e-finance&payments law&policy FEATURED ARTICLE 0 7 /07 cecile park publishing Head Office UK Cecile Park Publishing Limited, 17 The Timber Yard, Drysdale Street, London N1 6ND tel +44 (0)20 7012 1380 fax +44 (0)20 7729 6093 info@e-comlaw.com www.e-comlaw.com
IDENTITY THEFT Limiting class action liability for businesses As concern surrounding identity theft As public concern about ‘identity smashed their way into a locked theft’ continues to increase, and alarmed facility belonging to in the United States continues, institutions such as lenders, banks Litton and tore out computer hard financial organisations are threatened and credit card companies find drives - among other more by lawsuits over failures to ensure themselves facing a growing expensive equipment - containing sufficient levels of corporate security, number of lawsuits arising out of some consumer personal information. 3 The computer hard alleged breaches of corporate particularly in the form of class-action security. Because claims involving drives contained several layers of lawsuits where customers are identity theft may involve an electronic security, including affected on a nationwide basis. R. institution’s customers throughout extensive password protection. Bruce Allensworth, Andrew C. Glass, the country, the potential for class After the break-in, Litton Ryan M. Tosi and David D. action lawsuits on a nationwide provided written notice to each level is growing as well. Yet a person whose information was Christensen of K&L Gates’ Boston number of US federal courts have contained on the hard drives and office report on a recent US district taken a pragmatic approach to recommended that those persons court case where they successfully assessing the validity of identity- place a fraud alert on their credit represented the defendants and theft claims. Most recently, in files. Kahle chose not to do so, but which may limit class action liability Kahle v Litton Loan Servicing LP, 1 instead brought suit on behalf of a the United States District Court for putative nationwide class under a for organisations that electronically theory of negligence. 4 Specifically, the Southern District of Ohio store consumer personal information. decided a case that may limit class Kahle claimed that the members of action liability for institutions that the class would incur emotional electronically store consumer distress, costs of credit monitoring personal information. and loss of identity as a result of In that case, plaintiff Patricia the theft of the hard drives. 5 Kahle (‘Kahle’) sued defendant During discovery, Kahle Litton Loan Servicing LP (‘Litton’) acknowledged that since the theft following the theft from a Litton of the hard drives, no facility of password-protected hard unauthorized use of her personal drives containing some consumer information had ever occurred, personal information. Kahle nor did she have any knowledge as attempted to articulate theories of to whether any of her personal identity theft and identity exposure information from the hard drives on behalf of a putative class of had even been accessed in an unauthorized manner. 6 The only customers located throughout the United States. The court, however, harm that Kahle claimed to have dismissed the lawsuit in its entirety, suffered was the cost incurred in ruling that such claims cannot purchasing credit-monitoring withstand summary disposition services. 7 where the only injury arguably suffered is the mere fear of future The Court rejects Kahle’s identity theft. Kahle bolsters a theory of injury growing line of US federal court On its motion for summary identity-theft and identity- judgment, Litton successfully exposure cases holding that the argued that Kahle’s claim must fail increased risk of future injury from ‘as a matter of law because Plaintiff identity exposure is insufficient to cannot establish injury or causation.’ 8 The court found that support an actionable injury or to establish damages. 2 any injury Kahle may have suffered was ‘purely speculative’ because she Kahle’s Class Action claims admitted no knowledge of any Kahle’s claims arose from an unauthorized use or access of her August 2005 theft in which a personal information, and there person or persons unknown was no evidence that the 05 e-finance & payments law & policy july 2007
IDENTITY THEFT information contained on the hard identity fraud this Court can not identity-theft class action lawsuit. drives was even the target of the find the cost of obtaining credit For each claim, the named plaintiff theft. 9 monitoring to amount to damages must establish that the defendant’s In particular, the court rejected in a negligence claim.’ 15 alleged actions were the proximate Kahle’s assertion that time and The Kahle decision is significant cause of any complained-of injury. 24 Thus, even if Kahle had money spent monitoring credit in the defense of class action establishes a cognizable injury. 10 lawsuits because if the named established that the unauthorized Rather, the court held that Kahle’s plaintiff cannot introduce some use of her personal information argument overlooks the fact that evidence of actual, versus merely had occurred following the theft such expenditure of time and speculative, injury as the result of (which she did not do), her claims money was not the result of any the alleged data theft, judgment would have failed because she present injury, but rather the must be entered against that could not have established that named plaintiff. 16 It is not enough anticipation of future injury. 11 Litton’s alleged actions were the Because such expenditures are the for the named plaintiff to allege proximate cause of the result of a perceived risk of future that an injury has been ‘suffered by unauthorized use of information. harm and not any present or other, unidentified members of the Kahle’s inability to demonstrate reasonably-certain future injury, class’ that the named plaintiff proximate cause further prevented purports to represent. 17 ‘If a named they do not constitute her from adequately representing compensable injury as a matter of member purporting to represent a the putative class and from being a law. 12 class does not have standing, she typical class member, as required The court was not persuaded by may not seek relief on behalf of by Rule 23 of the Federal Rules of Kahle’s attempt to analogize herself or any other member of the Civil Procedure. identity-exposure cases to toxic- class.’ 18 Like many consumers, Kahle substance-exposure cases. Kahle US federal case law holds that disclosed her personal information argued that the court must require standing is an essential element in to third parties on a regular basis. Litton to pay for credit-monitoring determining class certification. 19 In particular, Kahle’s driver’s costs in the same way that some Further, class actions in US federal license, which she used as a form of defendants in toxic-substance- courts are governed by Rule 23 of identification, contained her name, exposure cases are required to pay the Federal Rules of Civil address, US social security number for medical-monitoring costs. 13 Procedure. Rule 23 mandates, and birth date. Any persons to The court found, however, that: among other things, that a named whom Kahle gave her driver’s Although a victim of identity plaintiff satisfy ‘typicality’ and license as a form of identification ‘adequacy’ requirements. 20 The theft and/or fraud - like the victims would have had ample opportunity in other negligence actions where named plaintiff’s claims must be to record her personal information present actual injury is required - typical of those of the class, and and could have used that may experience non-monetary the named plaintiff must information at any time in the harm, the primary injury does not adequately protect the interests of future. Those opportunities the unnamed class members. 21 To present a serious health risk. Thus, constituted potential intervening despite findings that identity theft satisfy these requirements, the causes sufficient to break the chain results in more than purely named plaintiff must show that her of causation between the theft of pecuniary damages, including injury arises from or is directly the hard drives and any psychological or emotional related to the alleged wrong to the unauthorized use of Kahle’s putative class. 22 It would follow that distress, inconvenience and harm personal information that might to his credit rating or reputation, as because Kahle had not suffered a occur in the future. 25 cognizable injury, 23 she could not a matter of law, identity theft and credit monitoring must still be adequately represent the putative Conclusion: business differentiated from toxic torts and class, nor was she a typical member implications medical monitoring. 14 of a sustainable class. The Kahle decision may have Thus, the court declined to significant implications for extend the criteria used in medical- Kahle could not prove financial institutions and other monitoring cases to identity- proximate causation businesses that electronically store exposures cases.‘[W]ithout direct Proximate causation presents consumer personal information. evidence that the information was another significant barrier for a The decision suggests that even accessed or specific evidence of named plaintiff in litigating an amid the growing concern over 06 e-finance & payments law & policy july 2007
Recommend
More recommend
