Summary
granting defendant summary judgment because of plaintiffs failure to demonstrate injury as there was no evidence of identity fraud or that plaintiffs information was accessed
Summary of this case from Caudle v. Towers, Perrin, Forster Crosby, Inc.Opinion
No. 1:05cv756.
May 16, 2007
Alan J. Statman, Colleen Marie Hegge, Jeffrey Phillip Harris, Statman, Harris Eyrich, LCC, Christian A. Jenkins, Mezibov Jenkins, LLP, Cincinnati, OH, for Plaintiff.
Andrew C. Glass, R. Bruce Allensworth, Ryan M. Tosi, Kirkpatrick Lockhart Preston Gates Ellis LLP, Boston, MA, Mark Alan Vanderlaan, Dinsmore Shohl, Cincinnati, OH, for Defendant.
ORDER
This matter is before the Court pursuant to Plaintiff's motion for class certification (Doc. 34), Defendant's motion for summary judgment (Doc. 44), and Plaintiff's motion to compel (Doc. 65). These motions are fully briefed and oral arguments were held on the class certification and summary judgment motions on April 16, 2007.
I. Background Information and Facts.
Plaintiff filed this matter in state court on October 25, 2005. Defendants timely removed to Federal Court on November 22, 2005. Plaintiff filed an amended complaint alleging negligence (Count I), Invasion of Privacy (Count II), Breach of Duty of Confidentiality (Count III), Fraud (Count IV), Unauthorized Use of Computer (Count V) and a violation of the Consumer Sales Practice Act (Count VI). Counts II-VI were dismissed by the Court (Doc. 64) pursuant to a Stipulation of Dismissal filed by the parties (Doc. 63). Thus, the only claim remaining is Plaintiff's claim of negligence.
Defendant Litton Loan Servicing LP ("Litton") is a mortgage loan service provider with its principal place of business in Houston, Texas. Litton maintains facilities in other cities, including Atlanta, Georgia. (Declaration of Jeff Roberts, dated September 28, 2006, ¶ 3-4 ("Roberts Decl.")). On August 27, 2005 certain computer equipment valued at over $60,000 was stolen from the Litton Atlanta office. The break-in set off the facility's ADT alarm system which notified police and a designated Litton contact who both responded. (Id. ¶ 7-12). Included in what was taken during the theft were six unmarked hard drives, four of which contained personal information of 229,501 former customers of Provident Bank, including Plaintiff Patricia Kahle. (Id. ¶ 24). Litton acquired the mortgage servicing rights to some of these customers as well as other customers whose loans Provident no longer owned or serviced. (Id. ¶ 13-14).
Approximately four weeks after the break-in, Litton provided notice of the theft to each person whose information was on the subject computer hard drives. The notice informed each person of the type of information on the hard drive. The notice provided information about a Federal Trade Commission website that could be of assistance; and provided a toll free telephone number to call Litton with any questions. Additionally, the notice stated:
We recommend that you place a fraud alert on your credit file. A fraud alerts lets creditors know to contact you before opening new accounts or making changes to your existing accounts. You may contact the three credit bureaus at the numbers listed below to place a fraud alert on your credit file, automatically and free of charge.
(Id. ¶ 15-16 and Exhibit A).
According to Litton, Litton's facility can only be accessed by way of an electronic keypass and has a security guard present during business hours as well as an alarm system that is monitored 24 hours a day. The stolen equipment was housed in a locked room to which only two employees had a key. (Id. ¶ 5-6). Apparently the thief or thieves threw a man-hole cover through a window. Plaintiff alleges that Litton was negligent in its protection of this personal information. (See generally Amended Complaint, Doc. 13). According to Plaintiff, the door to the room which housed the equipment was not secure and although a key may have been needed, one could gain access by simply pressing hard on the door. (Doc 67-10; Doc. 58-2, p35). Plaintiff also asserts that the theft may have been an "inside job". (Doc. 58, p12).
According to Litton, the stolen hard drives have several layers of security. First, the hard drives must be arranged in one specific order in a server to access any information. If the order is not accurate, the data may be corrupt and unuseable. (Roberts Decl. ¶ 22-24). Second, the password for accessing the hard drives is held by only two individuals who are still employed by Litton and is changed every six months. This password consists of a non-dictionary readable string of over ten characters that is drawn from any of the 94 computer keyboard characters, resulting in more than 53,861,500,000,000,000,000 different possibilities. (Id. ¶ 20-21). Plaintiff, however, disputes this asserting that Roberts testified that the password was only six characters long and that he did not know if it was changed every six months. (Doc. 58-2, p42-43). Further, Plaintiff argues that four people, not two, including an outside vender had keys to the server room. (Doc. 58-2, p46-47).
The police conducted an investigation and Litton hired a private investigator who also conducted an investigation. Neither were able to determine the person or persons responsible. (Roberts Decl. ¶ 11-12). Plaintiff alleges Litton prematurely terminated the private investigator.
Plaintiff did not place a fraud alert on her credit report as recommended in the letter from Litton (Patricia Kahle Deposition, July 26, 2005 ("Kahle Depo.") at 20, 63. Furthermore, Plaintiff has acknowledged that no unauthorized use of her personal information has occurred since the theft and that she has no knowledge of whether or not any of her information from the hard drives has been accessed. (Kahle Depo. at 12, 63, 84, 88). Plaintiff does have her birth date and social security number on her drivers license and she writes checks that contain her bank account number. (Id. at 29-31).
Several years prior to the theft Plaintiff had a false charge appear on one of her credit card bills and sometime in 2004 she lost her purse for twelve hours while on vacation in Florida (Kahle Depo. at 10-15, 26).
At some time prior to the theft, Plaintiff enrolled in a service through her Discover credit card, for $2.99 per month, called Wallet Protection. This service allows her to call one easily identifiable phone number to cancel all of her credit cards in the event they are lost or stolen. At the time of her deposition, Plaintiff had not purchased any credit monitoring services. (Id. at 23). However, approximately three weeks prior to her deposition, Plaintiff called Discover and was informed that they offered a free 90-day monitoring service. (Id. at 21). After the ninety days there is a monthly charge. Plaintiff testified at her deposition that she "told them no," she did not want the monthly service after the initial free period. (Id. at 22). When asked "so you haven't paid them for the — any additional moneys beyond what you're paying for the Wallet Protection?", Plaintiff responded "Right." (Id.) In direct conflict to her deposition testimony, Plaintiff filed an affidavit in which she states the purpose is "to clear up any confusion relating to my expenditure of money to protect my credit as a result of the theft of my personal information . . ." in which she states that "in direct response to the theft, I added an additional service under the Discover Card Wallet Protection Program to provide for complete three-in-one credit monitoring protection." (Doc. 58-2, ¶ 4). Plaintiff states that she is "paying $2.99 per month for the Discover Wallet Protection Program, and $12.99 per month for the additional Three-in-One identity theft protection and credit monitoring that I signed up for after the theft of my personal information." (Id. ¶ 6). Plaintiff fails to state in her affidavit when she signed up for the Three-in-One Protection.
II. Legal Analysis
Summary judgment is appropriate "if the pleadings, depositions, answers to interrogatories, and admissions on file, together with the affidavits, if any, show that there is no genuine issue as to any material fact and that the moving party is entitled to a judgment as a matter of law." Fed.R.Civ.P. 56(c). A court must view the evidence and draw all reasonable inferences in favor of the nonmoving party. See Matsushita Elec. Indus. Co. v. Zenith Radio Corp., 475 U.S. 574, 587, (1986). The moving party has the burden of showing an absence of evidence to support the non-moving party's case. Celotex Corp. v. Catrett, 477 U.S. 317, 325 (1986). Once the moving party has met its burden of production, the non-moving party cannot rest on his pleadings, but must present significant probative evidence in support of his complaint to defeat the motion for summary judgment. Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248-49 (1986). The mere existence of a scintilla of evidence to support the non-moving party's position will be insufficient; the evidence must be sufficient for a jury to reasonably find in favor of the non-moving party. Id. at 252.
To prevail on her negligence claim Plaintiff must establish that the defendant: (1) owed a duty of care to the plaintiff; (2) breached that duty; and (3) the breach of that duty proximately caused (4) injury to the plaintiff. Nye v. CSX Transp., Inc., 437 F.3d 556, 563 (6th Cir. 2006) (internal cites omitted). It is clear to the Court that Defendant owed a duty of care to the Plaintiff and that the duty was breached; however, Defendant argues that Plaintiff's cause of action fails as a matter of law because Plaintiff cannot establish injury or causation. In response, Plaintiff argues that the motion for summary judgment is premature as discovery is not yet complete and that there are genuine issues of material fact that exists as to liability and damages.
Although Plaintiff filed her memorandum in opposition on October 20, 2006, the discovery deadline has now passed and the trial is scheduled to start on July 9, 2007.
Plaintiff's first amended complaint alleges that "[i]t will be necessary for Plaintiff to have credit monitoring for many years, at great expense to Plaintiff . . ." Doc. 13, ¶ 29. Litton, relying on Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018, 1020 (D. Minn. 2006), argues that the "threat of future harm, not yet realized, will not satisfy the damage requirement." This type of "identity exposure" or "lost data" case has not yet been considered by the Sixth Circuit; however, Judge Frost of this District Court has addressed a similar issue. See Key v. DSW, Inc., 454 F.Supp.2d 684 (D. Ohio, Sept. 27, 2006).
Plaintiff also alleged that she "has and will continue to suffer emotional distress over the theft of her identity and the possibility that unauthorized persons will use her information to her detriment." Doc. 13, ¶ 30. However, Plaintiff does not address the emotional distress issue in her memorandum in opposition to Defendant's motion for summary judgment. Thus, it appears that Plaintiff has abandoned this alleged injury. Regardless, Plaintiff has failed to set forth sufficient evidence to support any claim of emotional distress.
The Supreme Court has stated that in a class action lawsuit any named plaintiff who proposes to represent a class "must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent." Simon v. Eastern Ky. Welfare Rights Org., 426 U.S. 26, 40 n. 20 (1976). Therefore, summary judgment must be granted for the Defendant if the named Plaintiff has not suffered an injury.
As noted above, the only injury which plaintiff alleges to have incurred as a result of the theft are expenses which she has made to purchase a credit monitoring product. Although the amount of recoverable damages is a question of fact, the measure of damages upon which the factual computation is based is a question of law. Hendricks v. DSW Shoe Warehouse Inc., 444 F. Supp. 2d 775, 779 (D. Mich. 2006) citing Wolff Munier, Inc. v. Whiting-Turner Contracting Co., 946 F.2d 1003, 1009 (2d Cir. 1991); see Cold Metal Process Co. v. E.W. Bliss Co., 285 F.2d 231, 242 (6th Cir. 1960) (ruling on the measure of damages arising out of undisputed facts involved a question of law); see also Neyer v. United States, 845 F.2d 641, 644 (6th Cir. 1988) ("the exact amount of a damages award is left to the discretion of the trier of fact within the framework of allowable elements under the law"). Therefore, although Plaintiff alleges that she and the putative class have incurred or will incur damages represented by the costs of purchasing a credit monitoring product, the question of law for the court is whether such alleged damages are properly recoverable. See Hendricks v. DSW Shoe Warehouse Inc., 444 F. Supp. 2d at 779.
In Key v. DSW, Inc., the plaintiff brought a putative class action against DSW, Inc. when unauthorized persons obtained access to the store's customers' confidential financial information. Plaintiff alleged negligence, breach of contract, conversion and breach of fiduciary duty. Judge Frost dismissed the plaintiff's claims in Key for lack of standing, finding that her "potential injury [was] contingent upon her information being obtained and then used by an unauthorized person for an unlawful purpose" and that plaintiff had not "alleged evidence that a third party intend[ed] to make unauthorized use of her financial information or her identity." Key v. DSW, Inc., 454 F.Supp.2d at 690. While addressing whether her damages were properly recoverable, Judge Frost stated that:
In the identity theft context, courts have embraced the general rule that an alleged increase in risk of future injury is not an "actual or imminent" injury. Consequently, courts have held that plaintiffs do not have standing, or have granted summary judgment for failure to establish damages in cases involving identify theft or claims of negligence and breach of confidentiality brought in response to a third party theft or unlawful access to financial information from a financial institution. See Giordano v. Wachovia Sec., Civ. No. 06cv-476JBS, 2006 WL 2177036, at *1 (D.N.J. July 31, 2006); Forbes v. Wells Fargo, 420 F. Supp.2d 1018 (D. Minn. 2006); Guin v. Brazos Higher Educ. Serv. Corp., Inc., No. Civ. 05-668, 2006 WL 288483 (D. Minn. Feb. 7, 2006); Stollenwerk v. Tri-West Healthcare Alliance, No. Civ. 030185PHXSRB, 2005 WL 2465906 (D. Ariz. Sept. 6, 2005).Key v. DSW, Inc., 454 F.Supp.2d at 689. Judge Frost went on to state that "Plaintiff's claims are based on nothing more than a speculation that she will be a victim of wrongdoing at some unidentified point in the indefinite future," thus "because Plaintiff has failed to allege that she suffered [an] injury-in-fact that was either `actual or imminent'" her claim must fail. Id. at 690.
Similarly, Plaintiffs in Randolph v. ING Life Ins. Annuity Co., 2007 U.S. Dist. LEXIS 11523 (D.D.C. 2007), alleged that they "have been placed at a substantial risk of harm in the form of identity theft." Id. at 18. The Randolph Court, relying on Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992), found that the Plaintiffs had failed to allege any injury that is "actual or imminent, not conjectural or hypothetical." Id. The Court went on to state that Plaintiffs did "not allege that the burglar who stole the laptop did so in order to access their Information, or that their Information has actually been accessed since the laptop was stolen." Id. The Court then concluded that "Plaintiffs' allegations therefore amount to mere speculation that at some unspecified point in the indefinite future they will be the victims of identity theft." Id.
In Guin v. Brazos Higher Education Service Corp., the Court held that as a matter of law, the plaintiff failed to establish a cognizable injury because there was no evidence that plaintiff's personal information was accessed by the thieves, plaintiff experienced no identity theft or other fraud as a result of the stolen information and no one else whose information was stolen had been the subject of identity theft to the defendant's knowledge. Guin v. Brazos Higher Education Service Corp., 2006 WL 288483 at *5-6.
As the Forbes Court explained, an argument that the time and money spent monitoring a plaintiff's credit suffices to establish an injury "overlook[s] the fact that their expenditure of time and money was not the result of any present injury, but rather the anticipation of future injury that has not materialized." 420 F. Supp. 2d at 1021. Thus, the Forbes Court found that the plaintiffs had not shown a "present injury or reasonably certain future injury to support damages for any alleged increased risk of harm" because their injuries were "solely the result of a perceived risk of future harm." Id.; see also Key v. DSW, Inc., 454 F.Supp.2d at 690 ( citing Forbes).
There is a question as to whether or not Plaintiff timely purchased her credit monitoring service. However, even if she did timely purchase and pay for credit monitoring services, the cases cited by Defendant clearly reject the theory that a plaintiff is entitled to reimbursement for credit monitoring services or for time and money spent monitoring her credit. See Giordano, 2006 U.S. Dist. LEXIS 52266, 2006 WL 2177036, at *5 n. 5; Stollenwerk, 2005 U.S. Dist. LEXIS 41054, 2005 WL 2465906, at *1; Guin, 2006 U.S. Dist. LEXIS 4846, 2006 WL 288483, at *3; Forbes, 420 F. Supp. 2d at 1020-21.
Defendant argues that this case is substantially similar to Key and the other cases cited above. Plaintiff argues that this case is inapposite to Key and the other cases because in those cases the defendants had offered free credit monitoring which was not offered here. Plaintiff here argues that the plaintiffs in Forbes were immediately notified of the theft and were offered free credit/identity protection services. Doc. 58, p6. However, in Forbes, the Court stated "For purposes of this summary judgment motion, it is undisputed that plaintiffs have expended time and money to monitor their credit for any fraudulent use of their personal information." Forbes v. Wells Fargo Bank, N.A., 420 F. Supp.2d at 1019. Thus, it does not appear that the Court considered whether or not credit monitoring was offered when it granted summary judgment for the defendant. Key v. DSW, Inc. is silent as to whether or not credit monitoring was offered and, in fact, upon review of the complaint in that case, it appears that credit monitoring was not offered. See also Stollenwerk v. Tri-West Healthcare Alliance, supra. In Giordano v. Wachovia Sec., supra, Wachovia offered one year of credit monitoring, which Giordano accepted. However, despite the one year of credit monitoring, Plaintiff sued, on behalf of a putative class, seeking, among other things, a credit monitoring program. However, the Court did not give consideration to the fact that credit monitoring was offered. The Court dismissed the case finding that "Plaintiff's claims, at best, are speculative and hypothetical future injuries. A complaint alleging the mere potential for an injury does not satisfy Plaintiff's burden to prove standing. Instead, a plaintiff must allege an actual injury or that an injury is "so imminent as to be `certainly impending.'" Id. at *4 (internal citations omitted). Finally, in Guin v. Brazos Higher Educ. Serv. Corp., Inc., supra, credit monitoring was not offered but, like in this case, Brazos urged borrowers to place "a free 90-day security alert" on their credit bureau files. Thus, the Court does not find Plaintiff's argument persuasive.
Plaintiff also argues that the Sixth Circuit has held that a plaintiff must establish three elements to invoke the power of the Federal Court: (1) an injury-in-fact that is concrete and particularized; 2) a connection between the injury and the conduct at issue — the injury must be fairly traceable to the defendant's action; and (3) a likelihood that the injury would be readdressed by a favorable decision by the Court. Plaintiff relied on Courtney v. Smith, 297 F.3d 455, 459 (6th Cir. 2002); Allen v. Wright, 468 U.S. 737, 751 (1984); and Lujan v. Defendener of Wildlife, 504 US 555, 560 (1990). However, this test is inapplicable here as it is used to determine standing, whether or not the "case or controversy" requirement of Article III of the U.S. Constitution is met. Although some of the cases cited and relied on in this opinion are cases that were dismissed for a lack of standing, that is not the question before this Court. The question before this Court is one of summary judgment, whether there is a genuine issue of material fact as to Plaintiff's claim of negligence which includes, as an essential element, the existence of an injury.
Plaintiff then argues that the Stollenwerk Court analogized the negligent exposure of confidential personal information to that of negligent exposure to a toxic substance arguing that this Court should do the same and find credit monitoring to be a sufficient injury. However, the Stollenwerk Court specifically stated,
Although a victim of identity theft and/or fraud, like the victims in other negligence actions where present actual injury is required, may experience nonmonetary harm, the primary injury does not present a serious health risk. Thus, despite findings that identity theft results in more than purely pecuniary damages, including psychological or emotional distress, inconvenience, and harm to his credit rating or reputation, as a matter of law identity theft and credit monitoring must still be differentiated from toxic torts and medical monitoring.Stollenwerk, 2005 WL 2465906 at *4 (emphasis added) (internal citations omitted). See also Key v. DSW, Inc., 454 F.Supp.2d. at 691 (finding identity theft cases distinguishable from medical monitoring cases); Giordano v. Wachovia Sec., 2006 WL 2177036 at *3, N4.
Finally, Plaintiff argues that the Stollenwerk Court established a criteria derived from medical monitoring cases that should be applied in this case. These factors are: "(1) significant exposure of sensitive personal information; (2) a significantly increased risk of identity fraud as a result of that exposure; (3) the necessity and effectiveness of credit monitoring in detecting, treating, and/or preventing identity fraud." Stollenwerk, 2005 WL 2465906 at *4. The Court disagrees with its application here. First, this Court has found that "identity exposure" cases are not analogous to medical monitoring cases so that the criteria is not applicable here. Second, the criteria is to be used only if credit monitoring costs are a sufficient injury to state a cause of action for negligence. See Stollenwerk, supra, at *4. As set forth in more detail below, credit monitoring costs are not sufficient injury where no fraud has occurred.
Although the above cited cases are not binding on this Court, this Court finds them to be persuasive. Plaintiff has admitted, that to her knowledge, no unauthorized use of her personal information has occurred. She has not been a victim of identity fraud since the theft, which occurred 20 months ago. Additionally, Plaintiff waited until almost one full year after the theft to obtain credit monitoring and chose not to place a free fraud alert on her credit report. She also failed to allege in her complaint that the information was the target of the theft. Although in her briefs she theorizes that the break-in was an "inside job" and that the information was targeted there is no evidence to support this. The four hard drives were among $60,000 worth of equipment that was stolen from the server room. There is no evidence that the information was the target of the theft as opposed to the actual hard drive themselves. Neither the Atlanta Police Department nor the private investigator hired by Litton came to any such a determination. Furthermore, even if the information was the target of the theft, there is no evidence that the thieves or other unauthorized individuals were able to access that information or if accessed that it would be used for unlawful purposes. Thus, any injury of Plaintiff is purely speculative. It is Plaintiff's choice to obtain credit monitoring in this situation; however, without direct evidence that the information was accessed or specific evidence of identity fraud this Court can not find the cost of obtaining that credit monitoring to amount to damages in a negligence claim.
Since it has been held that Plaintiff has failed to establish an injury, Plaintiff's negligence claim cannot survive. Therefore, the Court will not address the further arguments of the parties.
III. Conclusion
Defendant's motion for summary judgment (Doc. 44) is hereby GRANTED. Plaintiff's motion to certify the class (Doc. 34) and Plaintiff's motion to compel (Doc. 65) are denied as MOOT. The Clerk of Court is directed to CLOSE this case and TERMINATE it from the docket of this Court.