Jaikumar Vijayam has posted an article at ComputerWorld regarding the Express Scripts Data Breach class action suit. This is the case where, in 2008, Express Scripts received a letter demanding money from the company under the threat of exposing records of millions of patients. The letter included personal information on people covered by Express Scripts, including birth dates, Social Security numbers and prescription information. Many of the insured were seeking damages, and the judge has thrown the case out citing lack of evidence.
Without any actual harm being done, there can be no damages sought.
To me, this means that privacy is worthless.
“Abstract injury is not enough to demonstrate injury-in-fact,” Judge Buckles wrote. “The injury or threat of injury must be concrete and particularized, actual and imminent; not conjectural or hypothetical.”
and …
“Plaintiff alleges that he would be injured “if” his personal information was compromised, and “if” such information was obtained by an unauthorized third party, and “if” his identity was stolen as a result, and “if” the use of his stolen identity caused him harm.” These multiple “if’s” put his claims in the realm of the hypothetical, Judge Buckles noted.
I get the argument. And I get that laws don’t protect our feelings. But Express Scripts has been entrusted with the data, and they earn revenue from having this data, which means they inherit the custodial responsibility for the security and privacy of that information. Not being able to quantify damages should not be considered the same as not being damaged. Should the burden of proof on this point fall on the person who had their information stolen?
Considered in light of credit card processors, health insurers, third-party service providers, and law enforcement not sharing information about breach specifics, it will be nigh on impossible for average citizens to gather the information necessary to demonstrate the chain of events that led to damages. Damages and costs come in many forms, most of which are not fully quantifiable, so it becomes a quagmire. This sets a bad precedent, IMO, and does not promote or incentivize companies to secure data. When it gets bad enough, consumers will push for legislation to curb the behavior, and we have seen how that works out.
3 Replies to “Class Action Against Express Scripts Dismissed”
I think this is why so many press/media blurbs on data breaches invariably include, “no evidence of misuse of data potentially taken..” or something to that effect.
I imagine if personal information is misused and it gets traced back to this company as the source of the breach, then they’re in for trouble.
Thanks for posting this, by the way! I certainly had not read about it!
Adrian,
It’s important to realize that this appears to be an issue specifically with bulk / class action suits. If (*after*) you are personally defrauded, you clearly have the standing. In this case ES knows a few people had their data compromised (from the demand letters), but I doubt they told those people their data was *definitely* compromised.
The problem is that individual breach compensation is generally trivial to the company in these cases, so you effectively need a class action to make an impact, and also to perform the investigation that might get more substantial information. Of course, getting a class action certified against you is almost as scary as losing one, so companies like ES fight hard to avoid the suits graduating to class action status.
I think this was a good decision on the part of the courts because if there is no actual, quantifiable loss then how can it be proven with any reasonable degree of certainty? I think that Express Scripts could definitely be proven negligent if they caused damages. However, if the judge accepted this case it could set a very dangerous precedent because then you get into the argument of what is loss, and that could be twisted to mean just about anything.
Other legislation should be put in place for companies that handle sensitive data but it should be separate from the negligence law, and should even be separate from the data breach notification laws because I think the more important issue is preventing the breach/accountability not notification.