Aetna Wins Dismissal on "Increased Risk of Identity Theft" Damages Sought for Class Action

Judge Legrome D. Davis of the United States District Court for the Eastern District of Pennsylvania issued an amended order on March 9th (amended from March 8th) dismissing a recent case seeking speculative damages arising from a data breach of Aetna’s job application web site. A copy of the opinion can be viewed here.

In Allison v. Aetna (09-2560), the plaintiffs sought, among other relief, damages for identity theft that might occur in the future. Mr. Allison’s identity had not been stolen at the time the complaint was filed (and presumably has not been since).

The facts are set forth in more detail in the attached opinion, but essentially hackers gained access to some 450,000 (!!!) job applicants’ personal information contained in Aetna’s job application web site database. Also taken were the social security numbers of Aetna employees (reports say 65,000 employees were affected). The applicants then received emails, purporting to be from Aetna, requesting additional personal information from the applicant. It is unclear what additional information was actually sent by applicants, but it is a pretty safe assumption that at least some of the applicants were tricked into supplying the information.

Judge Davis walks through a detailed analysis of “increased risk of harm” claims, and concludes that there is no legally cognizable injury based on such claims. A detailed analysis of recent decisions related to “increased risk of harm” claims arising in connection with data breaches is included in the opinion.

There was no proof that Mr. Allison’s personal information was ever accessed and the only information known for certain to be stolen was email addresses. Mr. Allison never received the phishing email, and an implication arises that no other information was taken if the phishers were asking for the same information. (I think the opposite inference is possible, that only those applicants for which more detailed information was not taken were "phished.") Judge Davis notes that “[a]t best, Plaintiff has alleged a mere possibility of an increased risk of identity theft, which is insufficient for purposes of standing, and he certainly has not asserted a credible threat of identity theft.”

This decision joins a growing line of cases where plaintiffs are not being allowed to collect damages where there has been no actual proof of harm.

A copy of the opinion can be found here.

Stolen Personal Data Continues to be Lucrative

Symantec Corp. has released its Internet Security Threat Report Volume XIV, and the news is excellent for thieves of personal information.  Symantec reports that the income received by sellers of stolen personal information continues to be high. 

Credit card information continues to reign supreme, generating from $0.06 to $30.00 per record, while access to email accounts, access to proxies and shell scripts saw the biggest rises from 2007 to 2008.

A recent article by the Associated Press focuses on economic factors related to the trading of stolen personal information. Citing reasons ranging from the bottoming out of prices, to sellers of stolen information not wanting to undercut each other, to the difficulty in getting PIN codes and security codes, to renewed efforts to scam information because of a failing economy, the article explains why prices are holding steady even though thefts are increasing.

However, the most interesting statistic may relate to so-called phishing scams. A study from Gartner estimated that more than 5 million persons in the United States were the victim of a phishing scam between September 2007 and September 2008, representing a forty percent (40%) increase over the prior twelve months.

Reports also indicate that the trading in financial information has become so lucrative, and apparently relatively easy, that “gangs” of hackers and traders have become more common and visible. 

What this means is that one or both of these two things are happening: (1) those persons that set up phishing scams are getting even better at tricking unsuspecting people into providing their personal information, and (2) Internet users are not being nearly vigilant enough when it comes to “clicking” on emails and providing personal information online.

The issues for businesses are dramatic:

- Are employees falling for phishing scams on work computers, possibly allowing the installation of malicious software?

- Are your customers being duped into thinking that your business is communicating with them (which begs the question of whether you have educated your customers about the information you collect through email links)?

- Are you accepting payments that do not conform to the PCI Standards and/or do not request enough information to ensure that your payees are who they say they are?

Mark McCreary is a partner in Fox Rothschild's Corporate Department, specializing in privacy and Internet law. If you have questions regarding this post, or any other privacy matter, you may contact Mark at (215) 299-2010 or mmccreary@foxrothschild.com.