Data 'fear factor'
Identity thefts lead to suits; defining damages is at issue.
National Law Reporter
By Tresa Baldas
May 9, 2005
The recent wave of personal data thefts from companies across the United States has lawyers bracing for a new round of lawsuits over how businesses safeguard the information.
Attorneys say "fear factor" and negligence lawsuits are starting to hit the courts. Consumers are suing companies for being careless with their personal data, causing it to get lost or stolen and triggering fears of identity theft.
Most recently, four consumer lawsuits were filed against ChoicePoint Inc., which said in February that it accidentally sold personal data on 145,000 consumers to identity thieves.
The suits, which have been consolidated in federal court in Los Angeles and are requesting class action status, seek monetary, statutory and punitive damages, including compensation for the anxiety of waiting and wondering. They also aim to represent consumers regardless of whether their data were used by thieves or not. Harrington v. Choicepoint, No. 2:05-CV-01294-SJO-JWJ (C.D. Calif.).
"Once the data is stolen and is out there, people have a legitimate fear that they're going to become victims, and that's damage right there," said attorney James B. Fishman, a consumer rights expert and partner at New York's Fishman & Neil.
Fishman, who is currently handling six identity-theft cases, said fears over such theft are analogous to anxiety over HIV.
"You may never be exposed to HIV, but you have to get tested," said Fishman, who likened that to consumers having continually to check their credit reports for possible theft. "Courts are starting to recognize that the fear of identity theft is a real concern," he said.
Fishman cited a recent landlord-tenant case in New York, where a judge recognized that a woman's fear of identity theft was a legitimate concern, and allowed her, under consumer protection law, to sue her landlord for demanding her Social Security number. Meyerson v. Prime Realty Services, No. 118001/03 (New York Co., N.Y., Sup. Ct. Feb. 28, 2005).
'Thank God for California'
Privacy advocates say that fear of identity theft has intensified in recent months, with nearly a dozen cases of major data leaks.
Since January, 11 major companies, including ChoicePoint, DSW Shoes Warehouse and Bank of America Corp., have announced that data on potentially millions of consumers have been stolen or have mysteriously disappeared.
The latest data leak happened at Time Warner Inc., which on May 2 reported the loss of computer backup tapes containing personal data on about 600,000 people. Why the sudden disclosure?
Privacy experts say what's prompting many companies to report security breaches is a two-year-old California data-theft disclosure law. It's the only such law in the country, prompting ChoicePoint to begin its notification process in California, and influencing similar proposed legislation in 28 states in recent months.
"I think California's law has played a huge role in this. California's law has not only led to the disclosures, but it's influencing legislation in other states," said attorney Ruth Hill Bro, a privacy expert in the Chicago office of Baker & McKenzie and co-chair of the American Bar Association Section of Science & Technology Law's e-privacy committee.
According to Bro, when ChoicePoint first started notifying California residents about the security breach, attorneys general in 18 other states caught wind of it and told the company that they required notification as well. ChoicePoint eventually notified everyone.
"A lot of people are saying, 'Thank God for California because if they didn't have that law, this stuff would have been swept under the rug,'" Fishman said.
In addition to the 28 states considering data-theft notification laws, credit-freeze bills are also pending in 20 states. Under these proposed laws, consumers would be able to freeze their credit reports, thus preventing anyone from opening any new accounts, even the consumer.
And a national data-theft notification law is pending before Congress, which is also considering amending the Fair Credit Reporting Act so that regulations that apply to credit reporting companies also apply to data brokers.
The FCRA dictates who can view consumer credit histories, and it requires consumer data to be accurate and fairly collected.
Currently, data brokers like ChoicePoint are not covered by the federal act because they are not considered credit agencies.
That's one of the major sticking points in the California consumer lawsuit against ChoicePoint, where plaintiffs' attorneys allege that the company's business model has been designed to skirt federal regulations.
"We are not believing their marketing scheme. They clearly are a consumer reporting agency in many ways. As an Equifax spinoff, they issue consumer reports all the time," said attorney Leonard Bennett, one of several lawyers representing plaintiffs in the consumer lawsuit against ChoicePoint.
Bennett of Consumer Litigation Associates in Hampton Roads, Va., noted that plaintiffs are going beyond liability and damages: They're also hoping to convince the courts to rule that data brokers should be governed by the same rules as credit-reporting agencies.
"Much of this is unchartered territory," said Bennett, noting that identity-theft and data-theft litigation is an emerging area. "Our position is that all consumers are entitled to the protections of the statutes. And when the privacy and the security of their information has been jeopardized or damaged by ChoicePoint, they have a legal remedy."
Attorney Anthony Taketa of Poindexter & Doutre in Los Angeles, who is representing ChoicePoint in the California litigation, declined comment. Three other attorneys representing ChoicePoint did not return phone calls.
ChoicePoint has offered one year of free credit monitoring to the 145,000 consumers affected by the data leak.
Douglas C. Curling, president and chief operating officer of ChoicePoint, apologized for the security breach during a recent Senate Judiciary Committee hearing on Capitol Hill. He also voiced his support for a national data-theft notification law.
"[W]e know, and have been painfully reminded by recent events, that there can be negative consequences to the improper access to personally identifiable data," Curling said in his testimony. "On behalf of ChoicePoint, let me again offer our sincere apology to those consumers whose information may have been accessed by the criminals who perpetrated this fraud . . . . While we offer a wide range of tools to help avoid fraud, no one is immune to it, as we and other companies and institutions are learning."
Michigan attorney Ian Lyngklip, an identity-theft specialist who travels the country giving monthly seminars on the topic, and is working on the California litigation, believes that lawyers are not yet equipped to tackle identity theft, largely because they do not know how to prove damages.
"Identity theft is a legal problem and the attorneys have yet to educate themselves as to how to attack it," said Lyngklip, whose Southfield, Mich., firm, Lyngklip & Taub Consumer Law Group, is handling eight identity-theft lawsuits.
"In the Northern District of Illinois, tons of cases get dismissed because the plaintiffs cannot show damages related to identity theft," Lyngklip said. "The Fair Credit Reporting Act requires that you show harm caused by the creditor or the credit-reporting agencies that stems from something that they're responsible for, and attorneys blow this all the time. They don't know how to prove damages."
A key to winning
Lyngklip said a key to winning cases involving identity theft is proving that a specific economic harm was done. He said that while the best tool for fighting these cases is the Fair Credit Reporting Act, lawyers can also file identity-theft suits claiming defamation, slander, invasion of privacy or negligence.
Technology litigator David Givelber of Atlanta's Alston & Bird also sees some tough hurdles for the California plaintiffs. Proving damages, he said, will likely be the biggest problem.
"I think it's going to be a hard recovery to get just based on the fact that your information has been disclosed," Givelber said.
"Statistically, it's not likely that just because your information was accessed that you're going to be the victim of identity theft," he said.
Given the recent publicity surrounding data leaks, Givelber believes that the courts are going to see a growing number of suits challenging the way companies handle private data.
"These suits are going to be coming in more frequently, and I think are going to be aggressively seeking avenues of recovery and trying to chip away at the damages hurdle," Givelber said.
"Eventually, some judge somewhere is going to be sort of fed up enough with what is the situation and may let one of these things go forward," he said.
However, he added, there's a lot of case law about lack of recovery for mere fear of damage that will work against that.
Bennett disagrees, arguing that the fear of having your data stolen is itself a form of damage.
"That is in fact the heart of the identity-theft problem - it's the potential for harm and abuse," he said.