Add to collection(s) Add to saved
  1. Arts & Humanities
  2. Communications
  3. Marketing

law&policy e-finance&payments cecile park publishing FEATURED ARTICLE

advertisement 
e-finance&payments
law&policy
FEATURED ARTICLE
07/07
cecile park publishing
Head Office UK Cecile Park Publishing Limited, 17 The Timber Yard, Drysdale Street, London N1 6ND
tel +44 (0)20 7012 1380 fax +44 (0)20 7729 6093 info@e-comlaw.com
www.e-comlaw.com
IDENTITY THEFT
Limiting class action liability
for businesses
As concern surrounding identity theft
in the United States continues,
financial organisations are threatened
by lawsuits over failures to ensure
sufficient levels of corporate security,
particularly in the form of class-action
lawsuits where customers are
affected on a nationwide basis. R.
Bruce Allensworth, Andrew C. Glass,
Ryan M. Tosi and David D.
Christensen of K&L Gates’ Boston
office report on a recent US district
court case where they successfully
represented the defendants and
which may limit class action liability
for organisations that electronically
store consumer personal information.
As public concern about ‘identity
theft’ continues to increase,
institutions such as lenders, banks
and credit card companies find
themselves facing a growing
number of lawsuits arising out of
alleged breaches of corporate
security. Because claims involving
identity theft may involve an
institution’s customers throughout
the country, the potential for class
action lawsuits on a nationwide
level is growing as well. Yet a
number of US federal courts have
taken a pragmatic approach to
assessing the validity of identitytheft claims. Most recently, in
Kahle v Litton Loan Servicing LP,1
the United States District Court for
the Southern District of Ohio
decided a case that may limit class
action liability for institutions that
electronically store consumer
personal information.
In that case, plaintiff Patricia
Kahle (‘Kahle’) sued defendant
Litton Loan Servicing LP (‘Litton’)
following the theft from a Litton
facility of password-protected hard
drives containing some consumer
personal information. Kahle
attempted to articulate theories of
identity theft and identity exposure
on behalf of a putative class of
customers located throughout the
United States. The court, however,
dismissed the lawsuit in its entirety,
ruling that such claims cannot
withstand summary disposition
where the only injury arguably
suffered is the mere fear of future
identity theft. Kahle bolsters a
growing line of US federal court
identity-theft and identityexposure cases holding that the
increased risk of future injury from
identity exposure is insufficient to
support an actionable injury or to
establish damages.2
Kahle’s Class Action claims
Kahle’s claims arose from an
August 2005 theft in which a
person or persons unknown
e-finance & payments law & policy july 2007
smashed their way into a locked
and alarmed facility belonging to
Litton and tore out computer hard
drives - among other more
expensive equipment - containing
some consumer personal
information.3 The computer hard
drives contained several layers of
electronic security, including
extensive password protection.
After the break-in, Litton
provided written notice to each
person whose information was
contained on the hard drives and
recommended that those persons
place a fraud alert on their credit
files. Kahle chose not to do so, but
instead brought suit on behalf of a
putative nationwide class under a
theory of negligence.4 Specifically,
Kahle claimed that the members of
the class would incur emotional
distress, costs of credit monitoring
and loss of identity as a result of
the theft of the hard drives.5
During discovery, Kahle
acknowledged that since the theft
of the hard drives, no
unauthorized use of her personal
information had ever occurred,
nor did she have any knowledge as
to whether any of her personal
information from the hard drives
had even been accessed in an
unauthorized manner.6 The only
harm that Kahle claimed to have
suffered was the cost incurred in
purchasing credit-monitoring
services.7
The Court rejects Kahle’s
theory of injury
On its motion for summary
judgment, Litton successfully
argued that Kahle’s claim must fail
‘as a matter of law because Plaintiff
cannot establish injury or
causation.’8 The court found that
any injury Kahle may have suffered
was ‘purely speculative’ because she
admitted no knowledge of any
unauthorized use or access of her
personal information, and there
was no evidence that the
05
IDENTITY THEFT
information contained on the hard
drives was even the target of the
theft.9
In particular, the court rejected
Kahle’s assertion that time and
money spent monitoring credit
establishes a cognizable injury.10
Rather, the court held that Kahle’s
argument overlooks the fact that
such expenditure of time and
money was not the result of any
present injury, but rather the
anticipation of future injury.11
Because such expenditures are the
result of a perceived risk of future
harm and not any present or
reasonably-certain future injury,
they do not constitute
compensable injury as a matter of
law.12
The court was not persuaded by
Kahle’s attempt to analogize
identity-exposure cases to toxicsubstance-exposure cases. Kahle
argued that the court must require
Litton to pay for credit-monitoring
costs in the same way that some
defendants in toxic-substanceexposure cases are required to pay
for medical-monitoring costs.13
The court found, however, that:
Although a victim of identity
theft and/or fraud - like the victims
in other negligence actions where
present actual injury is required may experience non-monetary
harm, the primary injury does not
present a serious health risk. Thus,
despite findings that identity theft
results in more than purely
pecuniary damages, including
psychological or emotional
distress, inconvenience and harm
to his credit rating or reputation, as
a matter of law, identity theft and
credit monitoring must still be
differentiated from toxic torts and
medical monitoring.14
Thus, the court declined to
extend the criteria used in medicalmonitoring cases to identityexposures cases. ‘[W]ithout direct
evidence that the information was
accessed or specific evidence of
06
identity fraud this Court can not
find the cost of obtaining credit
monitoring to amount to damages
in a negligence claim.’15
The Kahle decision is significant
in the defense of class action
lawsuits because if the named
plaintiff cannot introduce some
evidence of actual, versus merely
speculative, injury as the result of
the alleged data theft, judgment
must be entered against that
named plaintiff.16 It is not enough
for the named plaintiff to allege
that an injury has been ‘suffered by
other, unidentified members of the
class’ that the named plaintiff
purports to represent.17 ‘If a named
member purporting to represent a
class does not have standing, she
may not seek relief on behalf of
herself or any other member of the
class.’18
US federal case law holds that
standing is an essential element in
determining class certification.19
Further, class actions in US federal
courts are governed by Rule 23 of
the Federal Rules of Civil
Procedure. Rule 23 mandates,
among other things, that a named
plaintiff satisfy ‘typicality’ and
‘adequacy’ requirements.20 The
named plaintiff’s claims must be
typical of those of the class, and
the named plaintiff must
adequately protect the interests of
the unnamed class members.21 To
satisfy these requirements, the
named plaintiff must show that her
injury arises from or is directly
related to the alleged wrong to the
putative class.22 It would follow that
because Kahle had not suffered a
cognizable injury,23 she could not
adequately represent the putative
class, nor was she a typical member
of a sustainable class.
Kahle could not prove
proximate causation
Proximate causation presents
another significant barrier for a
named plaintiff in litigating an
identity-theft class action lawsuit.
For each claim, the named plaintiff
must establish that the defendant’s
alleged actions were the proximate
cause of any complained-of
injury.24 Thus, even if Kahle had
established that the unauthorized
use of her personal information
had occurred following the theft
(which she did not do), her claims
would have failed because she
could not have established that
Litton’s alleged actions were the
proximate cause of the
unauthorized use of information.
Kahle’s inability to demonstrate
proximate cause further prevented
her from adequately representing
the putative class and from being a
typical class member, as required
by Rule 23 of the Federal Rules of
Civil Procedure.
Like many consumers, Kahle
disclosed her personal information
to third parties on a regular basis.
In particular, Kahle’s driver’s
license, which she used as a form of
identification, contained her name,
address, US social security number
and birth date. Any persons to
whom Kahle gave her driver’s
license as a form of identification
would have had ample opportunity
to record her personal information
and could have used that
information at any time in the
future. Those opportunities
constituted potential intervening
causes sufficient to break the chain
of causation between the theft of
the hard drives and any
unauthorized use of Kahle’s
personal information that might
occur in the future.25
Conclusion: business
implications
The Kahle decision may have
significant implications for
financial institutions and other
businesses that electronically store
consumer personal information.
The decision suggests that even
amid the growing concern over
e-finance & payments law & policy july 2007
IDENTITY THEFT
information privacy, US federal
courts will likely continue to hold
named plaintiffs in identity-theft
class actions to the traditional
standards for proving injury and
causation. Before such plaintiffs
can represent a class, they must
point to some evidence of actual
injury to themselves and to
proximate causation. Thus, the
Kahle decision helps undermine
the incentive for bringing identitytheft class action lawsuits against
institutions that provide adequate
electronic protection for consumer
personal information, and
regularly assess the adequacy of
such safeguards. Institutions
should also regularly assess their
safeguards for the transmittal or
disposal of consumer personal
information. Furthermore,
institutions should regularly assess
the rapidly evolving landscape of
US federal and state statutory
regimes governing the protection
of consumer personal information.
As the Kahle court recognized, a
growing consensus has arisen
among US federal courts that an
alleged increase in the risk of
future injury is simply not an
‘actual or imminent’ injury
sufficient to sustain a class action,
or to withstand a defendant’s
motion for summary judgment.
Where a plaintiff’s claims are based
on nothing more than a
speculation that he or she will be a
victim of wrongdoing at some
unidentified point in the indefinite
future, the plaintiff does not have a
viable cause of action and cannot
maintain a class action.
R. Bruce Allensworth Partner
Andrew C. Glass Partner
Ryan M. Tosi Associate
David D. Christensen Associate
K&L Gates Boston, Massachusetts,
1. Civil Action No. 1:05cv756, 486 F.
Supp. 2d 705, 706-07 (S.D. Ohio 2007).
2. Id. at 710 (citing Key v DSW, Inc., 454
F. Supp. 2d 684, 690 (S.D. Ohio 2006);
Giordano v Wachovia Sec., 2006 WL
2177036, at *1 (D.N.J. July 31, 2006);
e-finance & payments law & policy july 2007
The court
rejected
Kahle’s
assertion that
time and
money spent
monitoring
credit
establishes a
cognizable
injury
Forbes v Wells Fargo Bank N.A., 420 F.
Supp. 2d 1018, 1021 (D. Minn. 2006);
and Guin v Brazos Higher Educ. Serv
Corp., 2006 WL 288483, at *5-6 (D.
Minn. Feb. 7, 2006)); see also
Stollenwerk v Tri-West Healthcare
Alliance, 2005 WL 2465906, at *5 (D.
Ariz. Sept. 6, 2005).
3. Kahle, 486 F. Supp. 2d at 706-07.
4. Id. at 707, 708.
5. Id. at 709, n.3.
6. Id. at 707.
7. Id. at 709.
8. Id.
9. Id. at 712-13. Indeed, in another
identity-theft case brought in the
Southern District of Ohio, the court
dismissed the plaintiff’s claim on the
basis that ‘potential injury [was]
contingent upon [the plaintiff’s]
information being obtained and then
used by an unauthorized person for an
unlawful purpose,’ which the court found
lacking. Key, 454 F. Supp. 2d at 690.
10. Kahle, 486 F. Supp. 2d at 711 (citing
Giordano, 2006 WL 2177036, at *5 &
n.5; Stollenwerk, 2005 WL 2465906, at
*1; Guin, 2006 WL 288483, at *3; and
Forbes, 420 F. Supp. 2d at 1020-21).
11. Id. at *710; see also Forbes, 420 F.
Supp. 2d at 1021.
12. Kahle, 486 F. Supp. 2d at 711;
Forbes, 420 F. Supp. 2d at 1021; see
also Key, 454 F. Supp. 2d at 690.
13. Kahle, 486 F. Supp. 2d at 712.
14. Id. (emphasis in original) (citing
Stollenwerk, 2005 WL 2465906, at *4).
15. Id. at 713.
16. Id. at 709 (citing Simon v Eastern Ky.
Welfare Rights Org., 426 U.S. 26, 40
n.20 (1976)); see also Key, 454 F. Supp.
2d at 687.
17. Kahle, 486 F. Supp. 2d at 709.
18. Key, 454 F. Supp. 2d at 687; see
also Kahle, 486 F. Supp. 2d at 709.
19. See Warth v Seldin, 422 U.S. 490,
502 (1975) (class representative plaintiffs
‘must allege and show that they
personally have been injured, not that
injury has been suffered by other,
unidentified members of the class to
which they belong and which they
purport to represent’); Simon, 426 U.S.
at 40, n.20 (‘[t]hat a suit may be a class
action ... adds nothing to the question of
standing’); see also Rivera v WyethAyerst Labs., 283 F.3d 315, 318 (5th Cir.
2002) (standing is an inherent
prerequisite to the class certification
inquiry); Ford v NYLCare Health Plans of
Gulf Coast, Inc., 301 F.3d 329, 332-33
(5th Cir. 2002) (same).
20. Fed. R. Civ. P. 23(a).
21. Fed. R. Civ. P. 23(a)(3) & (4).
22. See Bacon v Honda of Am. Mfg.,
370 F.3d 565, 572 (6th Cir. 2004); Lichoff
v CSX Transp., Inc., 218 F.R.D. 564, 575
(N.D. Ohio 2003) (‘it is obvious that the
named plaintiff cannot adequately
represent a proposed class that does
not share common issues and for which
their claims are not typical’).
23. Kahle, 486 F. Supp. 2d at 713.
24. Id. at 708.
25. See Tolton v Am. Biodyne, Inc., 48
F.3d 937, 944 (6th Cir. 1995) (a plaintiff’s
own actions can constitute an
intervening cause sufficient to break the
chain of causation).
07
cecile park publishing
Head Office UK Cecile Park Publishing Limited, 17 The Timber Yard, Drysdale Street, London N1 6ND
tel +44 (0)20 7012 1380 fax +44 (0)20 7729 6093 info@e-comlaw.com
www.e-comlaw.com
Registered number 2676976 Registered address 141 Wardour Street, London W1F 0UT VAT registration 577806103
e-commerce law & policy
world online gambling law report
Many leading companies, including Amazon, BT, eBay, FSA, Orange, Vodafone,
Standard Life, and Microsoft have subscribed to ECLP to aid them in solving the
business and legal issues they face online.
ECLP, was nominated in 2000 and again in 2004 for the British & Irish Association
of Law Librarian’s Legal Publication of the Year.
A twelve month subscription is £390 (overseas £410) for twelve issues and
includes single user access to our online database.
You can now find in one place analysis of the key legal, financial and regulatory
issues facing all those involved in online gambling and practical advice on how
to address them. The monthly reports update an online archive, which is an
invaluable research tool for all those involved in online gambling.
Poker, payment systems, white labelling, jurisdiction, betting exchanges,
regulation, testing, interactive TV and mobile gaming are all subjects that have
featured in WOGLR recently.
Leading organisations, including Ladbrokes, William Hill, Coral, Sportingbet,
BskyB, DCMS, PMU, Orange and Clifford Chance are subscribers.
A twelve month subscription is £485 (overseas £505) for twelve issues
and includes single user access to our online database.
e-commerce law reports
You can now find in one place all the key cases, with analysis and comment, that
affect online, mobile and interactive business. ECLR tracks cases and regulatory
adjudications from around the world.
Leading organisations, including Clifford Chance, Herbert Smith, Baker &
McKenzie, Hammonds, Coudert Brothers, Orange and Royal Mail are subscribers.
A twelve month subscription is £380 (overseas £400) for six issues and
includes single user access to our online database.
data protection law & policy
FAX +44 (0)20 7729 6093
CALL +44 (0)20 7012 1380
EMAIL dan.towse@e-comlaw.com
ONLINE www.e-comlaw.com
POST Cecile Park Publishing 17 The Timber Yard, Drysdale Street, London N1 6ND
priority order form
You can now find in one place the most practical analysis, and advice, on how to
address the many problems - and some opportunities - thrown up by data
protection and freedom of information legislation.
DPLP’s monthly reports update an online archive, which is an invaluable research
tool for all those who are involved in data protection. Data acquisition, SMS
marketing, subject access, Freedom of Information, data retention, use of CCTV,
data sharing and data transfer abroad are all subjects that have featured recently.
Leading organisations, including the Office of the Information Commissioner, Allen
& Overy, Hammonds, Lovells, BT, Orange, West Berkshire Council, McCann
Fitzgerald, Devon County Council and Experian are subscribers.
A twelve month subscription is £355 (public sector £255, overseas £375)
for twelve issues and includes single user access to our online database.
■
■
■
■
■
world sports law report
WSLR tracks the latest developments from insolvency rules in football, to EU
Competition policy on the sale of media rights, to doping and probity. The
monthly reports update an online archive, which is an invaluable research tool
for all involved in sport.
Database rights, sponsorship, guerilla marketing, the Court of Arbitration in
Sport, sports agents, image rights, jurisdiction,domain names,ticketing and
privacy are subjects that have featured in WSLR recently.
Leading organisations, including the England & Wales Cricket Board, the
British Horse Board, Hammonds, Fladgate Fielder, Clarke Willmott and
Skadden Arps Meagre & Flom are subscribers.
A twelve month subscription is £485 (overseas £505) for twelve issues
and includes single user access to our online database.
Please enrol me as a subscriber to e-commerce law & policy at £390 (overseas £410)
Please enrol me as a subscriber to e-commerce law reports at £380 (overseas £400)
Please enrol me as a subscriber to data protection law & policy at £355 (public sector £255, overseas £375)
Please enrol me as a subscriber to world online gambling law report at £485 (overseas £505)
Please enrol me as a subscriber to world sports law report at £485 (overseas £505)
All subscriptions last for one year. You will be contacted at the end of that period to renew your subscription.
Name
Job Title
Department
Company
Address
Address
City
State
Country
Telephone
Postcode
Fax
Email
1
2
3
Please invoice me
Signature
Purchase order number
Date
I enclose a cheque for the amount of
made payable to ‘Cecile Park Publishing Limited’
Please debit my credit card
VISA ■ MASTERCARD ■
Card No.
Expiry Date
Signature
Date
VAT No. (if ordering from an EC country)
Periodically we may allow companies, whose products or services might be of interest, to send you information.
Please tick here if you would like to hear from other companies about products or services that may add value to your subscription. ■
Related documents
Class Action Alert Recent Federal Court Decision Bolsters
Class Action Alert Recent Federal Court Decision Bolsters
Cry, the Beloved Country: Questions Chapters
Cry, the Beloved Country: Questions Chapters
Eleanor Kahle Memorial Endowed Scholarship 2016-17
Eleanor Kahle Memorial Endowed Scholarship 2016-17
RECONVENTIONAL DEMAND
RECONVENTIONAL DEMAND
MATH 519 Homework Fall 2013
MATH 519 Homework Fall 2013
Download
advertisement