InfoLawGroup Counsel Andrew L. Hoffman contributed to this post.
In a case of first impression in the Eleventh Circuit, the Court ruled in a 2-1 opinion that the plaintiffs in a putative class action had sufficiently alleged liability against a health plan provider for a data breach involving actual identity theft. The Court’s opinion, decided under Florida law, gives crucial guidance to plaintiffs seeking damages for identity theft caused by a data breach and to defendants seeking to defend against such claims. See Curry v. AvMed, Inc., No. 11-13694, 2012 WL 2012 WL 3833035, — F.3d —- (11th Cir. Sep. 5, 2012).
In Curry, two laptops were stolen from AvMed’s corporate offices in Florida in December 2009. According to the plaintiffs, these laptops contained unencrypted sensitive information regarding approximately 1.2 million AvMed customers, which information including protected health information, social security numbers, names, addresses, and phone numbers. The plaintiffs alleged that the laptops were then sold to an individual who dealt in stolen property, and then ten and fourteen months later, the two named plaintiffs suffered identity theft.
The two named plaintiffs alleged that they were careful in guarding their sensitive information and avoided sharing sensitive information digitally; but notwithstanding their care, they both became victims of identity theft. Ten months following the laptop theft, an unknown third party opened Bank of America accounts, activated credit cards, made unauthorized charges, and changed one of the plaintiffs’ mailing address with the US Postal Service. Fourteen months after the laptop theft, the other named plaintiff had a brokerage account opened in her name, and that account was overdrawn.
Although not recited in the appellate opinion, the complaint alleged that the plaintiffs suffered financial losses by being forced to spend money to place alerts with credit reporting agencies and to contest fraudulent charges (e.g., cellular telephone minutes, postage, travel-related costs); by being forced to spend money an ongoing basis for a subscription to an identity theft protection service; and by missing work, incurring lost wages, and suffering a loss of goodwill at work to spend time meeting with the police to report and attempt to remedy the effects of the identity theft. The plaintiff who had a brokerage account opened in her name also alleged that the broker still holds her responsible for the nearly $4,300 overdrawn account, despite the fact that the plaintiff reported the identity theft to the broker.
After amending their complaint several times, the plaintiffs alleged that AvMed was negligent in protecting their sensitive information; was negligent per se when it violated Fla. Stat. § 695.3025, which protects medical information; breached its contract (or alternatively, implied contract) with Plaintiffs; were unjustly enriched; breached the implied covenant of good faith and fair dealing; and breached the fiduciary duty it owed to Plaintiffs. The federal district court dismissed the case for failure to state a cognizable injury.
On appeal, the circuit court held that allegations of identity theft that caused monetary damages – an issue of first impression in the Eleventh Circuit – are an injury in fact sufficient to confer Article III standing. The court also added that allegations of monetary loss are cognizable under Florida law for damages in contract, quasi-contract, negligence, and breach of fiduciary duty.
The Eleventh Circuit focused the bulk of its analysis on the question of causation as it relates to damages and conducted an analysis under Rule 8 to determine whether Plaintiffs allege a plausible basis for inferring that their sensitive information was obtained from AvMed.
The court considered the following allegations sufficient to establish a plausible entitlement to relief:
- Prior to the data breach, neither Plaintiffs had their identities stolen or had their sensitive information “compromised in any way.”
- Both Plaintiffs took substantial precautions to protect themselves from identity theft (listing many specific acts alleged)
- Plaintiffs became victims of identity theft for the first time ten and fourteen months after the AvMed laptop containing their sensitive information was stolen
The court noted that Plaintiffs sufficiently pleaded causation and established a nexus between the laptop theft and the identity theft “that includes more than a coincidence of time and sequence.” The Court found relevant the explicit allegations that plaintiffs’ identity was stolen because the identity thief used Plaintiffs’ sensitive information stored on the unencrypted laptop stolen from AvMed. The Court cautioned that “[h]ad Plaintiffs alleged fewer facts, [it would] doubt whether the Complaint could have survived a motion to dismiss.”
The Court also analyzed Plaintiff’s claim for unjust enrichment, which does not require causation under Florida law. The Court held that Plaintiff’s allegations of unjust enrichment were sufficient to withstand a motion to dismiss:
- Plaintiffs conferred a monetary benefit on AvMed in the form of monthly premiums
- AvMed appreciates or has knowledge of such benefit
- AvMed uses the premiums to pay for the administrative costs of data management and security
- AvMed should not be permitted to retain the money belonging to Plaintiffs because AvMed failed to implement the data management and security measures mandated by industry standards
- AvMed either failed to implement or inadequately implemented policies to secure sensitive information, as demonstrated by the data breach.
The Eleventh Circuit, however, held that the count for negligence per se failed because the statute allegedly creating the duty to protect information did not apply to AvMed, and that the count for the breach of the covenant of good faith and fair dealing failed because such breach must be caused by a conscious and deliberate act, not negligence or bad judgment as Plaintiffs allege.
Judge Pryor dissented, stating that he did not read the complaint to allege a plausible basis that AvMed caused Plaintiffs to suffer identity theft. The dissent would have found that the plaintiffs left too many unanswered questions regarding the source of the data used to steal their identities. According to Judge Pryor, plaintiffs’ allegations that they were careful to protect their sensitive information, standing alone, were irrelevant because such allegations left open the question of how third parties with access to the plaintiffs’ sensitive information care for that information. Thus, the alternative explanation remains open that some other third party in possession of Plaintiffs’ information might have caused the identity theft—not AvMed. The dissent recognized the difficulty of pinpointing the source of sensitive information used to commit identity theft, “[b]ut that difficulty does not relieve [Plaintiffs] of their burden under Rule 8 to plead a plausible basis for inferring that the sensitive information used by the identity thieves was obtained from AvMed.”
Had Plaintiffs encrypted the stolen laptops, perhaps the case would have failed. But the Curry opinion may mean more data breach litigation in the Eleventh Circuit because the case fairly clearly outlines what the Court views as the minimum requirements to establish causation in a data breach/identity theft case. Whether Plaintiffs making such allegations can ultimately prove their claims is a question for another day. Even so, this decision may give some plaintiffs litigation leverage to move their cases toward a jury trial and possibly force settlement.