Another Missive from the Data Breach Front: Remote Risk of Identity Theft Does Not Confer Standing in Allison v. Aetna
Allison v. Aetna, Inc., a recent opinion out of the Eastern District of Pennsylvania, adds to the burgeoning area of law that holds when a plaintiff fails to allege an actual injury resulting from a data breach, but instead only alleges an enhanced risk of identity theft, an injury-in-fact does not exist and the suit must be dismissed for lack of standing.
In Allison, Plaintiff alleged that he and others submitted their personal information to Aetna’s job application website. Soon after, Plaintiff alleged that he began receiving “phishing” emails requesting additional personal information, as the result of an alleged security breach of Aetna’s website. Plaintiff, other applicants, and over 65,000 current and former Aetna employees were sent notification letters advising them of the breach, stating that their email addresses had been accessed but that it was unclear whether additional information had been accessed.
Plaintiff then filed his class action suit alleging that Aetna had failed to “adequately protect the personal information of its current, former, and potential employees….” Plaintiff described the various remedial measure that he and potential class members had been forced to undertake, including time spent to monitor various accounts for signs of identity theft and out-of-pocket expenses for identity theft protection services. The complaint did not allege that Plaintiff, or anyone else, had suffered identity theft, but rather that they were subject to an “a significant risk of identity theft.” The suit asserted various claims including negligence, breach of implied contract, breach of express contract, negligent misrepresentation, and invasion of privacy. Aetna moved to dismiss all claims pursuant to Federal Rules of Civil Procedure 12(b)(1), arguing that Plaintiff lacked injury-in-fact standing., and 12(b)(6), arguing that Allison had failed to state a claim.
The court held that Plaintiff’s increased risk of harm did not create an injury-in-fact because his chance of suffering from identity theft was not imminent and was too speculative. Despite Plaintiff’s conclusory allegations to the contrary, the court found that Plaintiff had merely alleged that unidentified hackers had accessed his email address, thus making actual identity theft unlikely. The court dismissed Allison’s claims based on a lack of standing.
Compared to other recent opinions that address the risk of identity theft, this opinion stops short of addressing the heart of this issue -- namely, does a demonstrated risk of identity theft create an injury upon which relief can be granted? Would the court have ruled differently if Allison’s social security number, as opposed to just his email address, had been accessed? Future plaintiffs are likely to attempt to distinguish their claims from Allison by contending that their claims are more fully and adequately plead to demonstrate a more imminent risk of identity theft. However, that does not mean a claim survives a motion to dismiss. In fact, as we discussed just last year, certain courts have held that while the increased risk of harm may be sufficient to satisfy the initial injury-in-fact element for standing, it may not suffice to show “actual damage” to support a claim for damages under negligence and other liability principles.