No harm, no foul, says judge in Express Script data breach case

Computerworld - A federal court in Missouri has thrown out a consumer class-action lawsuit that was brought against pharmacy benefits company Express Scripts over a 2008 data breach in which millions of customer records were believed to have been illegally accessed.

In dismissing the lawsuit, Magistrate Judge Frederick Buckles reiterated a position that has been taken by other judges in similar cases: Without any actual harm done, there can be no damages sought.

In a 22-page ruling last week, Buckles said that the plaintiff in the case, John Amburgy, failed to show how the data breach caused him any direct injury or even put him in imminent danger of any injury.

"Abstract injury is not enough to demonstrate injury-in fact," Buckles wrote. "The injury or threat of injury must be concrete and particularized, actual and imminent; not conjectural or hypothetical."

The $22 billion Express Scripts in October 2008 disclosed that extortionists were threatening to publicly release millions of patient records that they had accessed from the company's databases unless the company paid an undisclosed amount of money. St. Louis-based Express Scripts said it had received a letter with the names, birth dates, Social Security numbers and some prescription information for 75 patients, with the threat that more would be released if it did not pay up.

As of November, Express Scripts said it had notified about 700,000 individuals that their information may have been compromised in the incident.

In his lawsuit, Amburgy accused Express Scripts of negligence in its duty to protect customer records. He accused the company of breach of contract, breach of implied contract and violations of data breach notification laws in various states.

Amburgy claimed that as a result of Express Scripts' failure to maintain adequate security measures, he and others affected by the breach were at increased risk of identity theft fraud and extortion. He claimed that he and others similarly affected had to spend time and money monitoring their credit accounts and reports, prescription records and other financial accounts.

But like other judges in similar cases, Buckles brushed aside those contentions and said Amburgy failed to show that he was directly affected by the breach and that his claims relied on too many "ifs."

"Plaintiff alleges that he would be injured 'if' his personal information was compromised, and 'if' such information was obtained by an unauthorized third party, and 'if' his identity was stolen as a result, and 'if' the use of his stolen identity caused him harm." These multiple "ifs" put his claims in the realm of the hypothetical, the judge noted.

Though other cases have ended the same way, some courts have begun to show a willingness to at least hear the sort of claims raised by Amburgy. In October, for instance, a U.S. District Court judge in Maine asked the state's highest court to weigh in on the question of whether the time and effort spent in mitigating the fallout from a data breach constituted a cognizable injury under Maine law.

The question stemmed from a motion filed by plaintiffs in a data breach lawsuit involving supermarket chain Hannaford Bros. The judge had previously thrown out all other claims in the case.

In September, a federal court in Illinois allowed a couple's whose bank account had been depleted by cyber thieves to go ahead with their lawsuit against Citizens Financial Bank. The judge in the case noted the couple had shown there was a reasonable basis for arguing that the bank had failed in its duty to protect the couple's money.

Read more about Privacy in Computerworld's Privacy Topic Center.