U.S. District Judge Claire Cecchi of the District of New Jersey dismissed a class action suit against Horizon Blue Cross Blue Shield of New Jersey over a data breach. Two laptop computers were stolen from Horizon’s Newark office in November 2013. Data for 839,000 members was compromised, including names, addresses, dates of birth, medical histories and Social Security numbers.
The named plaintiffs in the data breach case against the insurance company argued that they were at risk of identity theft due to the breach. Horizon made a motion to dismiss and, on March 31, Cecchi dismissed the suit on the grounds that the plaintiffs failed to show damages sufficient to give them standing under the Fair Credit Reporting Act. None of the plaintiffs was able to show post-breach damages and the judge ruled that the potential for harm was insufficient.
Courtney Diana, Karen Pekelney and Mark Meisel, three of the named plaintiffs, argued they had standing based on economic injuries in the form of receiving “less than they bargained for” from payment of their premiums. They also argued a violation of common law and statutory rights and the “imminent risk of future harm.”
All of these arguments were rejected. Cecchi cited case law regarding the economic injuries claim, saying it was “too flimsy to support standing.” As for the common law and statutory rights claim, the judge stated that simply showing that a law has been broken or that it will reward plaintiffs who can show it’s been broken without showing damages is not enough to confer standing. Cecchi relied on a decision from the U.S. Court of Appeals for the Third Circuit, Reilly v. Ceridian, which held increased risk of identity theft due to a security breach wasn’t enough to grant standing.
The plaintiffs’ attempts to support their claims relied upon cases that the Third Circuit rejected when deciding Reilly. In those cases, data thefts that were sophisticated, intentional or malicious were indicators of imminent future harm. Cecchi disagreed, saying that the theft of two laptops didn’t rise to that level of sophistication.
A fourth named plaintiff almost made it. Mitchell Rindner alleged that the laptop thieves filed a fraudulent 2013 income tax return in his and his wife’s names that resulted in a stolen tax refund. Horizon’s rebuttal was simple: the laptops didn’t contain any data pertaining to Mrs. Rindner. Horizon further argued that Rindner’s identity was stolen in a different event as none of the other 839,000 members reported identity theft.
Rindner continued, saying that his information may have come from the Horizon laptops and his wife’s from another event. He cited Constitution Party of Pennsylvania v. Aichele, a 2014 Third Circuit case that held “room for concurrent causation in the analysis of standing.”
It wasn’t enough to convince Cecchi, who opined that, while the theory may work in the abstract, the chance that the fraudulent tax return was related to the Horizon laptop theft was “remote.” She added that Rindner’s claim failed based on redressability as he eventually did receive the tax refund.
The moral of the story – at least in New Jersey and the Third Circuit – is if you know your data has been stolen, take the necessary precautions: report it to the police, to the IRS, to Social Security and to www.idtheft.gov. Be vigilant in monitoring your credit reports. As a last resort, the Social Security Administration may grant you a new number. However, the old number will still be connected to your name and damage can still be done.