BreachExchange mailing list archives

Class Action Suit Over Aetna's Security Breach Is Dismissed


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sat, 14 Aug 2010 22:52:14 -0400

http://www.law.com/jsp/article.jsp?id=1202446049469

Finding there was no more than speculative injury, a federal judge has
dismissed a class action suit against Aetna Inc. filed in the wake of
news that the insurer's computer database may have been hacked and
that personal data of up to 450,000 job applicants were potentially at
risk.

In Allison v. Aetna, U.S. District Judge Legrome D. Davis added his
voice to a growing chorus of judges who have held that such a claim of
"increased risk of identity theft" is not enough to confer standing to
sue.

"At best, plaintiff has alleged a mere possibility of an increased
risk of identity theft, which is insufficient for purposes of
standing, and he certainly has not asserted a credible threat of
identity theft," Davis wrote.

In his 14-page opinion, Davis surveyed the legal landscape, noting
that the case was "part of a burgeoning area of law," and that the
courts are divided on whether plaintiffs in such cases have standing.

The analysis is ultimately a fact-specific one, Davis found, that
turns on whether the plaintiff is able to show more than a mere
possibility of future harm.

The ruling is a victory for attorneys John M. Elliott, Mark J.
Schwemler, Timothy T. Myers and Stewart J. Greenleaf Jr. of Elliott
Greenleaf & Siedzikowski in Blue Bell, Pa., who argued that the
plaintiffs were asking the courts to invent new and novel tort and
contract theories.

But the plaintiffs' lawyers -- Sherrie R. Savett and Michael T. Fantini
of Berger & Montague -- insisted in court papers that the suit was
firmly grounded on actual injury suffered by the lead plaintiff and
the class.

"This case is about whether plaintiff and the class can recover for:
(i) out-of-pocket costs necessarily incurred as a result of the data
breach; (ii) time spent responding to the breach; and (iii) an
increased risk of identity theft," the plaintiffs' lawyers argued.

According to court papers, Aetna learned in May 2009 that its job
application Web site had been hacked when some applicants reported
receiving "phishing" e-mails purporting to be from Aetna and seeking
additional personal information.

The site contained the e-mail addresses of about 450,000 job
applicants, as well as the Social Security numbers of 65,000 current
and former employees. For a smaller number of applicants who had been
offered a job, the site contained even more data, including telephone
numbers, addresses and employment histories.

Aetna mailed letters to the 65,000 individuals whose Social Security
numbers were at risk. The letter "urged" them to take numerous steps
to protect themselves from identity theft, including monitoring their
personal accounts -- bank statements and credit card bills -- for
fraud, placing a fraud alert on their credit files, and reviewing
their credit reports for accounts they did not open.

The letter also said Aetna was offering free credit monitoring for one year.

But in the suit, plaintiff Cornelius Allison, a former Aetna employee,
claimed that Aetna wasn't offering enough to solve his problems. One
year of credit monitoring was not enough, his lawyers argued, for an
event in which Aetna itself had acknowledged there was a significant
risk of identity theft.

Defense lawyers, in their motion to dismiss, argued that Allison's
claims are fatally flawed because the entire case is built on a claim
that his personal data "might" have been accessed.

"Based on this pure conjecture," the defense team argued, "plaintiff
speculates that maybe, some day, perhaps more than a year from now, he
might suffer some kind of harm. As numerous federal courts have
already recognized, such allegations of speculative harm do not state
a valid or cognizable claim."

Davis agreed, saying "plaintiff's alleged injury of an increased risk
of identity theft is far too speculative."

Since Allison never received one of the phishing e-mails, Davis said,
the "allegation that his personal information was even accessed is
conjecture."

The evidence, Davis said, also hinted that the hackers may have been
able to retrieve only e-mail addresses and were therefore using
phishing e-mails to access more sensitive data.

The plaintiffs' lawyers urged Davis to draw the opposite inference from
the phishing e-mails, arguing that such post-hacking conduct revealed
the hackers' nefarious purposes.

Davis disagreed and found instead that the more logical conclusion was
that the hackers had come up short and were unable to commit any
identity theft crimes with the data they had retrieved unless they
used trickery to augment it with more valuable information.

"It would not be a reasonable inference for the court to presume that
hackers would seek such information, thereby risking exposure of their
nefarious activities, if they had already obtained the same through
unlawful means. Accordingly, even assuming that the hackers obtained
plaintiff's email address, it is highly speculative that they obtained
any other information that would be necessary to commit identity
theft," Davis wrote.

Savett and Fantini did not return calls seeking comment.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/