One of the challenges for a plaintiff bringing a lawsuit based upon a data security breach is causation. For example, if a laptop is stolen containing your personal information and you are a victim of identity theft a week later, can you be certain that the two events are linked? More to the point, will a court allow your claim to proceed based upon that possible (and perhaps likely) connection?
A November 20 ruling by the Ninth Circuit Court of Appeals provides insight into how courts will evaluate causation in data breach cases. In the Ninth Circuit case (Stollenwerk v. TriWest Health Care Alliance Corp., 9th Cir., No. 05-16990, unpublished opinion 11/20/07), three plaintiffs filed a complaint against a health care company after personal information on over a half million military retirees was stolen from the company’s offices. One of the plaintiffs identified at least six unauthorized attempts to use his personal information within six weeks after the data breach.
The Ninth Circuit reversed a trail court’s grant of summary judgment dismissing this plaintiff claim. The court relied upon the fact that the attempted identity theft occurred shortly after the breach, as well as other circumstantial evidence. In particular, the court noted that the data subject to the breach was the same kind of data needed to commit the identity theft that was later attempted. Of course, causation is just one of the challenges facing data security breach claims, but that is a subject for other postings ….