Data Breach Claims Get Mixed Treatment by the 9th Cir
Jeff Neuburger points to a 9th Circuit decision [pdf] largely affirming a grant of summary judgment against plaintiffs in a data breach case. The court adopts the prevailing "no harm, no foul" mode of analysis (as Neuburger describes it): if you cannot show actual identity theft-type harm, as an aggrieved consumer you are not even entitled to credit-monitoring damages. The decision is unpublished, but is certainly significant in its treatment of data breach claims (and because it seems to present one of the first instances of a successful data breach claim). The plaintiff who showed actual harm was allowed to proceed with this claim while the other two plaintiffs were rebuffed.
The basic facts are straightforward enough: Tri-West Health Care Alliance suffered a burglary in which numerous pieces of hardware were stolen. Among the pieces of hardware were those containing the personal information (names, addresses, social security numbers) of its customers. (The opinion does not mention the health/privacy-related ramifications of the information, if any.) Three plaintiffs brought suit; two of them had experienced no identity theft issues, and one had. One of the plaintiffs actually presented proof that someone created numerous accounts in his name following the theft at issue. Although the opinion is not 100% clear, defendants offered "basic" credit-monitoring services - which are freely provided by credit agencies anyway (?). The district court granted summary judgment against all claims. The 9th Circuit affirmed with respect to the two plaintiffs who failed to show any instances of actual harm (in the form of identity theft issues) but reversed with respect to the other plaintiff (who had suffered identity theft issues).
My take: the case is interesting on a variety of levels, and in my mind really shows the nonchalant attitude with which courts approach identity theft issues suffered by individual plaintiffs.
First and foremost, it's quite odd, given that all plaintiffs alleged claims arising out of the same theft, that the court didn't allow one group of plaintiffs to use the evidence of identity theft suffered by the other group. Given the court's acceptance of the evidence put forth by Brandt (the plaintiff who had suffered identity theft issues), it's safe to assume that someone misused the information contained in the servers. This is precisely the type of information the other two plaintiffs would have to show to satisfy the evidentiary hurdle set by the court. Yet there's no real logical reason to accept the evidence in favor of one plaintiff while not allowing the other plaintiffs to benefit from this evidence.
Second, in cases sometimes you see inferences based on common sense and experience. For example, if a car was stolen and a third party ended up with a stolen part, factfinders are likely to assume that someone chopped up the car and sold it for parts. Or, if you are caught with a high quantity of drugs and a large quantity of baggies, this may raise an inference that you have an intent to sell/distribute. Here, the court turns a blind eye to common sense, going so far as to say that given the type of theft that occurred, the "risk [that the thieves would use the personal information] was low." I would think the first thing anyone (let alone a miscreant) would do upon coming into possession of a piece of hardware would be to find out what type of information is on it and how you can further exploit this information. Even if the original thieves don't take this step, those to whom the hardware is sold or those who come into possession of the hardware are sure to do so. In this day and age, this should be fairly obvious stuff. Yet the court takes pains to point out that the underlying theft wasn't about identity theft (i.e., the thieves didn't just steal information) and therefore it's not likely that someone will exploit the compromised information. This strains common sense.
Third, it's interesting to see how the court views the adequacy of credit-monitoring services. Here, defendants put on evidence that plaintiffs could obtain free "credit-monitoring" services which can be renewed for seven years. Meanwhile plaintiffs' expert supposedly failed to articulate why enhanced or premium credit-monitoring services would be necessary. The court seems to miss the fact that free credit monitoring services don't amount to much, and enrolling in them will require you to put aside your worries about automatically being enrolled and having your credit card charged for premium services, receiving spam, and generally being at the mercy of nefarious credit reporting agencies. (See, e.g., "Marketer of 'Free Credit Reports' Settles FTC Charges.")
Maybe I'm being unduly critical of the decision. Either way, I'm surprised time and time again at how, in the view of courts, the fact that you lost your personal information after having entrusted it to a third party doesn't itself amount to injury.
NB: see Jeff's post where he cites to earlier cases that go in the same direction and notes the possible disconnect in the 9th Circuit's approach here with respect to the two sets of plaintiffs.

