Claims Brought by Express Scripts Data Breach Plaintiffs Rejected on Standing Grounds — Amburgy v. Express Scripts, Inc.

[Post by Venkat]

A federal court in Missouri recently rejected a class action brought by consumer plaintiffs on standing grounds. Given the long line of consumer plaintiffs who have suffered a similar fate I thought this case was somewhat unexceptional, but I think it’s worth mentioning for a couple of reasons. (Amburgy v. Express Scripts, Inc., Case No. 4:09-CV705 FRB; Nov. 23, 2009 (E.D. Mo). Access a copy of the order at scribd here.)

Consumer plaintiffs who have tried to bring claims arising out of data breaches have all pretty much failed, unless they are able to show that someone actually misused their data (for example, by withdrawing money from their account). A good recent example of this is the Citizens Financial case mentioned here and here, where the court allowed plaintiffs to sue a bank which tried to hold the plaintiff liable for funds that were hacked from plaintiff’s bank account. Where the plaintiff or class of plaintiffs have not had their data actually misused by the person who stole it, courts have uniformly rejected class actions trying to seek redress. Typically the company who suffered the loss of data will offer monitoring services effectively mooting the issue of whether this is something plaintiffs should be able to sue for.

Express Scripts provides “pharmacy benefit management services.” It suffered a data breach coupled with an extortion attempt by someone who threatened to disclose customer information. (WSJ Health Blog [link] covered the story in 2008.) Although Express Scripts notified the FBI, a quick Google search didn’t unearth any news reports of the bad actors having been caught. The Express Scripts webpage [link] which provides notice of the incident states that in August 2009 the perpetrator sent a similar letter threatening to expose consumer information. Plaintiffs sued alleging negligence, breach of contract, and state law satutory claims.

The court granted the motion to dismiss brought by Express Scripts on Article III standing grounds. Language used by the court expressed some hostility to the underlying claims – in describing the hypothetical nature of the injury, the court states:

[f]or plaintiff to suffer the injury and harm he alleges here, many “if’s” would have to come to pass. Assuming plaintiff’s allegation of security breach to be true, plaintiff alleges that he would be injured “if” his personal information was compromised, and “if” such information was obtained by an unauthorized third party, and “if” his identity was stolen as a result, and “if” the use of his stolen identity caused the harm. These multiple “if’s” squarely place plaintiff’s claimed injury in the realm of the hypothetical. If a party were allowed to assert such remote and speculative claims to obtain federal court jurisdiction, the Supreme Court’s standing doctrine would be meaningless.

[quotations in original]

The result is pretty typical, but two things struck me about this case. I didn’t realize this at first, but the records at issue included prescription information. Medical information is subject to a higher degree of privacy and subject to specialized rules. Either the plaintiff didn’t allege violations of these specific rules or the rules weren’t implicated. Either way, the court only made a passing reference to the fact that the data included prescription information. Second, the bad actor is still at large. There are cases where an information breach occurs as part of another incident (such as a theft of a laptop). It’s less clear in those cases whether someone just stole a laptop or whether they were focused on obtaining information. Here, there’s no dispute that a bad actor has the customer information. Express Script received not one but two extortion letters which contained specific information demonstrating that the third party had access to Express Scripts information. And the person who sent the letters has not yet been caught. (On the other hand, the fact that they were seeking to extort Express Scripts tends to point in the direction that they didn’t necessarily use the information. The bad actors lose leverage by using the information and using the information increases the likelihood of being caught.)

I wonder if anyone has compiled data on what actually happens to these data breach class action plaintiffs – i.e., how many of them suffer damages as a result of identity theft, etc. I would think this type of data would be useful.

[Added: see additional coverage of this case from Proskauer's Privacy Law Blog here.]