Class Action Complaint Premised on Risk of Identity Theft Failed to Adequately Allege Injury in Fact and, Accordingly, Must be Dismissed for Lack of Standing Pennsylvania Federal Court Holds
Plaintiff filed a putative class action against Aetna in federal court, asserting jurisdiction under the Class Action Fairness Act (CAFA), arising out of “an alleged security breach of Defendant’s online job application database”; specifically, the class action complaint alleged that plaintiff (who had worked for Aetna previously) applied online for a position with Aetna and, as part of the application, “uploaded his personal information as well as his resume” and subsequently learned that Aetna’s job application website had been hacked. Allison v. Aetna, Inc., ___ F.Supp.2d ___ (E.D. Pa. March 8, 2010) [Slip Opn., at 1-2]. According to the allegations underlying the class action complaint, Aetna “tout[ed] the security measures that [it] employed to protect such information against accidental or unauthorized access or disclosure.” Id., at 1. The website contained email addresses, Social Security numbers, and personal contact information of people to whom Aetna had extended job offers. Id..at 2. Aetna disclosed that the email addresses had been stolen but that it did not know whether any other information had been compromised, id. Additionally, Aetna could not confirm that plaintiff’s email address had been stolen, and the class action complaint did not allege that plaintiff had received any phishing email or that there was “any other sort of misuse of the database information or his information specifically.” Id., at 2-3. In response to the intrusion, Aetna “offered Plaintiff credit monitoring assistance and identity theft insurance.” Id., at 3. Instead, plaintiff filed his putative class action, alleging that Aetna’s data security system was inadequate and asserted causes of action “for negligence, breach of implied contract, breach of express contract, negligent misrepresentation, and invasion of privacy.” Id., at 3-4. Defense attorneys moved to dismiss the class action, id., at 4. The district court granted the motion, concluding that plaintiff had failed to establish an injury in fact.
The district court explained that the class action complaint was light on facts. The complaint “details the various ways in which Sensitive Information can be exploited, the dangers of identity theft, and the costs and inconvenience it causes its victims”; however, the “only allegation of actual misuse relates solely to the phishing emails that were sent to others.” Allison, at 3-4. The complaint also outlines various steps taken by putative class members, largely centered on monitoring identity theft, and concludes that class members “face a significant risk of identity theft” and that he, personally, suffered anxiety, emotional distress, and loss of privacy. Id., at 4. In analyzing the motion to dismiss, the federal court began by noting that Article III jurisdiction requires plaintiff establish standing to prosecute the class action and, specifically, that he establish “an injury in fact . . . ; a causal connection between the injury and the conduct complained of; and substantial likelihood of remedy – rather than mere speculation – that the requested relief will remedy the alleged injury in fact.” Id., at 4-5 (citation omitted). Moreover, “[t]he assumption of truth does not apply . . . to legal conclusions couched as factual allegations or to ‘[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements.’” Id., at 6 (citation omitted).
The defense motion to dismiss was premised on “the speculative nature of the harm to Plaintiff as well as the lack of imminency [of harm].” Allison, at 6. Plaintiff countered that injury in fact had been adequately alleged because the class action complaint alleged plaintiff “suffered damages including out-of-pocket expenses, lost time, and an increased risk of identity theft,” and that he had standing “even without actual identity theft.” Id., at 6-7. Based on the court’s review of the applicable case law, see id., at 7-10, the district court concluded that “the mere possibility of future harm” is inadequate to establish injury in fact, id., at 10 (citation omitted). The federal court also concluded that the injury alleged in the complaint “is far too speculative” to establish standing. Id., at 11. Indeed, plaintiff could not even establish that his information was stolen and, even if stolen, that anything more than his email address had been stolen. Id. In sum, “At best, Plaintiff has alleged a mere possibility of an increased risk of identity theft, which is insufficient for purposes of standing, and he certainly has not asserted a credible threat of identity theft.” Id., at 12. Accordingly, “under any standard for increased risk of harm,” plaintiff failed to establish standing. Id. The district court therefore granted Aetna’s motion and dismissed the class action complaint. Id., at 14.