Identity Theft Litigation

Identity Theft Litigation: Overview

Identity theft litigation arises when an individual or entity sues another for unlawfully obtaining and using personal identifying information—such as Social Security numbers, credit card information, or other sensitive data—for fraudulent purposes. The litigation often involves claims under federal laws like the Identity Theft and Assumption Deterrence Act (18 U.S.C. § 1028), state statutes, and common law claims such as negligence, invasion of privacy, or breach of contract.

Key Issues in Identity Theft Litigation:

Proving unauthorized use of identity

Showing damages resulting from identity theft

Liability of third parties (e.g., data holders or service providers)

Jurisdiction and applicability of state vs. federal laws

Case 1: United States v. Morris, 928 F.2d 504 (2d Cir. 1991)

Facts:

This is one of the earliest significant cases involving identity theft and computer crimes. Robert Morris released a self-replicating program (the "Morris Worm") that affected thousands of computers by exploiting vulnerabilities. Although this is a computer crime case, it laid groundwork for cyber identity misuse.

Legal Issue:

The case examined the interpretation of the Computer Fraud and Abuse Act (CFAA) and the scope of unauthorized access, including when identity theft overlaps with unauthorized use of computer systems.

Outcome:

The court held that Morris violated the CFAA because the worm caused damage by unauthorized access and manipulation of computer systems. This case set an important precedent for prosecution of identity theft when linked with computer misuse.

Case 2: United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009)

Facts:

In this case, Lori Drew created a fake MySpace profile to harass a teenage girl, which eventually led to the victim's suicide. Drew was charged under the Computer Fraud and Abuse Act (CFAA) for unauthorized access.

Legal Issue:

The case raised questions about what constitutes “unauthorized access” when identity theft or impersonation is involved online. Is merely creating a fake identity a crime under the CFAA?

Outcome:

The court ruled that violating terms of service (creating a fake profile) did not necessarily mean unauthorized access under the CFAA. The case was dismissed due to vagueness, but it emphasized limits on prosecuting identity theft solely based on online impersonation without clear statutory authorization.

Case 3: Doe v. Chao, 540 U.S. 614 (2004)

Facts:

This case involved the Privacy Act of 1974 and identity theft stemming from the unauthorized disclosure of personal information by a government agency (Department of Labor). The plaintiff’s Social Security number was improperly disclosed.

Legal Issue:

The court examined whether the plaintiff could recover damages under the Privacy Act for willful disclosure of personal data, which contributed to identity theft risk.

Outcome:

The Supreme Court ruled that to recover damages, plaintiffs must prove actual damages, not just the increased risk of identity theft. This decision clarified that identity theft litigation requires concrete harm, not just speculative risks.

Case 4: Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012)

Facts:

AvMed, a healthcare provider, suffered a data breach exposing patients' personal health information. Resnick and other plaintiffs sued alleging negligence and violations of the Health Insurance Portability and Accountability Act (HIPAA) due to identity theft risk.

Legal Issue:

Could plaintiffs sue for damages based on the risk of identity theft and potential misuse of their data?

Outcome:

The court held that the plaintiffs had standing because the data breach created a substantial risk of identity theft and financial harm, even if actual identity theft hadn’t yet occurred. This case reinforced that risk and potential harm could be enough for litigation in identity theft cases involving data breaches.

Case 5: In re Target Corporation Customer Data Security Breach Litigation, 66 F. Supp. 3d 1154 (D. Minn. 2014)

Facts:

Target experienced a massive data breach compromising millions of customers' credit and debit card information, leading to numerous lawsuits alleging negligence and failure to protect consumer data.

Legal Issue:

The court considered whether consumers had standing to sue for damages due to identity theft risk and costs incurred post-breach.

Outcome:

The court allowed claims to proceed, stating that victims who suffered actual costs (like credit monitoring or fraudulent charges) had standing. The case led to substantial settlements and clarified consumer rights in identity theft litigation following large-scale data breaches.

Summary of Key Principles from Cases

Principle | Case Example
Unauthorized access under CFAA | United States v. Morris
Limits of criminal liability for online impersonation | United States v. Drew
Actual damages requirement in Privacy Act | Doe v. Chao
Standing based on risk of identity theft | Resnick v. AvMed
Standing based on actual losses after data breach | In re Target Data Breach
