Summary
rejecting plaintiff's allegation of increased risk of identity theft where plaintiff had not alleged that she had suffered anything greater than an increased risk of identity theft
Summary of this case from Dugas v. Starwood Hotels & Resorts Worldwide, Inc.Opinion
4:06CV00485-WRW.
October 3, 2006
ORDER
Defendant Acxiom Corporation ("Acxiom") stores personal, financial, and other company data for its corporate clients. In 2003, Acxiom's computer bank was hacked and client files were compromised. Plaintiff filed this class action seeking damages and injunctive relief alleging that Acxiom's lax security jeopardized her privacy and left her at a risk of receiving junk mail and of becoming a victim of identify theft. Defendant moved for dismissal (Doc. No. 5). Plaintiff has responded (Doc. No. 16). For the reasons stated below, Defendant's Motion to Dismiss is GRANTED.
I. History
Acxiom is a data bank that stores marketing information about its clients' customers. Acxiom takes this information and "match[es] names with lifestyles and demographic information from other sources . . . [to] give . . . [its] client a clear picture of the people buying its products and services."
Acxiom Corp. v. Axiom, Inc., 27 F. Supp. 2d 478, 482 (D. Del. 1998).
In order for its clients to reach their information, Acxiom maintains a File Transfer Protocol ("FTP") site. To access this site, the client must have a username and password, assigned by Acxiom. Between November 2001 and the summer of 2003, Scott Levine, an Acxiom client, exploited a hole in Acxiom's security system, accessed the Acxiom FTP server, and downloaded other client's databases. Levine sold some of the information to a marketing company in Georgia, who then used the names and addresses to advertise via direct mail. Levine has since been convicted for these illegal activities.
United States v. Scott Levine, 4:04CR00175 (E.D. Ark. 2006).
After Levine's conviction, the Plaintiff, April Bell, filed suit against Acxiom on behalf of herself and all others similarly situated. She alleged that Acxiom failed to protect its clients' data. Plaintiff also alleged that she is at a higher risk of receiving junk mail and of being an identity theft victim.
II. Standard of Review
The standard for a motion to dismiss under Fed.R.Civ.P. 12(b)(1) and 12(b)(6) is that the court must construe the facts alleged in the complaint in the most favorable light towards the plaintiffs. The court should not dismiss the complaint unless it appears that there are no set of facts which would entitle the plaintiffs to relief. The court is "free to ignore legal conclusions, unsupported conclusions, unwarranted inferences and sweeping legal conclusions cast in the form of factual allegations." Finally, on a motion to dismiss (as opposed to a motion for summary judgment) the court should assume that general factual allegations embrace the specific facts necessary to support the plaintiff's claim.
In re Staffmark, Inc. Securities Litigation, 123 F. Supp.2d 1160, 1162-1163 (E.D. Ark. 2000).
Id.
Wiles v. Capitol Indemnity Corp., 280 F.3d 868, 870 (8th Cir. 2002).
Lujan v. National Wildlife Federation, 497 U.S. 871, 889 (1990) ( citing U.S. v. Students Challenging Regulatory Agency Procedures ( SCRAP), 412 U.S. 669 (1973)).
III. Analysis
In its motion to dismiss, Acxiom contends that Plaintiff does not have standing, and in the alternative, that she has not stated a claim upon which relief can be granted. In order to have standing, a plaintiff must meet three requirements. First, a plaintiff must demonstrate that she has suffered an injury in fact which is actual, concrete, and particularized. Second, the plaintiff must show a causal connection between the conduct complained of and the injury. Third, the plaintiff must establish that the injury will be redressed by a favorable decision. The plaintiff has the burden of establishing each of these three requirements.
Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-561 (1992).
Id. See also, O'Shea v. Littleton, 414 U.S. 488, 494 (1974); Los Angeles v. Lyons, 461 U.S. 95, 101-102 (1983); Whitmore v. Arkansas, 495 U.S. 149, 155 (1990) (city residents did not have standing to sue USDA over construction of two sewage ponds in the 100 year flood plain, because although there was a possibility that the flood would occur while the residents owned or occupied land in proximity to the ponds, it was a matter of `sheer speculation' that there would be a flood and that if a flood happened, it would damage the plaintiffs' properties.).
Id. See also, Simon v. Eastern Kentucky Welfare Rights Organization, 426 U.S. 26, 38, 41 (1976).
Id.
Shain v. Veneman, 376 F.3d 815, 817 (8th Cir. 2004), cert denied, 543 U.S. 1090 (2005).
The burden to show standing is not a mere pleading requirement, but "an indispensable part of the plaintiff's case." "Each and every element of the standing requirements `must be supported in the same way as any other matter on which the plaintiff bears the burden of proof, i.e., with the manner and degree of evidence required at the successive stages of the litigation.'" Strict compliance with this jurisdictional standing requirement is mandated. Assertions of potential future injury do not satisfy the injury-in-fact test. "A threatened injury must be certainly impending to constitute injury in fact."
Delorme v. U.S., 354 F.3d 810, 815 (8th Cir. 2004) ( quoting Lujan, 504 U.S. at 561).
Id.
Johnson v. Missouri, 142 F.3d 1087, 1088 (8th Cir. 1998) (internal citation omitted).
Sierra Club v. Robertson, 28 F.3d 753, 758 (8th Cir. 1994) ("assertions of potential future injury do not satisfy the `injury-in-fact' test"); see also Whitmore v. Arkansas, 495 U.S. 149, 158 (1990).
In Lujan, environmental groups challenged governmental regulations concerning the Endangered Species Act. The groups contended that they had traveled abroad to view endangered species in the past and intended to do so in the future, and that the regulations would negatively affect their ability to do so. Reasoning that the groups did not show that one or more of their members would be directly affected by the regulations and that intentions to view endangered species at some "indefinite future time" did not demonstrate an imminent injury, the Supreme Court ruled that the groups failed to show an injury in fact, and thus did not have standing to contest the regulations.
Lujan, 504 U.S. at 563-64.
Id.
Id. at 556.
In this case, Plaintiff alleged that she suffered an increased risk of both receiving unsolicited mailing advertisements and of identity theft. In response, Defendant argues that both Plaintiff's alleged injuries are speculative — Plaintiff has not plead that she has received a single marketing mailer or had her identity stolen. Moreover, several courts have held that the receipt of unsolicited and unwanted mail does not constitute actual harm. Additionally, while there have been several lawsuits alleging an increased risk of identity theft, no court has considered the risk itself to be damage. Only where the plaintiff has actually suffered identity theft has the court found that there were damages.
Smith v. Chase Manhattan Bank, 293 A.D.2d 598, 599-600 (N.Y.App. 2002) (finding that where bank had sold names, addresses and financial data to marketing company, the receipt of unwanted marketing solicitations was not an actual harm); Shibley v. Time, Inc., 341 N.E.2d 337, 339-40 (Ohio App. 1975) (finding that the "right of privacy does not extend to the mailbox" and finding that under Ohio law, sale of `personality profiles' does not constitute an invasion of privacy); Lamont v. Commissioner of Motor Vehicles, 269 F. Supp. 880, 883 (S.D.N.Y. 1967) ("The mail box, however noxious its advertising contents often seem to judges as well as other people, is hardly the kind of enclave that requires constitutional defense to protect `the privacies of life.' The short, though regular, journey from mail box to trash can . . . is an acceptable burden, at least so far as the Constitution is concerned.").
Walters v. DHL Express, 2006 WL 1314132 at 5 (C.D. Ill. May 12, 2006) (dismissing claim for damages of increased risk of identity theft under 49 U.S.C. § 14706 et seq. The court reasoned that damages for risk of identity theft would be based on speculation, as opposed to actual loss.); Guin v. Brazos Higher Education Service Corp., Inc., 2006 WL 288483 at 5 (D. Minn. Feb. 7, 2006) (rejecting that an increased risk of identity theft constituted damages where a laptop containing sensitive data was stolen and there was no evidence that any party whose information could have been on the laptop had experienced identity theft as a result.); Stollenwerk v. Tri-West Healthcare Alliance, 2005 WL 2465906 at 4 (D. Ariz. Sept. 6, 2005) (dismissing case where hard drives containing personal information were stolen from defendant's facility, reasoning that plaintiffs must, at a minimum, establish "1) significant exposure of sensitive personal information, 2) a significantly increased risk of identity fraud as a result of that exposure and 3) the necessity and effectiveness of credit monitoring in detecting, treating and/or preventing identity fraud.").
Remsburg v. Docusearch, Inc., 816 A.2d 100, 1007-8 (N.H. 2003) (holding an private investigatory firm liable where they had sold information, including the social security number and work address of plaintiff's daughter, to a man who had been stalking and then killed plaintiff's daughter. The court reasoned that a private investigator owed a duty to exercise reasonable care to not subject a third party to an increased risk of criminal misconduct, including stalking and identity theft.).
Furthermore, Plaintiff does not know whether her name and information were contained within the databases stolen by Levine. More than three years after the theft, Plaintiff has not alleged that she has suffered anything greater than an increased risk of identity theft. Because Plaintiff has not alleged that she has suffered any concrete damages, she does not have standing under the case-or-controversy requirement.
76% of all identity theft is discovered before 24 months after the theft. Only 12 % is discovered more than 48 months after the theft. Federal Trade Commission Identity Theft Victim Complaint Data 2005, p. 11, http://www.consumer.gov/idtheft/pdf/clearinghouse_2005.pdf.
Alternatively, Plaintiff argues that she satisfies the `identifiable trifle' doctrine found in U.S. v. Students Challenging Regulatory Agency Procedures (SCRAP). In this case, the Court held that SCRAP had standing because their use of area parks and nature areas would be affected. The Court held, "[t]he basic idea that comes out in numerous cases is that an identifiable trifle is enough for standing to fight out a question of principle; the trifle is the basis for standing and the principle supplies the motivation." However, the `identifiable trifles' that the Court was referring to were, respectively, a fraction of a vote, a $5 fine and costs, and a $1.50 poll tax. In this case, the plaintiff is not trying to protect something as concrete as her political right to be free of fines and taxes — she is asking for protection against a harm that is speculative. Because "assertions of potential future injury do not satisfy the injury-in-fact test," Plaintiff's claims must be dismissed for lack of standing.
412 U.S. 669, 690 n. 14 (1973).
Id.
Id.
Sierra Club, 28 F.3d at 758.
IV. Conclusion
For the above reasons Defendant's Motion to Dismiss is GRANTED.
IT IS SO ORDERED.