
Ninth Circuit Partially Reverses Motion for Summary Judgment on Issue of Damages in Data Breach Case

By David Navetta

One of the biggest obstacles for consumer plaintiffs in personal data breach lawsuits has been establishing the "damages" element for a negligence claim. Several courts have dismissed such suits, ruling that plaintiffs could not provide sufficient evidence that they suffered an injury as the result of a data breach. Ironically, one of the landmark cases against establishing damages, Stollenwerk v. Tri-West Health Care Alliance, may give plaintiffs' attorneys some additional ammunition.

The United States Court of Appeals for the Ninth Circuit ("Appellate Court") recently ruled on the Stollenwerk appeal and provided the plaintiffs with a partial victory on the issue of proving damages that could clarify the liability landscape for data breach lawsuits. The ruling may allow more data breach suits involving victims of actual identity theft to get in front of a jury and achieve more favorable settlements.

Stollenwerk Background & District Court's Ruling
In December 2002, Tri-West Healthcare Alliance ("Tri-West"), a contractor managing a large government health insurance program, suffered a burglary that resulted in the theft of computer hard drives containing the personal information of the program's members. Three individuals brought a class action lawsuit against Tri-West in the U.S. District Court of Arizona ("District Court") alleging numerous claims, including common law negligence. One of the plaintiffs, William Brandt, alleged that unknown individuals used his personal information after the burglary to open or attempt to open unauthorized credit accounts in his name. The two other plaintiffs, Michael Stollenwerk and Andrea DeGatica, while not alleging they suffered identity theft, did allege that they needed to purchase credit monitoring services and identity theft insurance to prevent potential future identity theft.

In its September 2005 opinion, the District Court dismissed all of the plaintiffs' claims on the grounds that they could not establish that they suffered any injury as a result of the Tri-West data breach. Stollenwerk and DeGatica attempted to analogize financial credit monitoring expenses to medical monitoring expenses in "toxic tort" cases (e.g., asbestos lawsuits where otherwise healthy individuals exposed to asbestos paid doctors to monitor their health prior to any adverse effects manifesting). The District Court indicated that enhanced risk of future injury is generally insufficient to establish a negligence claim, but in the case of toxic tort lawsuits an exception was justified because of the importance of preserving public health. In addition, since the plaintiffs could not establish that the target of the burglary was their personal information (as opposed to the physical hard drives themselves), the court ruled that Stollenwerk and DeGatica failed to provide evidence that such information was significantly exposed, or that they were at significantly increased risk of suffering identity fraud.

The District Court also dismissed Brandt's negligence claim. Although the plaintiff suffered identity theft on several occasions six weeks after the burglary, the Court held that the circumstantial timing of the burglary and identity theft was insufficient evidence that the burglary was the cause of such theft.

The Appellate Court's Decision
In November 2007, the Appellate Court reversed the District Court's decision concerning Brandt, but upheld the lower court's ruling on Stollenwerk and DeGatica.

Stollenwerk and DeGatica
With respect to Stollenwerk and DeGatica, the 9th Circuit agreed that the analogy to toxic tort cases was not justified because credit monitoring does not directly involve health and human safety. However, the court did not reject the analogy entirely, noting that: "In both circumstances the individual may manifest more obvious injury, such as identity fraud or disease, after some period of time, and in neither instance is the later manifestation of patent injury guaranteed, although the certainty with which such a development may be anticipated may be greater for toxic torts."

The Appellate Court also noted that under the facts of this case, even if the toxic tort analogy were apt, Stollenwerk and DeGatica had not established the requisite elements to support their claim, including:

  • Significant exposure of sensitive personal information;
  • A significantly increased risk of identity fraud as a result of that exposure; and,
  • The necessity and effectiveness of credit monitoring in detecting, treating and/or preventing identity fraud.

The Court held that the plaintiffs did not provide sufficient evidence that their personal data was targeted or accessed. Moreover, the Court indicated that the plaintiffs' expert failed to objectively quantify the reduction of risk that would result from credit monitoring.

The Appellate Court's opinion was much more forgiving for Brandt. In this case, the plaintiff allegedly was the victim of identity theft on six occasions after the burglary of Tri-West's hard drives. The Court did not make a distinction between "attempts" to open accounts and successful account openings — the Court appeared to conclude that both constituted identity theft. Significantly, the Court's opinion appears to simply accept that "identity theft" constitutes an injury, and instead focused on whether Brandt established that the burglary was the proximate cause of the identity theft.

On the issue of causation, to survive a motion for summary judgment, the plaintiff needed to provide evidence from which a reasonable jury could conclude that Brandt's injuries were the result of the burglary rather than other causes. Direct or circumstantial evidence is permitted, but this plaintiff was only able to offer circumstantial evidence, including:

  • Possession: The ID Theft Plaintiff provided Tri-West with his information
  • Type of Information: The personal information stored on the Tri-West hard drives is the type of information that can be used to open credit card accounts
  • Timing — Identity Theft Incidents: The six alleged identity theft incidents all occurred after the burglary, and the first began about six weeks after the burglary (the last happened about 3-4 months after the burglary)
  • Timing — Prior Incidents: The plaintiff had never suffered identity theft prior to the burglary (despite having his wallet stolen five years earlier)
  • Limited Opportunities for Other Causes: The plaintiff testified that he had never transmitted his personal information over the Internet and that he shreds all mail in the form of credit card applications, approvals and pre-approvals.

The 9th Circuit ruled that this circumstantial evidence on the issue of causation was sufficient for purposes of summary judgment and reversed the District Court's grant of summary judgment to the Defendants.

The Stollenwerk decision is largely a mixed bag for both plaintiffs and defendants. The 9th Circuit's decision is good for defendants because it largely validates that the purchase of credit monitoring services or insurance to decrease the likelihood of potential future identity theft is not sufficient to establish damages for purposes of a negligence lawsuit. This ruling most likely decreases the risk of successful class action lawsuits involving massive numbers of plaintiffs whose personal information is exposed in a data breach. However, because its decision was based mainly on public policy grounds, and because it noted some similarities between toxic tort injuries and data breach injuries, the Court appeared to leave the door open a little for plaintiffs to make the toxic tort analogy in other jurisdictions.

The Court's ruling was favorable for plaintiffs who actually suffer identity theft after a data breach. The Court was lenient in its acceptance of purely circumstantial evidence — most of the evidence provided was very loosely tied to the actual burglary. As a result of this ruling, plaintiffs who were or are the victims of identity theft will have a better chance to get their case in front of a jury in the 9th Circuit, which increases both the likelihood of success in litigation and the leverage plaintiffs will have to force a settlement. On the flip side, since it appears that most data breaches never actually result in identity theft (see GAO Report, June 2007), plaintiffs' lawyers may find it difficult to establish large classes that make these suits financially attractive to pursue. In all, this decision and other cases dismissing data breach cases seem to indicate that successful and severe consumer litigation (e.g., large successful class action suits) is still elusive for the plaintiffs' bar.

David Navetta operates InfoSecCompliance, LLC, a law firm providing services related to information security and privacy contract drafting, policy drafting, risk management and regulatory compliance. He previously worked as assistant general counsel for AIG's eBusiness Risk Solutions Group analyzing information security risks and drafting policies to cover such risks. Mr. Navetta serves as a Co-Vice Chairman of the ABA's Information Security Committee and Founder of the Facebook Information Security and Privacy Law Group. His blog is located at www.infoseccompliance.blogspot.com and he can be reached at 303-325-3528.

