On November 23, 2009, a federal court in Missouri bucked the recent trend in identity exposure lawsuits and refused to recognize Article III standing in a class action lawsuit that alleged simply an increased risk of identity theft resulting from a data breach. In Amburgy v. Express Scripts, Inc., Magistrate Judge Frederick R. Buckles of the U.S. District Court for the Eastern District of Missouri held that "plaintiff's asserted claim of 'increased-risk-of-harm' fails to meet the constitutional requirement that a plaintiff demonstrate harm that is 'actual or imminent, not conjectural or hypothetical.' Plaintiff has therefore failed to carry his burden of demonstrating that he has standing to bring this suit." Consequently, the Court dismissed the plaintiff's action – which included claims for negligence, breach of contract, violations of state data breach notification laws and violations of Missouri's Merchandising Practices Act ("MPA") – in its entirety for lack of subject matter jurisdiction pursuant to Rule 12(b)(1) of the Federal Rules of Civil Procedure. In doing so, the court breathed new life into the lack of standing argument that had begun to fall out of favor in identity exposure cases.
Prior to the Court's decision in Amburgy, the trend in lost data cases had been in favor of finding subject matter jurisdiction, even where the plaintiff's allegations failed to state a valid cause of action. (See our post regarding McLoughlin v. People's United Bank, Inc. here.) Indeed, as Judge Buckles observed in his opinion, subsequent to the Seventh Circuit's decision in Pisciotta v. Old Nat'l Bancorp, "district courts have consistently determined that claims of increased risk of identity theft resulting from security breaches sufficiently allege an injury-in-fact to confer Article III standing." After noting the Seventh Circuit's lack of discussion in Pisciotta about applying the U.S. Supreme Court's recognized standards for determining standing under Article III, Judge Buckles engaged in a thorough analysis of the plaintiff's standing to sue. Relying principally on the Supreme Court's opinion in Whitmore v. Arkansas, the Court concluded that the plaintiff lacked standing because he "cannot show that he has suffered or will immediately suffer a concrete injury-in-fact."
In addition to dismissing all of plaintiff's claims for lack of subject matter jurisdiction, the Court explained that the claims for negligence, violations of state data breach notification laws and violations of Missouri's MPA also should be dismissed under Rule 12(b)(6) of the Federal Rules of Civil Procedure for failing to state a viable cause of action. The Court pointed out that Plaintiff's breach of contract allegations stated a claim for at least nominal damages under Missouri law, but the Court lacked subject matter jurisdiction to entertain the matter.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.