Quickhits: Federal Judge Dismiss Aetna Data Breach Case Due to Lack of "Injury-in-fact"

A Federal judge in the U.S. District Court for the Eastern District of Pennsylvania dismissed a class action lawsuit arising out of a data security breach involving Aetna, Inc. (original compliant found here).  The basis of the dismissal was the plaintiff's lack of standing due to its failure to allege an "injury in fact"  (the dismissal was under section 12(b)(1) of the Federal Rules of Civil Procedure).  In particular the court held that the plaintiff's alleged injury in the form of an increased risk of identity theft is far too speculative based on the factual allegations.  

The following quote cited by the court (from another case), is indicative of the court's reasoning:

[f]or plaintiff to suffer the injury and harm he alleges, many ‘if’s’ would have to come to pass. Assuming plaintiff’s allegation of security breach to be true, plaintiff alleges that he would be injured ‘if’ his personal information was compromised, and ‘if’ such information was obtained by an unauthorized third party, and ‘if’ his identity was stolen as a result, and ‘if’ the use of his stolen identity caused him harm. These multiple ‘if’s’ squarely place plaintiff’s claimed injury in the realm of the hypothetical. If a party were allowed to assert such remote and speculative claims to obtain federal court jurisdiction, the Supreme Court’s standing doctrine would be meaningless.

Note that the basis of this dismissal was not a "failure to state a claim" under 12(b)(6).  Rather this decision basically held that the plaintiffs could not even get a hearing in court on a 12(b)(6) motion because the court lacked subject matter jurisdiction to hear the case at all.  Also note that other courts have found standing for data breach cases, including the Seventh Circuit in Pisciotta.  However, those that have proceeded past the 12(b)(2) motion have often been dismissed under 12(b)(6).  In all, no matter how it happened, it appears that plaintiffs still have significant challenges moving consumer data breach cases further toward trial.

More commentary can be found here.