Duane Morris Class Action Review - 2023 - Report - Page 135
identity theft and to guard against the heightened risk for fraud and identity theft likely to
occur in the future, including by purchasing additional credit monitoring and identity theft
protection services. The plaintiffs also asserted that they incurred “costs associated with
requested credit freezes,” and also suffered lowered credit scores as a result of
repeated inquiries into their credit. Id. at *5. First focusing on independent standing
issues, the court concluded that the plaintiffs adequately plead injuries-in-fact in the
form of a loss of privacy, as well as the harm incurred by attempting to mitigate existing
and future identity theft. Further, because plaintiffs adequately plead an imminent risk of
future identity theft, the costs the plaintiffs allegedly incurred mitigating that risk
(including fees for credit freezes, fees for credit monitoring services, and the time and
resources spent monitoring credit and financial transactions) constituted an independent
injury-in-fact. The court discussed the two types of alleged injuries and held that the loss
of privacy arising out of the data breach, against which the DPPA was intended to
protect, bears a sufficiently “close relationship” to the tort of public disclosure of private
information, recognized at common law and it is plausible that such disclosure would be
highly offensive to a reasonable person; and the plaintiffs allegations that they have
incurred “costs associated with credit freezes” as well as “lowered credit scores
resulting from [their] credit inquiries following fraudulent activities” are sufficiently
concrete to constitute an injury-in-fact because these alleged losses implicate monetary
harm directly caused by the data breach. Id. at *12. Accordingly, the Court held that the
plaintiffs plausibly alleged facts, taken together, to support the inference that the USAA
owed the plaintiffs a duty of reasonable care under New York law. The court’s holding
as to class standing was based on three factual premises, including: (i) the plaintiffs
plausibly alleged that the USAA obtained and then redisclosed plaintiffs’ PII without their
knowledge or consent as part of its ordinary course of business, and was thus “in the
best position” as between the USAA and the plaintiffs to protect the information; (ii) the
allegation that the USAA actively marketed the strength of its cybersecurity to the public
and “knew it was the target of cyber-attacks”; and (iii) imposing a duty on the USAA
under these alleged circumstances limited the USAA’s liability to only individuals whose
personal information had already been stolen by cybercriminals from other sources. For
these reasons, the court reasoned that fixing a duty of care under these circumstances
best realized the expectations of the parties without imposing unlimited liability on the
USAA.
In Rand, et al. v. Travelers Indemnification Co., 2022 U.S. Dist. LEXIS 196029
(S.D.N.Y. Oct. 27, 2022), the plaintiff filed a putative class action against the defendant
arising out of Travelers’s disclosure of the plaintiff’s personal identifying information (PII)
to non-party cybercriminals. The plaintiff asserted claims under the Driver’s Privacy
Protection Act (the DPPA) and Section 349 of the New York State General Business
Law, as well as state law claims for negligence and negligence per se. Travelers moved
to dismiss for lack of standing and for failure to state a cause of action individually and
on behalf of the class. The court granted the defendant’s motion to dismiss on the
plaintiff’s claim under New York General Business Law § 349 and denied the
defendant’s motion on all other claims. In analyzing the plaintiffs’ individual and class
standing, the court focused on the plaintiffs’ allegations that Travelers designed its
website to ensure agents could generate insurance quotes for consumers as
seamlessly as possible through a “shortcut process.” Id. at *2. Specifically, the plaintiffs
134
© Duane Morris LLP 2023
Duane Morris Class Action Review – 2023
