Author Archives: Alex Pearce

Trust but Verify? Liability for Engaging in Transactions with an Identity Thief

After a data breach, consumers often sue to recover for injuries they suffer, or fear they will suffer, when identity thieves use the stolen data. These suits usually target the company that suffered the data breach. 

But can a company that allows an identity thief to make purchases or apply for credit in a consumer’s name using the stolen data also be subject to suit?

The U.S. District Court for the Eastern District of North Carolina recently considered that question in Rogers v. Keffer, Inc. Chief Judge James C. Dever III’s decision in Rogers raises several interesting issues. This post discusses two of them:

  • Can overlooking inconsistencies in information supplied by an identity thief to make purchases or to obtain credit in a consumer’s name give rise to liability under N.C. Gen. Stat. § 75-1.1?
  • Does disclosing stolen data supplied by an identity thief in furtherance of a fraudulent transaction constitute a “security breach” that requires notification to the affected consumer?

Gone (and Back) in 11 Days: an Unusually Brazen Car Thief

In November 2015, an impostor claiming to be Andrew Stutfield Rogers entered a Charlotte car dealership operated by Keffer, Inc. The impostor provided Rogers’s social security number and date of birth, along with a driver’s license with the name “Andrew Leon Rogers” and a nonexistent South Carolina mailing address. Rogers had not lived in South Carolina since 1992.

Keffer took this information and made inquiries into Rogers’s credit report. Keffer then used Rogers’s information to help the impostor obtain a car loan in Rogers’s name from JPMorgan Chase Bank. The impostor applied the loan proceeds to buy a car.    

Eleven days later, the impostor returned to Keffer and repeated the scheme. With Keffer’s help, he again obtained a car loan in Rogers’s name—this time from a different lender—and bought and drove away with a second car. 

Rogers, of course, didn’t know any of this when it happened.

Instead, he first learned of a problem several weeks later, when he received an email from JPMorgan that congratulated him on his new car loan. Rogers then repeatedly called JPMorgan to explain that he had not requested or authorized the loan and that his identity had been stolen.

Even after those contacts, JPMorgan continued to report the loan to credit reporting agencies as belonging to Rogers. JPMorgan also mailed two letters to Rogers that demanded he make payments on the loan. 

Rogers sued Keffer and JPMorgan (among other defendants) in Wake County Superior Court, complaining of injuries that included harm to his credit score, loss of employment opportunities, and emotional distress.  JPMorgan removed the case to federal court.   

Rogers’s claims against Keffer and JPMorgan included a section 75-1.1 claim based on their failure to recognize and to respond appropriately to the impostor’s fraudulent scheme. He also accused Keffer of violating N.C. Gen. Stat. § 75-65, which requires companies to notify individuals of security breaches that involve their personal information. 

Keffer and JPMorgan both moved to dismiss.

Unwitting Accomplice as Section 75-1.1 Defendant?

According to Rogers, Keffer violated section 75-1.1 by failing to verify the impostor’s identity and by overlooking inconsistencies in information supplied by the impostor to complete the car loan applications.

Judge Dever, however, determined the claim could not proceed on those grounds.   

Judge Dever first observed that, under North Carolina law, “wrongful and intentional” harm to a plaintiff’s credit rating and business prospects can support a claim under section 75-1.1. But he found that Rogers’s allegations against Keffer did not satisfy that standard.

Judge Dever acknowledged that Keffer’s actions may have been negligent. But, as often happens when courts confront direct unfairness claims, he concluded without much explanation that those actions were not unfair enough to violate section 75-1.1.  Rogers, he observed, simply had not shown those actions were “immoral, unethical, oppressive, or unscrupulous,” or met other formulations of the unfairness standard under the statute.

As to JPMorgan, Rogers’s section 75-1.1 claim rested on two grounds:

  • reporting the fraudulent loan to credit reporting agencies and failing to properly investigate and to correct erroneous information in its records; and
  • sending collection letters to Rogers despite multiple notifications from Rogers that the account was procured by fraud.

Relying on a 2010 opinion from the Fourth Circuit, Judge Dever held that the claim was preempted as to the first ground by the federal Fair Credit Reporting Act, under which Rogers had asserted a separate claim.  

As to the second ground, however, Judge Dever denied JPMorgan’s motion. He found that JPMorgan’s sending of collection letters to Rogers fell outside the scope of the Fair Credit Reporting Act and that the section 75-1.1 claim was not preempted insofar as it relied on that conduct. And because JPMorgan had reason to know that the loan was fraudulent before it sent those letters, the claim could proceed on that ground. 

Is Furnishing Stolen Information a Security Breach?

Rogers also alleged that Keffer violated section 75-65 by failing to notify him of a security breach involving his social security number. Notably, section 75-65 expressly states that violation of its notification requirement is a per se violation of section 75-1.1. 

According to Rogers, Keffer’s disclosure of his social security number to credit reporting agencies and banks in the course of helping the identity thief to obtain the car loans was a “security breach” for purposes of section 75-65. Keffer failed to notify him of that breach, he argued, and therefore violated the statute.

Judge Dever dismissed the claim. In doing so, however, Judge Dever did not directly address whether Keffer’s unwitting disclosure of Rogers’s social security number to other parties in furtherance of the impostor’s scheme qualified as a “security breach” giving rise to a duty to notify Rogers.

Even assuming it did, he reasoned, Rogers could not show that Keffer’s failure to notify him proximately caused Rogers any injury. Rogers discovered the fraud before Keffer discovered it; indeed, Rogers notified Keffer about the fraud. And Rogers could not point to any expenses that he could have avoided had Keffer found the fraud first and notified him.  

Lessons from Rogers

The prospect of recovery under section 75-1.1 is no doubt attractive to consumers unwinding the effects of identity theft in the wake of a data breach. Judge Dever’s decision, however, indicates that these types of claims face an uphill battle.

According to Rogers, they must allege more than a mere failure to recognize a thief’s scheme, even when the facts suggest it should have been obvious. Once a company has actual notice that fraud has occurred, though, continuing to act as if it has not may well be enough. 

As for per se claims premised on section 75-65, Rogers leaves open the intriguing question whether its breach notification requirement applies to companies who unwittingly share stolen information after an identity thief comes to call. But if a notification obligation does apply, Rogers confirms that would-be plaintiffs must allege specifically how they were harmed by the defendant’s failure to comply.

Author: Alex Pearce

Offers You Make May be Used against You: Free Credit Monitoring and Standing in Data Breach Cases

It’s become an unfortunate rite of passage for the modern age: the receipt of a letter from a company explaining that one’s personal information has been lost or stolen in a data breach.

The letter usually offers to provide free credit monitoring or identity-theft insurance through a third-party vendor. The law usually does not require this type of offer, but companies do it anyway. One reason may be that these types of offers have been shown to reduce the chance of consumer lawsuits.

But if consumers do sue, can the company’s offer be used against it? 

This post addresses that question, which three federal appellate courts have recently considered. As we’ll see, those courts analyzed whether the plaintiffs had Article III standing, a key issue in data-breach litigation.

Standing in data breach cases

In a typical data-breach case, individuals sue the breached company before thieves have misused their data. The alleged injury, then, is usually an increased risk of future fraud or identity theft.

Future harm, however, is often not enough to establish Article III standing in federal court. In Clapper v. Amnesty International, the U.S. Supreme Court confirmed that an alleged “future injury” constitutes an injury-in-fact—and satisfies Article III standing—only if that future injury is “certainly impending.”

This standard, the Supreme Court explained, does not always mean “literally certain.” Instead, a court may find standing based on a showing of “substantial risk” that harm will occur, “which may prompt the plaintiffs to reasonably incur costs to mitigate or avoid that harm.” 

Federal courts assessing standing in recent data-breach cases have turned to Clapper and the “substantial risk” standard. The Seventh Circuit’s decision in Remijas v. Neiman Marcus and the Sixth Circuit’s decision in Galaria v. Nationwide are two leading examples. In both cases:

  • the defendants suffered breaches of their networks by hackers who targeted and stole customers’ personal information;
  • the defendants sent consumers notification letters that included an offer to provide free credit monitoring and identity-theft protection insurance; and
  • the plaintiffs’ injuries consisted in part of an alleged risk of future identity theft.

On these facts, the district courts in both cases dismissed the plaintiffs’ claims for lack of standing. The appeals, however, yielded different results.

In Remijas, the Seventh Circuit concluded that the threat of future harm, and expenditures made by the plaintiffs to protect against that threat, established standing under Clapper. The Seventh Circuit focused specifically on “telling” evidence that Neiman Marcus had offered free protective services to consumers after the breach. The cost of that offer was not de minimis, the court noted. According to the Seventh Circuit, Neiman Marcus would not have offered the services if the risk to the plaintiffs were so “ephemeral” that it “could safely be disregarded.” 

Interestingly, the plaintiffs’ brief never argued this point. It appears to have arisen only in questioning by Chief Judge Diane Wood, the author of the court’s decision, at oral argument.

The Sixth Circuit followed the same reasoning in Galaria. It concluded that the plaintiffs’ allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, were sufficient to overcome a Rule 12(b)(1) motion. The Sixth Circuit relied in part on the defendant’s offer of free credit monitoring, reasoning that the offer must reflect the severity of the risk.

In doing so, the Sixth Circuit rejected the company’s public-policy argument: companies might stop offering these free services if the offers themselves give rise to lawsuits.

Beck v. McDonald: Don’t punish good deeds.

A third recent appellate case, however, is more favorable for defendants.

In Beck v. McDonald, the Fourth Circuit considered whether individuals had standing to assert claims arising from data breaches at a Veterans Affairs hospital. One breach was caused by the theft of a laptop containing patients’ unencrypted personal information. Another breach was caused by the theft or misplacement of four boxes of pathology reports. In each case, hospital officials notified affected individuals of the breach and offered free credit monitoring. 

Individuals affected by each incident filed separate class actions against the Secretary of Veterans Affairs and hospital officials. In each case, the plaintiffs’ alleged injuries consisted of the threat of future identity theft and measures taken to mitigate that threat. In each case, the district court relied on Clapper to dismiss the plaintiffs’ claim for lack of standing.

On appeal, the plaintiffs turned to Remijas. They emphasized that the expenditure of federal funds on credit monitoring showed a substantial risk of harm to the plaintiffs. 

The Fourth Circuit, however, sidestepped this argument. Instead, the court distinguished Remijas and Galaria on the ground that those cases involved thieves who intentionally targeted personal information. In Beck, by contrast, there was no evidence the missing laptop or pathology reports were taken because of the personal information they contained. 

In addition, the Fourth Circuit adopted the very public-policy point that the Sixth Circuit disregarded in Galaria. The Fourth Circuit reasoned that, if an offer to provide free credit monitoring services is interpreted to imply a substantial risk of harm, organizations would be discouraged from offering these valuable services.

Implications for Companies

Remijas and Galaria deserve some consideration by companies deciding whether to offer free credit monitoring in the wake of a data breach. But in most cases the benefits of offering these services—meeting customer expectations, preserving goodwill, and possibly avoiding the filing of an action—will outweigh the risk. That’s especially true now that a defendant can turn to the Fourth Circuit’s decision in Beck if plaintiffs try to turn its generosity against it.

Author: Alex Pearce