Lawsuit Against Data Security Company Arising Out of State Tax Breach Dismissed

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

March 19 --A federal district court March 12 dismissed a putative class action alleging that a data security company's actions led to a data breach at the South Carolina Department of Revenue, finding the plaintiff's claimed injuries “too speculative” to establish Article III standing ( Strautins v. Trustwave Holdings, Inc., 2014 BL 67509, N.D. Ill., No. 1:12-cv-09115, dismissed 3/12/14).  

Social Security numbers for some 3.6 million taxpayers, as well as information belonging to 657,000 businesses and 387,000 credit and debit card holders, were exposed in a hacking breach at the department .

Plaintiff Amber J. Strautins sued Trustwave Holdings Inc., a Chicago-based data security company, on behalf of a proposed class of taxpayers who filed South Carolina tax returns since 1998. She alleged that Trustwave, which maintained the security of the Department of Revenue's system, inadequately protected her personally identifiable information (PII).

Judge John J. Tharp Jr. of the U.S. District Court for the Northern District of Illinois granted Trustwave's motion to dismiss and dismissed the case without prejudice.

In February 2013, a South Carolina court dismissed putative class action claims against Trustwave because the plaintiffs alleged only risk of harm from the breach rather than actual harm (12 PVLR 438, 3/11/13).

Clapper Is Binding

The plaintiff's claimed injuries included untimely or inadequate breach notification, improper disclosure of PII, loss of privacy, out-of-pocket expenses to mitigate an increased risk of identity theft/fraud, value of time spent mitigating identity theft/fraud, deprivation of the value of PII and violations of rights under the Fair Credit Reporting Act, the court explained.

Given that such injuries “are premised on the mere possibility that her PII was stolen and compromised, and a concomitant increase in the risk that she will become a victim of identity theft, Strautins' claim is too speculative to confer Article III standing,” the court said.

As in Clapper v. Amnesty International USA, 133 S. Ct. 1138, 2013 BL 50248 (2013) , the plaintiff failed to allege facts that would establish a “certainly impending” risk of injury, the court said.

The court rejected the plaintiff's attempt to rely on the U.S. Court of Appeals for the Seventh Circuit's decision in Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 2007), holding that consumers whose online banking information had been hacked had standing based on their risk of future harm .

In addition to predating Clapper, the Seventh Circuit's decision didn't explore thresholds for “probabilistic harm,” suggesting that any degree of risk exposure could confer standing, the district court said.

Clapper does not completely close the door on probabilistic harm as a basis for standing--harm that is 'imminent' or 'certainly impending' is, by definition, harm that has not occurred,” the court said. “Nevertheless, the import of the Supreme Court's decision in Clapper is that, whatever verbal formulation is used to describe it, the threshold of probability for injuries that have not actually occurred is high.”

The complaint also fails to state a claim because it doesn't plausibly establish that the plaintiffs' PII was stolen and compromised, the court said. The Department of Revenue made clear that tax filers' PII was possibly compromised, the court said.

The Coffman Law Firm and Barnow and Associates PC represented the named plaintiff. Kirkland & Ellis LLP represented Trustwave.

Full text of the court's opinion is available at

Request Bloomberg Law Privacy and Data Security