In Curry v. AvMed Inc., No. 11-13694 (11th Cir. Sept. 5, 2012), the Eleventh Circuit found that the named plaintiffs sufficiently alleged injury and causation by including detailed allegations making it plausible, not merely possible, that their purported injuries resulted from the data breach.
In AvMed, plaintiffs alleged that their identities were stolen as a result of the theft of two unencrypted laptop computers containing sensitive customer information – including private health information, social security numbers, names, addresses, and phone numbers – of approximately 1.2 million AvMed customers. Plaintiffs alleged that these laptops were sold to an individual that dealt in stolen property, that they were victims of identity theft approximately 10-14 months after the laptop computers were stolen, and that they suffered financial damages as a result of the defendant’s failure to secure their sensitive personal information. In addition, plaintiffs included detailed allegations in an attempt to tie their identity theft to the data breach. For example, plaintiffs alleged that they had never transmitted unencrypted sensitive information over the internet, that they stored their sensitive information in a secure location, and that they physically destroyed documents containing sensitive information common to identity theft. Plaintiffs further alleged that the information on the laptops was the same information used to steal their identities and that they had never been victims of identity theft before.
The District Court dismissed plaintiffs’ claims, holding that, among other deficiencies, the complaint failed to state a cognizable injury. See Resnick v. AvMed, Inc., No. 10-cv-245513-JLK (S.D. Fla. July 12, 2011). In reversing the District Court, the Eleventh Circuit determined first that plaintiffs had Article III standing to sue because they had alleged actual – not speculative – identify theft and monetary harm. The Court then examined whether plaintiffs adequately alleged causation under several Florida state law claims. The Court noted that, “to prove that a data breach caused identity theft, the pleadings must include allegations of a nexus between the two instances beyond allegations of time and sequence.” Curry v. AvMed Inc., No. 11-13694 at 14. In determining that the allegations did plead such a nexus, the Court relied heavily on the specific allegations regarding plaintiffs’ attempts to safeguard their personal information. The Court reasoned that these allegations were “sufficient to cross the line from merely possible to plausible.”
This decision is important because it is the Eleventh Circuit’s first opinion discussing standing in the data breach context. The holding’s applicability to future cases may be limited, however, because of the uniquely detailed allegations that were included in the complaint at issue. Indeed, the Court stated it “doubt[ed] whether the Complaint would have survived a motion to dismiss” if plaintiffs alleged any less. Id. at 17. In sum, the Eleventh Circuit made clear that, in order to survive a motion to dismiss in the context of a data breach, a plaintiff must plead something beyond “mere timing and sequence” and must allege a nexus between the data breach and identity theft.