (overseas £410) ■ Please enrol me as a subscriber to e-commerce law reports at £380 (overseas £400) ■ Please enrol me as a subscriber to data protection law & policy at £355 (public sector £255, overseas £375) ■ Please enrol me as a subscriber to world online gambling law report at £485 (overseas £505) ■ Please enrol me as a subscriber to world sports law report at £485 (overseas £505) All subscriptions last for one year. You will be contacted at the end of that period to renew your subscription.

cecile park publishing

Head Office UK Cecile Park Publishing Limited, 17 The Timber Yard, Drysdale Street, London N1 6ND tel +44 (0)20 7012 1380 fax +44 (0)20 7729 6093 info@e-comlaw.com www.e-comlaw.com

Registered number 2676976 Registered address 141 Wardour Street, London W1F 0UT VAT registration 577806103