Thursday, April 8, 2010

Court says "NO" to "potential damage" from data breach

When I first saw alerts on this story I thought it was another case of a bad court decision in favor of a corporation. Then I read Mark Mcreary's blog post, Aetna Wins Dismissal on "Increased Risk of Identity Theft" Damages Sought for Class Action. I also read the amended decision by Judge Legrome D. Davis, and after all that reading, I can see two things:

1. Had this lottery ticket paid off, it would have paid off big.
2. Even so, no lawyer should have been willing to plead this case.

Aetna had a security breach on their employment website. The email addresses of over 400,000 applicants and 65,000 employees were stolen. Other information may have been stolen, but no one knows for sure (except the thief). Aetna sent notification of the breach to everyone who might have been affected by the breach. Some of those people received a bogus email claiming to be from Aetna asking for more information. One of the people who received the notice from Aetna, but not the phishing email, decided to sue Aetna for potential damages from potential identity theft.

Yes, that's right. Cornelius Allison sued Aetna for damages because he might, someday, have his identity stolen. Since he did not receive the phishing email, he didn't even know if his email address or any other data had been part of the breach.

He was suing for money the maybe perps would possibly take if they ever stole his identity. I wonder if either he or his lawyer was really surprised when the case was thrown out?