On September 5, 2012, the U.S. Court of Appeals for the 11th Circuit overruled, in part, a dismissal of a class action filed first in Florida state court (then removed to federal court), which action arose out of the theft of two unencrypted laptops (Resnick v. AvMed, No. 11-13694). The laptops of AvMed, a managed care organization, contained protected health information and personally identifiable information for approximately 1.2 million current and former members. Plaintiffs’ class action alleged that an unknown third party used the information for fraudulent purposes 10 to 14 months after the theft. AvMed moved to dismiss the class complaint, which the district court granted on the grounds that plaintiffs failed to state a cognizable injury. Specifically, the district court reasoned that plaintiffs sought to “predicate recovery upon a mere specter of injury: a heightened likelihood of identity theft.”
The 11th Circuit found (after plaintiffs amended their complaint to include only parties alleging actual identity theft) that where plaintiffs allege they have become victims of identity theft and have suffered monetary damages as a result, this constitutes an injury in fact. Next, the court looked at whether plaintiffs’ injury was fairly traceable to AvMed’s actions. The court found that even a showing that a plaintiff’s injury is indirectly caused by a defendant’s actions satisfies the fairly traceable requirement and here, plaintiffs alleged that AvMed failed to secure their information, despite plaintiffs’ efforts at protecting their information and in light of the fact that they have become victims of ID theft. The court found that under Florida law, plaintiffs’ allegations that they suffered monetary loss was a cognizable injury.
The court was also satisfied that the allegations sufficed to establish causation, citing to the 9th Circuit’s ruling in Stollenwerk v. Tri-West, 254 F. App’x 664 (9th Cir. 2007). The court looked at whether there was a logical connection between events – the sensitive information on the stolen laptops was the same sensitive information used to steal their identities. Given the facts pled, the 11th Circuit found a sufficient nexus between the lost laptop incident and the identity theft loss. (The court found that the negligence, breach of contract, etc. claims could stand while the unjust enrichment claim would not).
The dissent found that the complaint should be dismissed for failure to state a claim because the complaint failed to allege a plausible basis for finding that AvMed caused plaintiffs to suffer identity theft. The dissenting judge argued that it was equally plausible that the identity thieves obtained the information from other third parties, not as a result of the AvMed breach.
The decision may have an impact on how parties view the viability of a class action following a data breach. The 11th Circuit noted this was the first such review of these issues before them – the ruling, however, may leave open what kind of damages suffice and how far from an incident an identity theft is plausibly related.