Quickhits: Federal Judge Dismisses Aetna Data Breach Case Due to Lack of "Injury-in-fact"

A Federal judge in the U.S. District Court for the Eastern District of Pennsylvania dismissed a class action lawsuit arising out of a data security breach involving Aetna, Inc. (original complaint found here). The basis of the dismissal was the plaintiff's lack of standing due to its failure to allege an "injury in fact" (the dismissal was under section 12(b)(1) of the Federal Rules of Civil Procedure). In particular, the court held that the plaintiff's alleged injury, in the form of an increased risk of identity theft, is far too speculative based on the factual allegations.

The following quote, cited by the court from another case, is indicative of the court's reasoning:

[f]or plaintiff to suffer the injury and harm he alleges, many ‘if’s’ would have to come to pass. Assuming plaintiff’s allegation of security breach to be true, plaintiff alleges that he would be injured ‘if’ his personal information was compromised, and ‘if’ such information was obtained by an unauthorized third party, and ‘if’ his identity was stolen as a result, and ‘if’ the use of his stolen identity caused him harm. These multiple ‘if’s’ squarely place plaintiff’s claimed injury in the realm of the hypothetical. If a party were allowed to assert such remote and speculative claims to obtain federal court jurisdiction, the Supreme Court’s standing doctrine would be meaningless.

Note that the basis of this dismissal was not a "failure to state a claim" under 12(b)(6). Rather, this decision basically held that the plaintiffs could not even get a hearing in court on a 12(b)(6) motion because the court lacked subject matter jurisdiction to hear the case at all. Also note that other courts have found standing for data breach cases, including the Seventh Circuit in Pisciotta. However, those that have proceeded past the 12(b)(2) motion have often been dismissed under 12(b)(6). In all, no matter how it happened, it appears that plaintiffs still have significant challenges moving consumer data breach cases further toward trial.

More commentary can be found here.

 

 

Merrick Bank v. Savvis: Merrick Files its Response to Savvis' Motion to Dismiss

On July 7, 2009, Merrick Bank filed its response to Savvis' motion to dismiss. I have not had time yet to analyze the brief, but will do so in the near future. In the meantime, if any readers would like to share their insight, please submit a comment!

Merrick Bank v. Savvis Update: Savvis Files Motion to Dismiss

As reported previously, the CardSystems security breach has resulted in a lawsuit brought by a merchant bank (Merrick Bank) against CardSystems' security assessment company (Savvis). The suit alleges that Savvis negligently certified CardSystems' security as compliant with Visa's Card Information Security Program ("CISP"), and negligently represented that CardSystems was compliant. Earlier this month Savvis filed a motion to dismiss this case. This post summarizes and explores that motion.

Hannaford's Motion to Dismiss: Victory for Merchants (Part 2)

In ISC's first post on the Hannaford case, I detailed the District Court's rationale for either dismissing or generally recognizing various legal theories around payment card number security breaches. The net result of the Court's analysis was the existence of three possible theories of recovery for the consumer plaintiffs:

  1. Breach of implied contract
  2. Negligence
  3. Violation of Maine's Unfair Trade Practices Act ("UTPA")

While the partial recognition of these theories of liability might be viewed as a positive development for plaintiffs, based on the Court's analysis of the "cognizable harm" (e.g. damages) elements of each theory, this decision ends up being bad for plaintiffs (or, better stated, plaintiffs' law firms desiring to pursue class actions in the wake of a payment card security breach). This post explains the Court's rationale and indicates aspects that may present difficulties for Hannaford on appeal.

 


The TJX Case: It Lives! With a New Theory of Liability: "Unfairness"

The last two plaintiff-banks still breathing after 1st Circuit Appeal

Little-known (or at least little-discussed) fact: despite announcing settlements with VISA and Mastercard in 2007, the TJX data security litigation is still going. In fact, most of the issuing banks impacted by the TJX breach are no longer pursuing TJX and/or have settled via VISA and Mastercard dispute resolution processes.

However, two financial institutions (Amerifirst Bank and SELCO Community Credit Union - hereinafter "Issuing Banks" or plaintiffs) have pressed forward with an appeal of various dismissals and class certification motions to the U.S. Court of Appeals for the First Circuit (the "Appellate Court"). The 1st Circuit's opinion sheds some more (high level) light on the liability risk of payment card data breach security cases. Ultimately, the Appellate Court allowed three theories of liability to proceed, including a previously dismissed theory alleging that TJX's inadequate security amounted to an unfair business practice under Massachusetts's unfair and deceptive business practices law.

TJX Motion to Dismiss Bank's Claims

I came across this ruling in the TJX matter that dismisses some of the banks' claims against TJX: Link

Consistent with past decisions (B.J. Wholesalers), it looks like issuing banks cannot rely on a 3rd party beneficiary theory to go after merchants for breach of contract. It also appears that the economic loss doctrine is still an effective block to general negligence actions.

However, the negligent misrepresentation claim and unfair/deceptive business act claims both survived. The negligent misrepresentation argument was very interesting. Basically, it appears that the issuing banks alleged that by participating in a financial network that relies on members taking appropriate security measures, TJX made "implied representations" that they would take security measures required by industry practice. The court let these allegations stand, indicating that the economic loss doctrine does not apply to a negligent misrepresentation claim in Massachusetts. In addition, the court ruled that the banks' reliance on such implied representations is a question of fact inappropriate for resolution at the motion to dismiss phase. These allegations also serve as the basis for the Banks' unfair and deceptive business practices claims under Chapter 93 of Massachusetts' law.

While the survival of these claims is certainly good news for the banks, TJX may still be able to stop this case from going to trial using a motion for summary judgment further down the line. It will be interesting to see if the Banks can successfully argue that the costs of preemptively reissuing credit cards constitute "damages" for purposes of negligent misrepresentation.