Court Dismisses Data Breach Claims Against Countrywide – Holmes v. Countrywide
[Post by Venkat Balasubramani]
Holmes v. Countrywide Financial Corp., et al., 08-CV-00205-R (W.D. Ky.; July 12, 2012)
In August 2008, a Countrywide employee engaged in a scheme to steal confidential customer information from Countrywide. An investigation found that the employee gained access to data from 2.4 million loan customers, and sold this information to unknown third parties for the whopping amount of $70,000. Countrywide sent notification letters to affected customers and offered two years worth of free credit monitoring.
Countrywide was hit with several class action lawsuits as a result of this data breach. The lawsuits were consolidated and eventually settled. Holmes and some members of his proposed class objected to the settlement which the court approved, notwithstanding the objections. Eventually, Holmes and Stiers (and their spouses) filed their own non-class complaint against Countrywide. One of the plaintiffs purchased credit monitoring services. The other expended sums for changing their telephone numbers due to the increased volume of telemarketing calls they received.
Standing: The court says that plaintiffs have standing under Sixth Circuit law (also citing to Krottner v. Starbucks). The credit monitoring and money spent to change the telephone number were sufficient to satisfy injury for Article III standing purposes.
The Merits: Plaintiffs don’t fare so well on the merits.
Risk of future identity theft:
It is an understatement to say that courts are skeptical of litigants’ claims for risk of future identity theft . . . . The animosity toward these types of lawsuits encompasses the most common scenarios where financial information is put at risk: instances where personal information is lost or misplaced through carelessness . . . and instances where criminals penetrate a company’s computer system and steal information.
The court cites to Pinero v. Jackson Hewitt as a prime example of this skepticism and also notes that Kentucky and New Jersey law both preclude recover for speculative or illusory damages.
Credit monitoring:
The court says that credit monitoring expenses are not recoverable as a general rule: “[c]onstruing the reach of state law and the requirements to show a compensable injury, case after case has discarded claims by litigants to collect damages for the electronic monitoring of their financial accounts and credit history.”
The court says that some courts have allowed recover for prophylactic measures by analogy to medical monitoring cases. However, Kentucky law does not allow recovery for risk of future injury, and federal courts construing New Jersey law have expressly rejected recovery for credit monitoring payments. Plaintiffs relied heavily on the Hannaford Brothers case, but the court distinguishes that case on the basis that in Hannaford, fraudulent charges were made to plaintiffs’ accounts, forcing them to pay fees for replacement cards (and other bank fees). In contrast, in this case, there was no allegation of such misuse (a single loan application in one of the plaintiff’s names were rejected) or out of pocket loss to plaintiffs.
Telephone cancellation fees:
The court says it’s unable to find any legal theory under which plaintiffs can recoup their phone cancellation fees. The court cites to a slew of cases holding that an increase in spam or unwanted calls is not compensable injury. In light of this, “[t]he court struggles to grasp how the cancellation of [plaintiffs’] telephone services to avoid the calls would be compensable . . . .”
Time spent monitoring credit:
Finally, the court says that time spent by plaintiffs monitoring credit also cannot form the basis of any legally compensable injury.
Causes of action:
After going through the categories of injury, the court ends up rejecting the causes of action asserted by plaintiffs: (1) unjust enrichment (plaintiffs can’t bring an unjust enrichment claim where there’s a contract and no breach of the agreement); (2) fraud (“the only financial damages [plaintiffs] suffered were self inflicted”); (3) breach of the duty of good faith (no injury); (4) data breach notification statutes (no private cause of action); (5) consumer fraud laws (no loss other than attorneys’ fees); and (6) Fair Credit Reporting Act (no consumer reports were “furnished” by Countrywide).
__
A fairly predictable result, given the precedent that has been built up over the past five or so years. No out of pocket loss equals no recovery. As I mentioned in my post about Hannaford, I would characterize that case as a “slight” win for the plaintiffs, and the result here bears that out. That case was not of much help to these plaintiffs. The class settlement probably did not provide much by way of monetary relief to the class, but these plaintiffs would have been better off opting in.
Previous posts:
Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit — Krottner v. Starbucks
9th Circuit Affirms Rejection of Data Breach Claims Against Gap — Ruiz v. Gap
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn
Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data — Reilly v. Ceridian
First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing–Katz v Pershing
New Essay: The Irony of Privacy Class Action Lawsuits
Another Data Loss Case Tossed on Article III Grounds–Whitaker v. Health Net
Reidentification Theory Doesn’t Save Privacy Lawsuit–Steinberg v. CVS Caremark