No harm, no foul, says judge in Express Script data breach case
Plaintiffs failed to show how breach affected them directly, judge rules
Computerworld - A federal court in Missouri has thrown out a consumer class-action lawsuit that was brought against pharmacy benefits company Express Scripts over a 2008 data breach in which millions of customer records were believed to have been illegally accessed.
In dismissing the lawsuit, Magistrate Judge Frederick Buckles reiterated a position that has been taken by other judges in similar cases: Without any actual harm done, there can be no damages sought.
In a 22-page ruling last week, Buckles said that the plaintiff in the case, John Amburgy, failed to show how the data breach caused him any direct injury or even put him in imminent danger of any injury.
"Abstract injury is not enough to demonstrate injury-in fact," Buckles wrote. "The injury or threat of injury must be concrete and particularized, actual and imminent; not conjectural or hypothetical."
The $22 billion Express Scripts in October 2008 disclosed that extortionists were threatening to publicly release millions of patient records that they had accessed from the company's databases unless the company paid an undisclosed amount of money. St. Louis-based Express Scripts said it had received a letter with the names, birth dates, Social Security numbers and some prescription information for 75 patients, with the threat that more would be released if it did not pay up.
As of November, Express Scripts said it had notified about 700,000 individuals that their information may have been compromised in the incident.
In his lawsuit, Amburgy accused Express Scripts of negligence in its duty to protect customer records. He accused the company of breach of contract, breach of implied contract and violations of data breach notification laws in various states.
Amburgy claimed that as a result of Express Scripts' failure to maintain adequate security measures, he and others affected by the breach were at increased risk of identity theft fraud and extortion. He claimed that he and others similarly affected had to spend time and money monitoring their credit accounts and reports, prescription records and other financial accounts.
But like other judges in similar cases, Buckles brushed aside those contentions and said Amburgy failed to show that he was directly affected by the breach and that his claims relied on too many "ifs."
"Plaintiff alleges that he would be injured 'if' his personal information was compromised, and 'if' such information was obtained by an unauthorized third party, and 'if' his identity was stolen as a result, and 'if' the use of his stolen identity caused him harm." These multiple "ifs" put his claims in the realm of the hypothetical, the judge noted.
Though other cases have ended the same way, some courts have begun to show a willingness to at least hear the sort of claims raised by Amburgy. In October, for instance, a U.S. District Court judge in Maine asked the state's highest court to weigh in on the question of whether the time and effort spent in mitigating the fallout from a data breach constituted a cognizable injury under Maine law.
The question stemmed from a motion filed by plaintiffs in a data breach lawsuit involving supermarket chain Hannaford Bros. The judge had previously thrown out all other claims in the case.
In September, a federal court in Illinois allowed a couple's whose bank account had been depleted by cyber thieves to go ahead with their lawsuit against Citizens Financial Bank. The judge in the case noted the couple had shown there was a reasonable basis for arguing that the bank had failed in its duty to protect the couple's money.
Read more about Privacy in Computerworld's Privacy Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Mobile Applications Case Study: 8 Billion Transactions a Day The story documents how the online brokerage company tradeMONSTER created a custom mobile app and the success gleaned from this initiative. Also covered...
- Who's afraid of the big (data) bad wolf? Survive the big data storm by getting ahead of integration and governance functional requirements This paper provides a detailed review of the best practices clients should consider before embarking on their big data integration projects.
- Understanding big data so you can act with confidence Automating information integration and governance and employing it at the point of data creation helps organizations boost confidence in their big data.
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- Mobile Apps and Devices Slash Customer Cycle Time Consolidated Engineering Laboratories' field employees used to collect data on triplicate forms that were sometimes hard to read and difficult to manage. After... All Privacy White Papers | Webcasts