ARTICLE
2 November 2005

Federal Court Dismisses Identity Theft Class Action Suit Following Theft Of Computers From Government Contractor

The decision discussed provides insight into the potential treatment of future “data breach” cases where it is unclear whether the data in question has in fact been accessed by those who have unlawfully obtained the device on which the data is stored.
United States Media, Telecoms, IT, Entertainment

Article by Alan Charles Raul*, Edward R. McNicholas, Julie M. Dwyer

In a victory for a company facing potential identity theft liability, a federal district court has dismissed a class action that alleged harm stemming from the presence of personal information of members of the class on stolen computer hard drives. The class action plaintiffs had claimed that they were injured by the negligent failure of TriWest Healthcare Alliance to protect their personal data. Though unpublished, the decision in Stollenwerk v. TriWest Healthcare Alliance, No. CIV 03-0185-PHX-SRB (D. Ariz. Sept. 6, 2005) (unpublished disposition), provides insight into the potential treatment of future "data breach" cases in which it is unclear whether the data in question has in fact been accessed by those who have unlawfully obtained the device on which the data is stored. This ruling is consistent with numerous cases, including this firm’s victory in Conboy v. AT&T Corp., 241 F.3d 242 (2d Cir. 2001), in holding that emotional distress, mental anguish, and other similar damages cannot be presumed from the mere disclosure of personally identifiable information, absent some concrete evidence of demonstrable harm.

Facts of Stollenwerk

TriWest is a government contractor that manages a portion of the Department of Defense’s health insurance program. In administering the program, TriWest stored the personal information of the program’s beneficiaries on computers at a facility in Arizona. In 2002, a burglary at TriWest’s facility resulted in the theft of computer hard drives containing the beneficiaries’ personal information, in addition to other items. Following the burglary, the personal information of William Brandt, who later became a named plaintiff in the suit against TriWest, was used in attempts to establish unauthorized credit accounts in Brandt’s name. Two other individuals, Michael Stollenwerk and Andrea DeGatica, who later also became named plaintiffs in the suit, purchased credit monitoring services and identity theft insurance after the theft of their data. The class action plaintiffs first filed suit against TriWest in 2003, alleging violations of the federal Privacy Act, 5 U.S.C. § 552a, and asserting various other claims under state tort and contract law, including a claim that TriWest had acted negligently. In a 2004 disposition, the court dismissed all claims except the plaintiffs’ negligence claim. In the most recent Stollenwerk decision, the court analyzed that remaining claim, and again found in favor of the defendant based on the absence of damage.

The court’s evaluation of defendant TriWest’s motion for summary judgment on the negligence claim centered on the question of whether there was sufficient evidence to conclude that the theft of the computers containing the insurance program beneficiaries’ personal information had actually resulted in injury to the plaintiffs. Plaintiffs Stollenwerk and DeGatica asserted that their purchase of credit monitoring services, by itself, constituted adequate injury for purposes of the negligence claim. In assessing this argument, the court considered and ultimately rejected an analogy between toxic torts and the consequent need for medical monitoring, on the one hand, and identity theft and the need for credit monitoring, on the other. According to the court, the paramount public health concern that arises in toxic tort cases justifies an exception to the general rule that a mere heightened risk of future injury is insufficient to sustain a negligence claim. By contrast, negligent actions that result in the theft of personal data, which does not pose a serious threat to human health, cannot justify a similar departure from that general rule. Thus, the credit monitoring costs incurred by the Stollenwerk plaintiffs could not provide a basis for recovery.

Moreover, even assuming that credit monitoring costs could amount to sufficient injury for negligence purposes, the court found that the plaintiffs had failed to present enough evidence to defeat the defendant’s summary judgment motion. Drawing upon standards set forth in toxic tort and medical monitoring cases, the court determined that plaintiffs in identity theft cases should be required to show a "(1) significant exposure of sensitive personal information; (2) a significantly increased risk of identity fraud as a result of that exposure; and (3) the necessity and effectiveness of credit monitoring in detecting, treating, and/or preventing identity fraud." Stollenwerk, No. CIV 03-0185-PHX-SRB, slip op. at 7. The court concluded that the Stollenwerk plaintiffs were unable to fulfill these criteria because they did not offer evidence that the personal data contained on the stolen hard drives was in fact accessed by the thieves. In the court’s view, the situation in Stollenwerk was distinct from that in so-called "pure data theft" cases, as nothing in the Stollenwerk record demonstrated that "the data, rather than the hardware on which the data was stored, formed the thieves’ target." Id. The court thus held that, absent proof that the plaintiffs’ personal data was either targeted or accessed, there was no reasonable basis for finding that the data was significantly exposed.

Finally, with respect to plaintiff Brandt, whose personal information was used in several attempts to open fraudulent credit accounts, the court determined that there was insufficient evidence to support the contention that the theft at TriWest’s facility was the cause of Brandt’s injuries. According to the court, the mere fact that the TriWest theft preceded these episodes of identity fraud did not permit more than mere speculation about the source from which the data were obtained. In reaching this conclusion, the court relied on the admission that Brandt had disclosed his personal information to entities other than TriWest.

The Stollenwerk case suggests that, despite the recent spate of high-profile identity theft incidents and the resulting public outcry, courts will likely continue to hold plaintiffs in identity theft cases to traditional standards for proving causation and harm before these individuals will be permitted to recover monetary damages for any alleged injuries. Stollenwerk thus helps to undermine the incentives for class action suits, but may increase pressure for enforcement actions by attorneys general. Given the rapidly evolving state of the law in this area, companies would be well-advised to adhere to appropriate security practices in storing, handling and disposing of personal data, in order to minimize reputational damage and avoid exposure to lawsuits.

*Mr. Raul and Mr. McNicholas are partners in Sidley’s Washington, D.C., office. Ms. Dwyer is a consultant to the firm.

This article has been prepared by Sidley Austin Brown & Wood LLP for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Readers should not act upon this without seeking professional counsel.
