Curry v. AvMed, Inc.
AvMed had announced that two laptops were stolen in December 2009. The laptops contained unencrypted sensitive information regarding approximately 1.2 million AvMed customers. The lost information included protected health information, social security numbers, names, addresses, and phone numbers.
Initially, Curry illustrates a point I have been discussing since the decision in Stollenwerk v. Tri-West Health Care Alliance, 254 Fed. Appx. 664 (9th Cir. 2007), namely that plaintiff’s counsel will learn to plead around the standing issue. In Curry, the court gave counsel three chances to amend their complaint and get it “right.” While the lower court still dismissed the case, it was this final complaint that finally hit all the elements outlined in decisions like Anderson v. Hannaford Bros. Co., Nos. 10-2384, 10-2450 (1st Cir. Oct. 20, 2011). http://www.ca1.uscourts.gov/pdf.opinions/10-2384P-01A.pdf. In sum, after adding and dropping plaintiffs, the complaint finally alleged that the thieves sold the laptops to individuals who traffic in stolen property, and then ten and fourteen months later, the two named plaintiffs suffered identity theft.
Frankly, I suspect that most counsel will get their complaint correct on the first try. I am surprised that it took plaintiffs’ counsel three attempts to properly plead this case. It may be that it required multiple attempts not to plead the proper facts, but to find clients that supported such allegations. The more interesting question is how these two named plaintiffs were found by counsel. Neither was in the original complaint. It may be another lesson in how to properly prepare the breach notification plan. http://www.healthcareinfosecurity.com/post-breach-what-to-say-a-4743/op-1
Causation
As discussed above (and in other blogs), the ruling on what is required to sufficiently plead an Article III injury and damages is not remarkable. What the Circuit Court says about causation is interesting. After reciting the law on causation in the context of Twombly, the Court focused on whether the complaint alleged plausible facts to create a nexus between the breach and the alleged financial loss. Relying on Stollenwerk, the Court stated that “proximate cause is supported not only by the temporal[] but also by the logical[] relationship between the two events.”
In finding that the complaint pled “a logical relationship between the two events,” the Court emphasized the importance of the fact that the two named plaintiffs alleged that they were careful in guarding their sensitive information and avoided sharing sensitive information digitally. The Court noted that there was some temporal delay between the theft of the laptop and the alleged identity theft. However, the Court concluded that “Plaintiffs allege a nexus between the two events that includes more than a coincidence of time and sequence.” Specifically: (1) ten months following the laptop theft, an unknown third party opened Bank of America accounts, activated credit cards, made unauthorized charges, and changed one of the plaintiffs’ mailing address with the US Postal Service; (2) fourteen months after the laptop theft, the other named plaintiff had a brokerage account opened in her name, and that account was overdrawn.
Class Certification
Between Stollenwerk and Curry, plaintiffs have guidance on how to plead causation. While getting past the pleading stage is a victory for plaintiffs, the more interesting aspect of this decision will be the setup for class certification arguments. The Curry plaintiffs seek to “represent the class of AvMed customers whose sensitive information was stored on the stolen laptops and a subclass of individuals whose identities have been stolen since the laptop theft.” The decision does not speak to class issues, but obviously the definition is defective. Absent financial loss, there is no injury and no claim. Thus the definition will need to be narrowed to only those whose identities have been stolen. Even then the class allegations likely fail, as the Court’s analysis of the facts supporting causation suggests a highly individual inquiry for each putative class member. As a result, plaintiffs will not be able to meet the requirements of Fed. R. Civ. P. 23(b)(3). Indeed, the services offered to affected consumers by AvMed after the breach may further improve the defense.
It is, however, the Court’s ruling on unjust enrichment that creates the most risk, as the same defenses to class certification may not be available because there is no causation element. The unjust enrichment claim is based on the monthly premium payments and a presumption that these payments were made to help pay for proper data security. Not surprisingly, AvMed argued that plaintiffs paid for health insurance and not data security. In determining whether the unjust enrichment claim survived, the Court seems to conclude that what matters is the plaintiffs’ expectation that some of these premiums were to be used for data security. AvMed did not give them this expected benefit by failing to have proper data security in place. While I agree with the dissent that this analysis turns unjust enrichment claims on their head (this is a breach of contract claim, not unjust enrichment), the question remains whether proof of this expectation can be established on a class-wide basis. The question may turn on the documentation AvMed provided to its insureds and whether the documents include any promises regarding data security.
Companies Need to be Prepared
Regardless, the opinion highlights again the need for companies to be prepared. Initially, encrypting the laptops would have cut short all these issues. Likewise, statements about data security in contracts and marketing materials likely will affect the unjust enrichment claim and likely others. Decisions at the time of the breach (e.g., communication plan and services offered to affected consumers) will influence the strength of the defense. The lines of defense are moving from the pleading stage to discovery and class certification, and companies need to be proactive to provide the best defense.