data breach class action lawsuits

• 1 In re American Airlines, Inc., Privacy Litigation
• 2 Bell v. Acxiom Corp.
• 3 Dyer v. Northwest Airlines Corporations
• 4 Forbes v. Wells Fargo Bank, N.A.
• 5 Giordano v. Wachovia Sec., LLC
• 6 In re Jetblue Airways Corp. Privacy Litigation
• 7 Key v. DSW, Inc.
• 8 Randolph v. ING Life Ins. and Annuity Co.
• 9 Richardson v. DSW, Inc.
• 10 Stollenwerk v. Tri-West Healthcare Alliance

In re American Airlines, Inc., Privacy Litigation

370 F.Supp.2d 552 (N.D. Tex. 2005) [1]

Background: Plaintiffs filed putative nationwide class actions alleging injuries arising out of airline's agent's unauthorized disclosure of its passengers' personally identifiable travel information to Transportation Security Administration (TSA), and subsequent disclosure of that information to private research companies. After cases were consolidated and transferred by Judicial Panel on Multidistrict Litigation, 342 F.Supp.2d 1355, airline and companies moved to dismiss.

Holdings: The District Court, Fitzwater, J., held that:

(1) disclosure did not violate Electronic Communications Privacy Act-Stored Communications (ECPA);

(2) Airline Deregulation Act (ADA) preempted passengers' state law tort claims against airline; and

(3) passengers failed to plead actionable breach of contract claim.

Bell v. Acxiom Corp.

2006 U.S. Dist. LEXIS 72477 [2]

Backgound: Defendant Acxiom Corporation ("Acxiom") stores personal, financial, and other company data for its corporate clients. In 2003, Acxiom's computer bank was hacked and client files were compromised. Plaintiff filed this class action seeking damages and injunctive relief alleging that Acxiom's lax security jeopardized her privacy and left her at a risk of receiving junk mail and of becoming a victim of identify theft. Defendant moved for dismissal.

Holdings: Defendant's motion to dismiss is granted because potential future injury does not satisfy the injury-in-fact test. Plaintiff's claims must be dismissed for lack of standing.

Dyer v. Northwest Airlines Corporations

334 F.Supp.2d 1196 (D. N.D. 2004) [3]

Background: Passengers filed class action in state court alleging that airline's unauthorized disclosure of their personal information to government constituted violation of Electronic Communications Privacy Act (ECPA), and breach of contract. After removal, airline moved to dismiss.

Holdings: The District Court, Hovland, Chief Judge, held that:

(1) airline was not “electronic communications service provider,” and

(2) airline's privacy policy posted on its website did not constitute “contract.”

Forbes v. Wells Fargo Bank, N.A.

420 F.Supp.2d 1018 (D. Minn. 2006) [4]

Background: Bank customers whose personal information was on computers stolen from corporation that had been retained by bank to print monthly statements for certain home equity mortgage and student loan customers brought action in state court against bank, alleging claims for breach of contract, breach of fiduciary duty, and negligence. Following removal, bank moved for summary judgment.

Holding: The District Court, Doty, J., held that customers did not suffer any present injury or reasonably certain future injury, as required to recover damages for increased risk of harm in the future.

Giordano v. Wachovia Sec., LLC

2006 U.S. Dist. LEXIS 52266 [5]

Background: This case presents the interesting issue of whether a case, having been removed from State court to Federal court, in which the plaintiff lacks Article III standing to pursue her claim, should be dismissed in Federal court or remanded to State court. This matter, which was removed by Defendant from the Superior Court of New Jersey to this Court, is before the Court upon a motion to dismiss under Federal Rules of Civil Procedure 12(b) (1) and 12(b) (6) filed on behalf of Defendant Wachovia Securities, LLC ("Wachovia"). This motion relates to Plaintiff Lois Giordano's four-count complaint (the "Complaint") alleging (1) negligence, (2) invasion of privacy, (3) breach of the duty of confidentiality, and (4) conversion stemming from the loss of Plaintiff's personal and financial information.

Holdings: In short, the Court finds, as alleged by Defendant itself, that Plaintiff has failed to allege that she suffered an injury-in-fact and therefore has not met the Constitutional requirements for standing in Federal court under Article III. Having determined that Plaintiff did not fulfill the minimal constitutional requirements for Federal court standing, this Court lacks subject matter jurisdiction and cannot address the merits and, under 28 U.S.C. § 1447 (c), this Court shall (1) deny Wachovia's motion to dismiss and (2) remand the case back to State court.

In re Jetblue Airways Corp. Privacy Litigation

379 F.Supp.2d 299 (E.D.N.Y. 2005) [6]

Background: Nationwide class of airline passengers brought action against airline and data mining company for alleged violations of the Electronic Communications Privacy Act (ECPA), and violations of state and common law based on airline's transfer of their personal information to data mining company. Defendants moved to dismiss.

Holdings: The District Court, Amon, J., held that:

(1) airline's on-line reservations system did not constitute an “electronic communication service” within the meaning of ECPA;

(2) airline, which operated a website and computer servers, was not a “remote computing service” within the meaning of ECPA;

(3) passengers' privacy claims under New York General Business Law and other consumer protection statutes were expressly preempted by Airline Deregulation Act;

(4) passengers' claims against airline for breach of contract, trespass to property and unjust enrichment were not expressly preempted;

(5) passengers' alleged loss of privacy as result of airline's transfer of their personal information to data mining company was not a damage available in breach of contract action;

(6) passengers did not establish an actual injury sufficient to sustain a claim against airline for trespass to chattels; and

(7) passengers failed to state claim against airline for unjust enrichment

Key v. DSW, Inc.

454 F.Supp.2d 684 (S.D. Ohio 2006) [7]

Background: Customer brought putative class action in state court against store, when unauthorized persons obtained access to store customers' confidential financial information, alleging negligence, breach of contract, conversion, and breach of fiduciary duty. Action was removed to federal court. Store moved to dismiss.

Holding: The District Court, Frost, J., held: Customer lacked standing to assert action against store for negligence, breach of contract, conversion, and breach of fiduciary duty, in connection with store's alleged disclosure of its customers' confidential financial information to unauthorized third parties; customer's claimed injury, that she was subjected to substantially increased risk of identity theft as result of the disclosure of her confidential information, was not an actual or imminent injury.

Randolph v. ING Life Ins. and Annuity Co.

2007 WL 565872 (D. D.C. 2007) [8]

Background: Plaintiffs, seven current or retired District of Columbia employees, bring this purported class action on behalf of individuals whose private personal information, including Social Security numbers, was contained on the laptop computer of a representative of Defendant ING Life Insurance and Annuity Company (“ING”), which was stolen during a burglary of the representative's home. Plaintiffs' Complaint alleges two counts of invasion of privacy, one count of gross negligence, and one count of negligence. Defendant has moved to dismiss Plaintiffs' Complaint pursuant to Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6) on three grounds: (1) that Plaintiffs fail to allege any injury in fact and thus lack standing; (2) that Plaintiffs fail to state a claim on which relief can be granted; and (3) that Plaintiffs' claims are moot because Defendant has already provided Plaintiffs all the relief they seek.

Holding: Upon a searching review of Defendant's Motion to Dismiss, Plaintiffs' Opposition, Defendant's Reply, and the relevant statutes and case law, the Court concludes that Plaintiffs lack standing because they fail to allege a cognizable injury in fact.

Richardson v. DSW, Inc.

2005 WL 2978755 (N.D. Ill. 2005) [9]

Background: In this diversity case, which is styled as a class action and was removed from state court, plaintiff Barbara Richardson contends that DSW negligently permitted unauthorized access to its computer system and raises claims based on implied contract and bailment theories and the Illinois Consumer Fraud Act. DSW's Rule 12(b)(6) motion to dismiss is before the court.

Holding: Richardson's implied contract claim survives DSW's motion to dismiss, but her bailment and Illinois Consumer Fraud Act claims are dismissed.

Stollenwerk v. Tri-West Healthcare Alliance

2005 U.S. Dist. LEXIS 41054 [10]

Background: This matter arises out of the burglary of Defendant TriWest Healthcare Alliance's ("Triwest") corporate office on December 14, 2002. During this burglary, computer hard drives containing the personal information of Plaintiffs Michael Stollenwerk, Andrea DeGatica, and Mark Brandt were stolen, leading Plaintiffs to file a class action lawsuit alleging negligence under Arizona law as well as other violations.

Holding: Defendant's motion for summary judgment is granted because the "mere use of such information in the course of acts of identity fraud, therefore, does not permit a finder of fact to draw the reasonable inference that the unidentified identity thieves obtained it from Defendant. Summary judgment is appropriate regardless of the admissibility of Plaintiff Brandt's evidence concerning information used by the identity fraud perpetrators. "