
WEAVER FINAL 1/4/2010 11:29:37 AM

A MISSED OPPORTUNITY TO
BOLSTER CONSUMER PROTECTION
IN MASSACHUSETTS: HOW
MASSACHUSETTS RESIDENTS ARE
STILL WITHOUT A PRIVATE RIGHT
OF ACTION AFTER THE TJX
SECURITY BREACH

Owen Weaver*
Abstract: In early 2007, The TJX Companies, Inc. (TJX) suffered one of
the largest security breaches in the history of the United States. Immediately
thereafter a class action lawsuit, In re TJX Companies Retail Security Breach
(In re TJX), was filed by aggrieved customers in the District Court of
Massachusetts, alleging that TJX's negligent failure to safeguard its wireless
network resulted in their suffering injuries, including identity theft.
Several months later, the state of Massachusetts enacted Chapter 93H, a
security breach notification statute that aims to deter or mitigate the effects
of identity theft resulting from a security breach. While the aim of the
enactment was to "put[] a number of critical safeguards in place to help the
people of Massachusetts protect their credit and their good names," it does
not include a private right of action. Consequently, a Massachusetts resident
whose personal information is compromised after a business suffers a
security breach has no statutory right of action under the act and instead must
look elsewhere for redress. After the passage of Chapter 93H, In re TJX
settled without addressing the question whether the aggrieved customer had a
common law cause of action against TJX. This Note examines whether
residents of Massachusetts should be given a private right of action. This
Note argues that a private right of action is necessary for two reasons. First,
because consumers bear the brunt of costs caused by identity theft, a private
right of action is necessary to help shift those costs back to the businesses.
Second, a private right of action provides a cheap and effective way to police
businesses that maintain personal information databases, which in turn,

675

676 NEW ENGLAND LAW REVIEW [Vol. 43:675

ultimately helps to deter the occurrence of identity theft. Finally, this Note
proposes that a private right of action is attainable in Massachusetts by way
of either the legislative or judicial process because such a right is consistent
with either the legislative intent of 93H or with Massachusetts common law.

INTRODUCTION ..........................................................................................677
BACKGROUND ............................................................................................679
I. Massachusetts and Identity Theft ............................................679
A. The TJX Security Breach...................................................679
B. The Enactment of 93H......................................................681
II. A Broader Look at Identity Theft .......................................682
A. What is Identity Theft and How is it Committed?.............682
1. What is Identity Theft?................................................682
2. How is Identity Theft Committed?..............................683
B. The Country's Growing Identity Theft Problem ...............684
C. The Adverse Impact of Identity Theft ...............................686
D. The Nation's Response to the Problem..............................686
1. Federal Legislation......................................................687
2. State Legislation..........................................................687
a. Definition of Personal Information.......................689
b. Triggering Events .................................................690
c. Mechanics of Notification ....................................691
d. Enforcement of Notice Statutes ............................691
3. Class Action Litigation................................................692
a. The Majority Approach ........................................693
b. The Minority Approach ........................................694
i. Remsburg v. Docusearch ......................................695
ii. Bell v. Michigan Council 25 .................................695
iii. Daly v. Metropolitan Life Ins. Co. ........................696
c. Massachusetts Case Law ......................................697
ANALYSIS ..................................................................................................698
III. Why Massachusetts Should Adopt a Private Right of Action ..............698
A. The Necessity of a Private Right of Action ......................699
B. Amending 93H...................................................................702
C. Deciding In re TJX in the Plaintiffs' Favor .......................704
CONCLUSION ..............................................................................................706

2009] CONSUMER PROTECTION AFTER TJX 677

INTRODUCTION
On January 17, 2007, the TJX Companies, Inc. (TJX), a
Massachusetts corporation, announced that it had suffered a security breach
which resulted in the theft of over 47.5 million credit and debit card
numbers and other personal information concerning 451,000 of its
customers. 1 In May of 2007, a consolidated consumer class action lawsuit
was filed in the United States District Court for the District of
Massachusetts alleging, among other things, that TJX was liable, under a
theory of negligence, for damages incurred by the consumers. 2 The
plaintiffs alleged that TJX breached an assumed duty of care to keep their
personal information secure when it failed to adequately safeguard its
wireless network, and as a result of that breach, the plaintiffs incurred
economic and non-economic injuries, including identity theft. 3
In a motion to dismiss, TJX argued that the plaintiffs could not bring
their claim for negligence because in a majority of jurisdictions, the mere
exposure to identity theft does not constitute a cognizable injury. 4
Consequently, TJX contended that the plaintiffs either lacked the requisite
injury-in-fact to have standing to bring their claims, or in the alternative,
the plaintiffs could not prove that they suffered an actual loss. 5 The issue of
whether the class suffered the requisite injury-in-fact to either have
standing or to prove negligence presented novel issues under Massachusetts
law, but it was never resolved by the court because the parties eventually
settled. 6

* Candidate for Juris Doctor, New England School of Law (2009), B.A., History, cum
laude, Ursinus College (2006).
1. Joseph Pereira, Breaking the Code: How Credit-Card Data Went Out Wireless
Door, WALL ST. J., May 4, 2007, at A1.
2. Consolidated Class Action Complaint at 34-39, In re TJX Cos. Retail Security
Breach Litigation, Consumer Track Actions, No. 07-10162-WGY (D. Mass. May 9, 2007)
[hereinafter Complaint].
3. See id.
4. Memorandum of Law in Support of Defendant The TJX Cos., Inc.'s Motion to
Dismiss the Consolidated Complaint at 2, In re TJX Cos. Retail Security Breach Litigation,
Consumer Track Actions, No. 07-10162-WGY (D. Mass.) [hereinafter Defense
Memorandum].
5. Id. at 5, 10.
6. See Settlement Agreement at 3-5, In re TJX Cos. Retail Security Breach Litigation,
Consumer Track Actions, No. 07-10162-WGY (D. Mass. Sept. 21, 2007) [hereinafter
Settlement Agreement] (noting each party believed its claims or defenses had merit, but
found it desirable to settle).

While the consumer action against TJX was pending, in August of
2007 Massachusetts Governor Deval Patrick signed into law House Bill
4144, 7 which would later be codified as chapter 93H of Massachusetts
General Laws ("93H"). 8 With the passage of 93H, Massachusetts became
the thirty-ninth state to impose a notice requirement on businesses whose
customer data is exposed by a security breach. 9 Under 93H, businesses that
keep personal and financial information concerning residents of
Massachusetts are required to provide notice, usually through the mail, to
those residents if the business "knows or has reason to know of a breach of
security or knows or has reason to know that the personal information of
such resident[s] was acquired or used by an unauthorized person or used
for an unauthorized purpose." 10
At the time of the signing, Governor Patrick hailed the new law by
proclaiming that "[t]his law recognizes the new risks facing consumers
today and puts a number of critical safeguards in place to help the people of
Massachusetts protect their credit and their good names." 11 Consumer
Affairs and Business Regulation Director Daniel C. Crane summarized the
purpose behind 93H when he noted that "[c]onsumers should have a set of
tools at their disposal when their personal information becomes
compromised," and that "[a]ssuring them that they will be contacted if and
when a breach occurs . . . will give them more control and help them
mitigate the impact of identity theft and fraud." 12
While the state Legislature intended the act to protect consumers, it
notably limited the power to enforce 93H to only the state's Attorney
General. 13 Consequently, a Massachusetts resident whose personal
information is compromised after a business suffers a security breach has
no statutory right of action under the act and instead must look elsewhere
for redress. 14 One option, as demonstrated by the plaintiffs in In re TJX
Companies Retail Security Breach ("In re TJX"), is to bring a claim of

7. See Gov. Patrick Signs Identity Theft Prevention Bill, U.S. STATE NEWS, Aug. 3,
2007, available at 2007 WLNR 14963183.
8. See MASS. GEN. LAWS ch. 93H (2007).
9. See Philip Gordon, Employees Face New Compliance Challenges as Massachusetts
Becomes the 39th State to Enact a Security Breach Notice Law, MONDAQ, Sept. 17, 2007,
available at 2007 WLNR 18187282.
10. Ch. 93H, § 3.
11. Gov. Patrick Signs Identity Theft Prevention Bill, supra note 7.
12. Id.
13. See ch. 93H, § 6 (noting that only the Attorney General has the right to enforce the
provisions of the chapter).
14. See id. (noting no private right of action).

negligence under Massachusetts common law. 15 Whether a Massachusetts
resident can bring a claim of negligence against a business entity that fails
to safeguard the resident's personal information remains an unanswered
question in Massachusetts, however, because In re TJX was settled out of
court before the issue was decided by the court. 16
This Note will examine and offer a solution to the question of whether
Massachusetts residents should have a private right of action against
businesses that fail to safeguard personal information. Part I of this Note
will first document the TJX security breach and the passage of 93H. In Part
II, this Note will take a broader look at security breaches and identity theft,
and devote particular attention to the impact that the two have had on the
economy and the law. Part III of this Note will address why a private right
of action is necessary and how such a right can be realized in
Massachusetts. Specifically, this Note will argue that a private right of
action can be obtained either through the legislative or judicial process
because such a right is consistent with either the goals of 93H or with
Massachusetts common law. 17

BACKGROUND

I. Massachusetts and Identity Theft

A. The TJX Security Breach


On January 17, 2007, TJX, the owner and operator of off-price
retailers of apparel, announced that it had suffered what would later be
described as the largest retail security breach in history. 18 In its
announcement, TJX disclosed that unauthorized intrusions into its network,
over a span of eighteen months, resulted in the compromise of certain
customer personal and financial information. 19 After an internal
investigation, TJX discovered that more than 47.5 million credit and debit
card numbers and the driver's license, military identification and Social
Security numbers of some 451,000 customers had been downloaded by

15. See, e.g., Complaint, supra note 2, at 34.
16. Settlement Agreement, supra note 6, at 3-5 (noting the parties decided to settle).
17. See infra Part III.
18. Pereira, supra note 1, at A1.
19. Id.; Defense Memorandum, supra note 4, at 1.

unauthorized personnel. 20 Later estimates by a consumer protection group
suggest that, in total, the hackers were able to gain access to and
compromise 94 million records from TJX's network. 21
Almost immediately after TJX's announcement, twenty-seven
putative class action lawsuits were brought against TJX on behalf of both
the victimized consumers, whose personal information had been stolen, and
the financial institutions that had issued the credit and debit cards that had
been stolen. 22 The cases were consolidated into one action in the United
States District Court for the District of Massachusetts, which then split the
case into a consumer track and a financial institutions track. 23
With respect to the consumer track, the plaintiffs accused TJX of
failing to adequately protect its customer information and alleged that, as a
result of that failure, they suffered substantial losses. 24 In support of this
contention, the plaintiffs presented several theories of liability, 25 including
an argument for why TJX should be held liable under a theory of
negligence. 26
In their complaint, the plaintiffs argued that TJX was negligent in
safeguarding its consumer information. 27 In support of this contention, the
plaintiffs noted that in September of 2006, auditors had informed TJX that
its security measures failed to meet several industry standards. 28 These
violations included allegations that TJX failed to install on its computers
both firewall and data encryption software; failed to follow Card
Operating Regulations set forth by Visa and MasterCard; and that TJX's
wireless network system, Wired Equivalent Privacy ("WEP"), was not only

20. Kathleen Burdett Shields, Identity Theft: Lessons from the TJX Case, 51 BOSTON
B.J. 8, 8 (Oct. 2007); Pereira, supra note 1, at A1. On March 23, 2007, it was reported in the
Wall Street Journal that Florida police arrested six individuals for using credit card data
stolen from TJX. Joseph Pereira, TJX Card Data Is Focus of Arrests of Six in Florida,
WALL ST. J., Mar. 23, 2007, at A8.
21. Mark Jewell, '07 Logs Record Number in Data Theft, CHARLESTON GAZETTE, Dec.
31, 2007, at 7A.
22. Shields, supra note 20, at 8.
23. Memorandum and Order at 1-2, In re TJX Cos. Retail Security Breach Litigation,
No. 07-10161-WGY (D. Mass. Oct. 2, 2007).
24. Complaint, supra note 2, at 34-39.
25. Id. at 34-42 (alleging negligence, breach of contract in which plaintiffs and class
members were third party beneficiaries, breach of implied contract, unfair trade practices
under MASS. GEN. LAWS ch. 93A, § 9 (2008) and unfair trade practices under MASS. GEN.
LAWS ch. 93A, § 11 (2008)).
26. Id. at 34-39.
27. Id. at 34, 37.
28. Id. at 9, 34-35.

outdated, but was also severely flawed. 29 The plaintiffs also argued that
TJX was negligent because it took TJX eighteen months to detect the
intrusions into its network. 30 As a result of TJX's negligence, the plaintiffs
alleged that they suffered several injuries, which included a loss of time
and money in trying to protect their financial and personal well-being. 31
Specifically, one of the named plaintiffs incurred a fourteen dollar charge
for a credit report that revealed fraudulent credit inquiries had been made
in her name, and another of the named plaintiffs had her debit card
cancelled as a result of the breach, which caused her to "incur[] a $20
penalty because her automatic bill-pay transaction failed." 32
TJX vehemently denied these allegations and argued, in a motion to
dismiss, that the plaintiffs either lacked standing or could not prove
negligence because "consumers who are merely exposed to identity theft,
or who then take steps or incur costs to thwart possible identity theft, have
incurred no cognizable damage." 33 The district court never resolved the
dispute of whether the plaintiffs suffered the requisite injury needed for
standing or to prove negligence because the parties settled out of court. 34

B. The Enactment of 93H


In July of 2007, while In re TJX was pending, the Massachusetts
Legislature enacted House Bill No. 4144. 35 The bill, which garnered
bipartisan support, 36 was codified as chapter 93H 37 and took effect on
October 31, 2007. 38 Under 93H, businesses or others who maintain
databases containing information about residents of Massachusetts are
required to provide notice to those residents if the business knows or has
reason to know of a breach of security or knows or has reason to know

29. Id. at 9-11, 34-37. The complaint alleges that most merchants by 2003 had
abandoned WEP encryption for a more secure system called Wi-Fi Protected Access
(WPA). See id. at 17.
30. Complaint, supra note 2, at 18, 38 ("TJX failed to detect the data intrusion in a
timely manner.").
31. See Plaintiffs' Memorandum in Opposition to Defendant TJX Cos. Motion to
Dismiss at 1, In re TJX Cos. Retail Security Breach Litigation, Consumer Track Actions,
No. 07-10162-WGY (D. Mass. July 13, 2007) [hereinafter Plaintiffs' Memorandum].
32. Id. at 4.
33. Defense Memorandum, supra note 4, at 2.
34. See Settlement Agreement, supra note 6, at 3-5 (noting the parties decided to settle).
35. See Shields, supra note 20, at 10.
36. See State House News, House Session, ID Theft Conference Committee (July 12,
2007), http://www.statehousenews.com (noting a 155-0 roll call vote to accept the
conference report) (archives can only be accessed with a membership to this website).
37. See MASS. GEN. LAWS ch. 93H (Supp. 2007).
38. Id.

that the personal information of such resident was acquired or used by an
unauthorized person or used for an unauthorized purpose. 39 Within the
notice, the business must inform the resident that he or she has the right to
obtain a police report, and it must provide instructions on how the resident
can request a security freeze on his or her credit. 40 The notice, however,
cannot include information on how the security breach occurred. 41 Chapter 93H
also delegated the power to adopt regulations for business entities and
others who maintain personal information databases to the Department of
Consumer Affairs and Business Regulations. 42 Finally, section 6 of 93H
limits the right to enforce any provisions of the act to only the state's
Attorney General, who has the right to bring any action against an offender
under section 4 of chapter 93A. 43

II. A Broader Look at Identity Theft


Though unprecedented in its scope, the TJX security breach is just
one of the most recent examples of a growing epidemic that is sweeping
across the entire United States. 44 Part III of this Note explores the impact
that this epidemic has had on the country. Section A first defines what
identity theft is and then describes how it is committed. 45 Section B
chronicles the recent rise in identity theft incidents through both statistics
and recent examples. 46 Section C examines the economic impact that
identity theft has had on the country. 47 Section D concludes by taking a
look at how the states, the federal government and the courts have reacted
to this problem. 48

A. What is Identity Theft and How is it Committed?

1. What is Identity Theft?


Most people equate identity theft with fraudulent charges or other
activities that facilitate financial fraud. 49 Identity theft as a crime, however,

39. Id. § 3.
40. Id.
41. Id.
42. Id. at 2.
43. MASS. GEN. LAWS ch. 93H, § 6 (Supp. 2007).
44. See infra Part II.B (chronicling notable security breaches that occurred in 2005).
45. See infra Part II.A.
46. See infra Part II.B.
47. See infra Part II.C.
48. See infra Part II.D.
49. See Erin Font, Who Should Pay the Price for Identity Theft?, 54 FED. LAW. 24, 25

encompasses far more activities than just those that seek illegal financial
gain. 50 In actuality, identity theft occurs whenever a person's personal or
financial information is obtained and then used by another for an illegal or
unauthorized purpose. 51
The breadth of activity that can constitute or give rise to identity theft
is astonishing. For example, some identity theft involves the compromise
of a person's entire identity by an identity thief. 52 These long-term identity
thieves often assume the identity of another to avoid paying child support
or to gain the benefits of another's college transcript or employment
history. 53 Furthermore, some identity theft is even motivated by a need for
deception. 54 For example, providing someone else's personal identifying
information to a law enforcement officer upon arrest constitutes identity
theft. 55 Consequently, the crime of identity theft can occur in a multitude of
settings or under a wide variety of circumstances.

2. How is Identity Theft Committed?


Identity theft can also be caused by a plethora of criminal activity. 56
Crimes that can give rise to identity theft range from the simple
pickpocket, who then gains access to the victim's bank account, to phony
businesses that steal their victims' personal identifying information through
mass email campaigns. 57 Furthermore, the methods by which identity
thieves steal personal information have recently grown from simplistic
methods, like rummaging through another's garbage, to more sophisticated
methods like disguising oneself as a legitimate mail order or internet
company. 58

(2007) (noting that in a recent survey, ninety-one percent of the respondents reported being
concerned that their identity might be stolen and used to make unauthorized purchases).
50. See DAVID A. MAY & JAMES E. HEADLEY, IDENTITY THEFT 17 (David A. Schultz &
Christina DeJong eds., 2004) (discussing in particular the non-economic motives of the
long-term identity thief).
51. See Holly K. Towle, Identity Theft: Myths, Methods, and New Law, 30 RUTGERS
COMPUTER & TECH. L.J. 237, 242 (2004).
52. MAY & HEADLEY, supra note 50, at 17.
53. Id.
54. See Towle, supra note 51, at 242.
55. Id. This type of identity theft is known as criminal identity theft. Id.
56. MAY & HEADLEY, supra note 50, at 4.
57. Font, supra note 49, at 26.
58. For a detailed discussion of various methods that give rise to identity theft, see
Font, supra note 49, at 26, and Towle, supra note 51, at 249.

The TJX security breach illustrates one of the more sophisticated
methods used by identity thieves. 59 Today, businesses like TJX are
attractive targets for identity thieves because many maintain vast databases
that contain the financial and personal information of their customers. 60 By
gaining access to these databases, identity thieves can acquire credit card or
debit card numbers, or the names, addresses and Social Security numbers of
the business's customers. 61
A company can suffer a security breach in a number of different
ways. A security breach can be caused from within the company by an
employee who oversteps his or her authorized access to classified
information. 62 Or, as the TJX security breach illustrates, a security breach
can also be caused by an outsider who hacks into or gains access to the
company's wireless network. 63

B. The Country's Growing Identity Theft Problem

Identity theft has been labeled "one of the fastest growing criminal
offenses in the twenty-first century," 64 and "the cybercrime of the
millennium." 65 These proclamations are supported by statistics that chart
the recent growth of identity theft. From 1999 to early 2003, there were
27.3 million reported cases of identity theft in the United States. 66 In 2003
and 2004 roughly 19.4 million Americans were victims of identity theft, 67
but that number jumped to over 50 million in 2005 alone. 68 Since 2000, the

59. See infra Part I.A.
60. See Brandon Faulkner, Hacking into Data Breach Notification Laws, 59 FLA. L.
REV. 1097, 1097-98 (2007); see also Danielle Keats Citron, Reservoirs of Danger: The
Evolution of Public and Private Law at the Dawn of the Information Age, 80 S. CAL. L. REV.
241, 244 (2007) (noting that over 1,000 companies today collect and sell personal
information).
61. John B. Kennedy, Slouching Towards Security Standards: The Legacy of
California's SB 1386, in SEVENTH ANNUAL INSTITUTE ON PRIVACY LAW: EVOLVING LAWS
AND PRACTICES IN A SECURITY-DRIVEN WORLD 91, 98 (Francoise Gilbert et al., 2006).
62. Towle, supra note 51, at 249.
63. See, e.g., Complaint, supra note 2, at 16-18 (discussing how hackers gained access
to TJX's network).
64. Daly v. Metro. Life Ins. Co., 782 N.Y.S.2d 530, 535 (N.Y. Sup. Ct. 2004).
65. Gary M. Victor, Identity Theft, Its Environment and Proposals for Change, 18 LOY.
CONSUMER L. REV. 273, 274 (2006).
66. Daly, 782 N.Y.S.2d at 535 (discussing Thomas Fedorek, Computers + Connectivity
= New Opportunities for Criminals and Dilemmas for Investigators, 76 N.Y. ST. B.J. 10, 15
(2004)).
67. Victor, supra note 65, at 274.
68. Brendan St. Amant, The Misplaced Role of Identity Theft in Triggering Public
Notice of Database Breaches, 44 HARV. J. ON LEGIS. 505, 508 (2007).

number of identity theft complaints received by the Federal Trade
Commission has also increased annually. 69 Finally, recent estimates
suggest that in 2007 over 79 million records were reported stolen in the
United States 70 and that about 9 million Americans are affected by identity
theft annually. 71
These numbers are, however, likely low estimates of the actual impact
that identity theft has had on Americans because most identity theft
incidents go unreported. 72 It is estimated that 62% of identity theft victims
never contact the police or other law enforcement agencies. 73 Though the
above estimates help to illustrate the magnitude of the problem, the actual
impact of identity theft remains unknown. 74
Besides the TJX security breach, the events of 2005 probably best
illustrate the magnitude of the identity theft problem in the United States.
In February of 2005, ChoicePoint, a commercial data broker, reported that
it had three months earlier inadvertently sold records containing the
personal information of some 145,000 consumers to a ring of identity
thieves who were disguised as small businesses. 75 In March of 2005,
LexisNexis, a compiler of legal and consumer information, announced that
hackers stole from its database information including Social Security
numbers and private passwords belonging to some 32,000 individual
users. 76 Finally, in June of 2005, hackers stole the names, numbers and
security codes for 40 million credit cards issued by CardSystems Solutions,
Inc., a credit card processor. 77

69. See MAY & HEADLEY, supra note 50, at 26 (noting in 2000 the FTC received 31,000
complaints and 86,168 complaints in 2001, a 277% increase); Victor, supra note 65, at 274
(noting the FTC received nearly 250,000 complaints in 2004).
70. Jewell, supra note 24, at 7A.
71. FED. TRADE COMMN, ABOUT IDENTITY THEFT, http://www.ftc.gov/bcp/edu/
microsites/idtheft/consumers/about-identity-theft.html (last visited Nov. 25, 2008).
72. See St. Amant, supra note 68, at 521.
73. Id.
74. See id.; MAY & HEADLEY, supra note 50, at 24.
75. St. Amant, supra note 68, at 508; Tom Zeller Jr., Release of Consumers' Data Spurs
ChoicePoint Inquiries, N.Y. TIMES, Mar. 5, 2005, at C2, available at 2005 WLNR 3354817.
76. Sarah Ludington, Reining in the Data Traders: A Tort for the Misuse of Personal
Information, 66 MD. L. REV. 140, 155 (2006); see Tom Zeller Jr., Another Data Broker
Reports a Breach, N.Y. TIMES, Mar. 10, 2005, at C1, available at 2005 WLNR 3685658.
77. Derek A. Bishop, To Serve and Protect: Do Businesses Have a Legal Duty to
Protect Collections of Personal Information, 3 SHIDLER J. L. COM. & TECH. 7 (2006); see
Faulkner, supra note 60, at 1098.

C. The Adverse Impact of Identity Theft


As the section above illustrates, identity theft affects millions of
Americans each year. 78 This in turn has had a tremendous adverse effect on
the nation's economy. 79 Estimates suggest that identity theft costs
consumers and businesses over $52 billion a year. 80 In 2004, the mean cost
of identity theft per victim was $5,686, which translated into a mean out-
of-pocket expense per victim of $652. 81 The following year, identity theft
victims incurred out-of-pocket expenses totaling over $6 billion. 82 Finally,
in 2006, identity theft cost the country an estimated $55.7 billion. 83
The impact of identity theft goes beyond monetary losses as well.
Between 2004 and 2005, victims of identity theft spent close to 600 million
hours resolving issues that arose from identity theft incidents. 84 In 2006 it
was estimated that each identity theft victim spent an average of 40 hours
resolving fraudulent transactions or negative credit reporting. 85 Couple the
monetary losses with the number of hours spent resolving issues related to
identity theft, and one can see how devastating identity theft can be for its
victims and the economy.

D. The Nation's Response to the Problem

The increase in security breaches and the rise in identity theft
complaints have not only had a great impact on the nation's economy, but
they have also had a profound impact on the law. First, legislation aimed at
preventing identity theft has been introduced in Congress and in the
legislatures of the states, with the latter proving more efficient at enacting
legislation. 86 Second, plaintiffs have brought an increasing number of
consumer class action lawsuits against businesses that fail to safeguard
their personal information databases from intrusion. 87 This section offers a

78. See supra Part II.B.
79. See Font, supra note 49, at 25; St. Amant, supra note 68, at 521; Victor, supra note
65, at 279.
80. Priscilla Yeon, ID Theft Bills Lead to Debate over Consumer Fees for Freezing
Credit Reports, STATE HOUSE NEWS SERVICE, April 10, 2007,
http://www.statehousenews.com (archives can only be accessed with a membership to this
website).
81. Victor, supra note 65, at 278-79.
82. Id. at 279.
83. Font, supra note 49, at 25.
84. Victor, supra note 65, at 279.
85. Font, supra note 49, at 25.
86. See Faulkner, supra note 60, at 1105, 1114-15 (providing a discussion of state and
federal legislation).
87. See infra Part II.D.3.

brief synopsis of both the legislative response that Congress and the states
have taken to combat this growing problem and the litigation that has also
ensued.

1. Federal Legislation
Congress has taken essentially two approaches toward ensuring
information security and preventing identity theft. 88 During the 1990s,
Congress passed several acts that specifically promulgated or authorized
federal agencies to promulgate standards for keeping certain information
confidential. 89 For example, the Health Insurance Portability and
Accountability Act, better known as HIPAA, authorized the Department of
Health and Human Services to impose restrictions on how and when a
healthcare provider can disclose patient medical records. 90
More recently, several security breach notification bills have been
proposed in the House and in the Senate. 91 One proposed bill in the House
would instruct the FTC to establish minimum security practices and require
a business that suffers a security breach to provide nationwide notice of the
event. 92 A proposed bill in the Senate would require entities to notify all
affected Americans of a security breach after the entity knows or has
reason to believe personal information was compromised. 93 Neither of the
proposed bills, however, includes a private right of action; in fact, the
Senate bill would explicitly preempt any offered state remedy. 94 As of
today, Congress has yet to pass a general notification statute. 95

2. State Legislation
Almost all of the states have enacted legislation criminalizing identity
theft. 96 Forty-four states have specifically criminalized identity theft and
five other states have enacted laws that encompass activities that can
constitute identity theft. 97

Thirty-nine states have also enacted notification statutes, 98 which are
aimed at deterring the adverse effects of identity theft. 99 All the states that
have enacted a notice statute require certain entities that maintain personal
information of state residents to notify those residents after a security
breach occurs. 100 The generally accepted rationale behind requiring
disclosure of a security breach is that prompt consumer awareness of
unauthorized access to sensitive personal information is a key step in
combating fraud and identity theft and in mitigating the consequence of
both. 101
The first notice statute was passed by California in 2002. 102 Since
then, the language of the California statute, known as the California
Security Breach Notification Act, has served as the general template for
most of the other notification statutes enacted by other states. 103 Some
states, however, have enacted notice statutes that vary considerably from
the California model. 104 Except for a few deviations, Massachusetts's 93H
is of the California ilk. 105

88. For a greater discussion on proposed federal notification bills see Faulkner, supra note 60, at 1114-15.
89. Id. at 1115.
90. See 45 C.F.R. §§ 160.102, 164.502 (2005).
91. Faulkner, supra note 60, at 1114-15 (discussing House Bill 4127 and Senate Bill 1789).
92. Data Accountability and Trust Act, H.R. 4127, 109th Cong. (2005).
93. Personal Data Privacy and Security Act of 2005, S. 1789, 109th Cong. (2005).
94. Faulkner, supra note 60, at 1119-21 (discussing House Bill 4127 and Senate Bill 1789).
95. Id. at 1114-15.
96. See Towle, supra note 51, at 301-02.
97. Id. Only Vermont has not enacted legislation that either expressly criminalizes or encompasses the activities that fit within the definition of identity theft. Id. at 301-02 n.298.
98. See, e.g., ARIZ. REV. STAT. ANN. § 44-7501 (Supp. 2007); ARK. CODE ANN. § 4-110-105 (2007); CAL. CIV. CODE § 1798.29 (West Supp. 2008); COLO. REV. STAT. § 6-1-716 (2008); CONN. GEN. STAT. § 36a-701b (2008); DEL. CODE ANN. tit. 6, §§ 12B-102-03 (2007); FLA. STAT. § 817.5681 (2006); GA. CODE ANN. § 10-1-912 (Supp. 2008); HAW. REV. STAT. § 487N-2 (Supp. 2007); IDAHO CODE ANN. §§ 28-51 to -105 (Supp. 2008); 815 ILL. COMP. STAT. 530/10-12 (2008); IND. CODE §§ 24-4.9-1-1 to -5-1 (2006); KAN. STAT. ANN. §§ 50-7a01 to -7a04 (Supp. 2007); LA. REV. STAT. ANN. §§ 51:3071-:3077 (Supp. 2008); ME. REV. STAT. ANN. tit. 10, §§ 1347 to 1350-A (Supp. 2007); MD. CODE ANN., CRIM. LAW §§ 8-304 to -305 (LexisNexis Supp. 2007); MASS. GEN. LAWS ch. 93H, §§ 1-6 (2007); MICH. COMP. LAWS § 445.72 (2008); MINN. STAT. § 325E.61 (2008); MONT. CODE ANN. §§ 30-14-1701 to -1705 (2007); NEB. REV. STAT. §§ 87-801 to -807 (2006); NEV. REV. STAT. §§ 603A.010-.040, 633A.220 (2007); N.H. REV. STAT. ANN. §§ 359-C:19 to :21 (2007); N.J. STAT. ANN. § 56:8-163 (West Supp. 2008); N.Y. GEN. BUS. LAW § 899-aa (McKinney Supp. 2008); N.C. GEN. STAT. § 75-65 (2007); N.D. CENT. CODE §§ 51-30-01 to -07 (2007); OHIO REV. CODE ANN. § 1349.19 (West Supp. 2008); OKLA. STAT. tit. 74, § 3113.1 (2008); OR. REV. STAT. § 646A.604 (2007); 73 PA. STAT. ANN. § 2303 (West Supp. 2008); R.I. GEN. LAWS §§ 11-49.2-1 to -7 (2007); TENN. CODE. ANN. § 47-18-2107 (Supp. 2007); TEX. BUS. & COM. CODE ANN. § 48.103 (Vernon 2007); UTAH CODE ANN. §§ 13-44-101 to -45-301 (Supp. 2008); VT. STAT. ANN. tit. 9, §§ 2430, 2435 (2007); WASH. REV. CODE § 19.255.010 (2006); WIS. STAT. § 895.507 (2006); WYO. STAT. ANN. § 40-12-502 (2007). The only states that have not enacted a notice statute are: Alaska, Alabama, Iowa, Kentucky, Mississippi, Missouri, New Mexico, South Carolina, South Dakota, Virginia, and West Virginia. Gordon, supra note 9, at n.1.
99. Faulkner, supra note 60, at 1105.
100. Kennedy, supra note 61, at 101-02.
101. Id. at 101.
102. See Catherine M. Bump et al., Summary of State Data Security Laws as of March 2006, in SEVENTH ANNUAL INSTITUTE ON PRIVACY LAW: EVOLVING LAWS AND PRACTICES IN A SECURITY-DRIVEN WORLD 39, 43 (Francoise Gilbert et al. eds., 2006); see also CAL. CIV. CODE § 1798.29 (West Supp. 2008).

Generally, all notice statutes contain provisions that pertain to what
type of personal information is protected under the law, when notification
is required, what forms of notifications are permissible, how long a
business has to deliver the notification and who may enforce the provisions
of the statute. 106

a. Definition of Personal Information

Most states follow a standard definition for personal information,
which is modeled after the California statute. 107 Personal information is
generally defined as:
    "[A]n individual's first name or first initial and his or her last
    name in combination with any one or more of the following data
    elements, when either the name or the data element is not
    encrypted or redacted: (a) Social Security number; (b) driver's
    license number or state identification card number; (c) account
    number, credit card number, or debit card number in
    combination with any required security code, access code, or
    password, that would permit access to an individual's financial
    account." 108
Most states also exclude from the definition of personal identifying
information, public information that can be obtained from federal, state or
local government records. 109 In Massachusetts, 93H's definition of
personal information adheres to the general definition provided above,
except that it also includes a credit or debit card number, "with or without
any required security code." 110 This additional language arguably means
that 93H encompasses more data than the general definition. 111 Some other
states, such as North Carolina, have chosen to expand their definitions of
personal information to also include biometric data, fingerprints, account
passwords and parents' legal surnames prior to marriage. 112

103. Bump et al., supra note 102, at 43.
104. See, e.g., FLA. STAT. § 817.5681 (2006); N.C. GEN. STAT. § 75-65 (2007); see also Faulkner, supra note 60, at 1105-14 (contrasting the notice statutes of California, Florida, and North Carolina).
105. Compare MASS. GEN. LAWS ch. 93H (2008), with CAL. CIV. CODE § 1798.29 (West Supp. 2008).
106. Compare MASS. GEN. LAWS ch. 93H, with CAL. CIV. CODE § 1798.29.
107. See Bump, supra note 105, at 43-44.
108. Id. at 44; see, e.g., CAL. CIV. CODE § 1798.82(e) (West 2008); TEX. BUS. & COM. CODE ANN. § 48.002 (Vernon 2007).
109. See CAL. CIV. CODE § 1798.82(f)(1); MASS. GEN. LAWS ch. 93H, § 1(c).
110. MASS. GEN. LAWS ch. 93H, § 1(a) (emphasis added).

b. Triggering Events
Most states follow California's definition that a data security breach is
the "unauthorized acquisition of computerized data that compromises the
security, confidentiality, or integrity of personal information maintained by
the person or business." 113 Massachusetts and a minority of other states
have, however, adopted a stricter definition of "security breach." 114 Chapter
93H defines "security breach" as:
    "[T]he unauthorized acquisition or unauthorized use of
    unencrypted data or, encrypted electronic data and the
    confidential process or key that is capable of compromising the
    security, confidentiality, or integrity of personal information,
    maintained by a person or agency that creates a substantial risk
    of identity theft or fraud against a resident of the
    commonwealth." 115
One commentator noted that the standard adopted by Massachusetts
relieves businesses of having to provide notice if the security breach does
not give rise to a subsequent threat of identity theft. 116 Other states that
have adopted stricter definitions of security breach include North Carolina
and Florida. 117

111. Gordon, supra note 9.
112. See, e.g., N.C. GEN. STAT. § 14-113.20 (2007). Some states have even gone farther than North Carolina and include employer and tax identification numbers, Medicaid or food stamp account numbers, and postal or e-mail addresses in their definition of personal information. See, e.g., FLA. STAT. § 817.568(1)(f) (2006).
113. CAL. CIV. CODE § 1798.82(d); see also Faulkner, supra note 60, at 1107.
114. See, e.g., FLA. STAT. § 817.5681(4); MASS. GEN. LAWS ch. 93H, § 1(a); N.C. GEN. STAT. § 75-61(14).
115. MASS. GEN. LAWS ch. 93H, § 1(a) (emphasis added).
116. See Gordon, supra note 9.
117. See FLA. STAT. § 817.5681(4). The statute states: "[N]otification is not required if, after an appropriate investigation or after consultation with relevant federal, state, and local agencies responsible for law enforcement, the person reasonably determines that the breach has not and will not likely result in harm to the individual whose personal information has been acquired and accessed." Id.; N.C. GEN. STAT. § 75-61(14) (requiring notification when "[a]n incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer").

c. Mechanics of Notification
Most notification statutes allow businesses to notify residents through
the postal service or via electronic correspondence and Massachusetts has
not deviated from this norm. 118 Some states also permit notification by
telephone. 119 One unique variation is found in Utah, where the notification
requirement can be satisfied by publishing a disclosure in a generally
circulated newspaper. 120 93H, like other notification statutes, waives the
notification requirement if the business can demonstrate that the cost of
providing written notice will exceed $250,000 or the number of residents
that need to be notified is above 500,000 or if the business lacks sufficient
contact information to provide notice. 121
With respect to the timing of notification, Massachusetts closely
mirrors California's statute in that 93H provides that notice should be
delivered "as soon as practicable and without unreasonable delay." 122 One
caveat in 93H allows a business to delay giving notice if a law enforcement
agency determines that disclosure could impede a criminal investigation. 123

d. Enforcement of Notice Statutes

State notification statutes probably vary the most with respect to who
can enforce the statute. The states fall into two categories. First, some states
follow California's statute, which allows for a private right of action for
either damages or injunctive relief. 124 Massachusetts and several other
states, on the other hand, limit the right to enforce their notice statutes to
just the state's attorney general. 125 93H authorizes the Attorney General to
"bring an action pursuant to section 4 of chapter 93A against a person or
otherwise to remedy violations of this chapter and for other relief that may
be appropriate." 126

118. See, e.g., CAL. CIV. CODE § 1798.82(g)(1)-(2); MASS. GEN. LAWS ch. 93H, § 1(a)(i)-(ii); N.C. GEN. STAT. § 75-65(e)(1)-(2).
119. See, e.g., N.C. GEN. STAT. § 75-65(e)(3).
120. UTAH CODE ANN. § 13-44-202(5)(a)(iv) (West 2008).
121. MASS. GEN. LAWS ch. 93H, § 1(a)(iii). The substitute notice provision in 93H is similar to the provision found in the California statute. Compare MASS. GEN. LAWS ch. 93H, § 1(a)(iii), with CAL. CIV. CODE § 1798.82(g)(3).
122. MASS. GEN. LAWS ch. 93H, § 3(a). California's statute requires that disclosure shall be made "in the most expedient time possible and without unreasonable delay." CAL. CIV. CODE § 1798.82(a).
123. MASS. GEN. LAWS ch. 93H, § 4.
124. See, e.g., CAL. CIV. CODE § 1798.84(b) (West 2008) ("Any customer injured by a violation of this title may institute a civil action to recover damages."); LA. REV. STAT. ANN. § 51:3075 (2007) ("A civil action may be instituted to recover actual damages resulting from the failure to disclose in a timely manner to a person that there has been a breach of the security system resulting in the disclosure of a person's personal information."); TENN. CODE ANN. § 47-18-2107(h) (West 2007) ("Any customer of an information holder who is a person or business entity, but who is not an agency of the state or any political subdivision of the state, and who is injured by a violation of this section, may institute a civil action to recover damages and to enjoin the person or business entity from further action in violation of this section.").

3. Class Action Litigation

Identity theft has not only prompted legislation, but it has also
triggered the filing of many lawsuits. Since many state statutes do not
provide a private right of action, 127 many consumers throughout the
country, like the plaintiffs in In re TJX, have turned to the common law as a
means to achieve redress against business entities that fail to safeguard
their personal information databases. 128 Typically, consumers who resort to
the common law raise claims of negligence, breach of contract, or breach
of fiduciary duty. 129 The complaint in In re TJX included claims of
negligence and breach of contract, but did not set forth a separate claim for
a breach of fiduciary duty. 130
Whether the law of negligence applies to business entities that fail to
safeguard personal information from security breaches is a novel question
in Massachusetts. To prove negligence in Massachusetts, a plaintiff must
show that the defendant committed a breach of the duty to use reasonable
care, that the plaintiffs suffered actual loss, and that the defendant's
negligence caused their loss. 131 A majority of other courts, both state and
federal, that have addressed this issue have found against the application of
negligence in these settings. 132 Yet a small but growing number of minority
jurisdictions have begun to allow negligence claims to go forward. 133

125. See, e.g., ARK. CODE ANN. § 4-110-108 (West 2007) ("Any violation of this chapter is punishable by action of the Attorney General under the provisions of § 4-88-101 et seq."); MASS. GEN. LAWS ch. 93H, § 6 ("The attorney general may bring an action pursuant to section 4 of chapter 93A against a person or otherwise to remedy violations of this chapter and for other relief that may be appropriate."); OHIO REV. CODE ANN. § 1349.19(I) (West 2007) ("The attorney general may conduct pursuant to sections 1349.191 and 1349.192 of the Revised Code an investigation and bring a civil action upon an alleged failure by a person to comply with the requirements of this section.").
126. MASS. GEN. LAWS ch. 93H, § 6.
127. See supra Part III.D.2.d.
128. See, e.g., Key v. DSW, Inc., 454 F. Supp. 2d 684, 685 (S.D. Ohio 2006); Complaint, supra note 2, at 34-39 (alleging negligence).
129. See Kathryn E. Picanso, Protecting Information Security Under a Uniform Data Breach Notification Law, 75 FORDHAM L. REV. 355, 376-77 (2006).
130. See Complaint, supra note 2, at 34-42 (noting the causes of action pursued by the plaintiffs). The consumers' complaint in TJX did include a claim of breach of fiduciary duty, but it was within their claim of negligence. Id. at 34-37.
131. Glidden v. Maglio, 722 N.E.2d 971, 973 (Mass. 2000).

a. The Majority Approach

Plaintiffs who assert claims of negligence against business entities
that fail to safeguard their personal information from security breaches
have encountered considerable opposition in two respects. First, many
courts have found that consumers whose personal information is stolen
during a security breach lack standing to bring a claim of negligence
against the business entity. 134 Second, other courts have granted
defendants' motions to dismiss on the grounds that the plaintiffs cannot
prove one of the elements of negligence, typically the damage element. 135
One court articulated that the general rule in identity theft cases is that an
alleged increase in risk of future injury is not an actual or imminent
injury. 136
Key v. DSW, Inc., which, like In re TJX, involved the exposure of
customer personal information after a retail store suffered a security breach,
encapsulates the legal analysis behind the majority approach. 137 In Key v.
DSW, Inc., a class action lawsuit was brought in federal court against
DSW, Inc. (DSW) after unauthorized persons obtained personal and
confidential financial information concerning approximately 1.5 million
customers of DSW. 138 The named plaintiff alleged, among other things,
that DSW was negligent in safeguarding its collection of consumer credit,
debit, and checking account numbers. 139 DSW subsequently filed a motion
to dismiss, arguing that the plaintiff lacked standing because substantial
increased risk of identity theft or other related financial crimes is
insufficient to confer standing to sue. 140
The United States District Court for the Southern District of Ohio
agreed with DSW, finding that the plaintiff's alleged injuries were
contingent upon several factors and therefore she lacked the necessary
injury-in-fact to have standing. 141 The court noted that in order for the
plaintiff to suffer an injury-in-fact, her information would first have to be
used by an unauthorized person for an unlawful purpose. 142 In granting
DSW's motion to dismiss, the court found that the plaintiff had failed to
present evidence that any unauthorized third party had or intended to use
her personal information in any unauthorized or illegal way and instead, the
plaintiff's alleged injuries rested on pure speculation that she will be a
victim of wrongdoing at some unidentified point in the indefinite future. 143

132. See, e.g., Key, 454 F. Supp. 2d at 685 (finding that the plaintiff lacked standing to bring a claim of negligence); Giordano v. Wachovia Sec., LLC., No. 06-476 (JBS), 2006 WL 2177036, at *4 (D. N.J. July 31, 2006) (finding that the plaintiff failed to prove an injury-in-fact and therefore lacked standing).
133. See, e.g., Remsburg v. Docusearch, Inc., 816 A.2d 1001 (N.H. 2003) (finding that an internet information broker had a duty of care to the person whose information it sold); Bell v. Mich. Council 25 of Am. Fed'n of State, County, Mun. Employees, AFL-CIO, Local 1023, No. 246684, 2005 WL 356306 (Mich. Ct. App. Feb. 15, 2005) (finding that a union owes its members a duty of care to protect its members' personal information from identity theft); Daly v. Metro. Life Ins. Co., 782 N.Y.S.2d 530 (N.Y. Sup. Ct. 2004) (recognizing that holders of confidential personal information enter into a covenant of trust and confidence with the person providing the information and therefore the holder has a duty to protect that information from identity theft).
134. See, e.g., Giordano, 2006 WL 2177036 at *4 (finding that the plaintiff failed to prove an injury-in-fact and therefore lacked standing).
135. See, e.g., Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629 (7th Cir. 2007) (holding that the mere allegation of an increased risk of identity theft does not constitute a recognizable injury).
136. Key, 454 F. Supp. 2d at 689.
137. See id. at 689-91 (applying the majority approach).

b. The Minority Approach

Not all jurisdictions have subscribed to the majority approach that the
common law of negligence cannot be applied to entities that fail to
safeguard their personal information databases from security breaches. 144
In rejecting the majority approach, some courts have not only recognized
that the holder of another's personal information has a duty to protect that
information from illegal use by a third party, but have also recognized that
the illegal use of stolen personal information gives rise to foreseeable
injuries. 145 The minority approach is best illustrated by the following three
cases.

138. Id. at 685.
139. See id. at 688.
140. Id.
141. Id. at 690.
142. See Key, 454 F. Supp. 2d at 690.
143. Id.
144. See, e.g., Remsburg v. Docusearch, Inc., 816 A.2d 1001, 1008 (N.H. 2003) (holding that an internet information broker had a duty to protect the personal information that it collected from illegal use by a third party); Bell v. Mich. Council 25 of Am. Fed'n of State, County, Mun. Employees, AFL-CIO, Local 1023, No. 246684, 2005 WL 356306, at *1 (Mich. Ct. App. Feb. 15, 2005) (holding that a union owed its members a duty and therefore the question of negligence was properly submitted to the jury); Daly v. Metro. Life Ins. Co., 782 N.Y.S.2d 530, 535 (N.Y. Sup. Ct. 2004) (holding that an insurance company had a duty to protect the confidential personal information provided to it by a customer).

i. Remsburg v. Docusearch
The New Hampshire Supreme Court considered the question of
whether an internet information broker, who sells a third party's
information to a client, has a duty to that third party. 146 The case arose after
Docusearch.com sold the Social Security number and employment
information of Amy Lynn Boyer to Liam Youens. 147 Several days after the
transaction, Youens drove to Boyer's place of employment and shot and
killed her before taking his own life. 148
The New Hampshire Supreme Court held that the threats posed by
stalking and identity theft generate a sufficient foreseeable risk of criminal
misconduct so that an [internet information broker] has a duty to exercise
reasonable care in disclosing a third person's personal information to a
client. 149 The court noted that a private citizen has no general duty to
protect others from the criminal attacks of third parties, but that
exceptions to the rule exist when a party realizes or should realize that his
conduct has created a condition which involves an unreasonable risk of
harm to another. 150 The court imposed a duty here because it found it
foreseeable that stalkers may use internet information brokers to obtain
personal information about the victims. 151 The court also recognized the
prevalence and risk of identity theft after the disclosure of an individual's
personal information. 152

ii. Bell v. Michigan Council 25

In an unpublished opinion, the Michigan Court of Appeals held that
the trial judge properly submitted the question of negligence to the jury
because the defendant, a union, owed the plaintiffs, its members, a duty to
protect their personal information from theft. 153 In Bell, a notebook
containing the Social Security and driver's license numbers of union
members was stolen by the daughter of the union's treasurer, who had
brought the notebook home. 154
Like the New Hampshire Supreme Court, the Michigan Court of
Appeals noted the general rule that there is no duty to protect against the
acts of a third person. 155 However, the court went on to note that an
exception does exist if a special relationship exists between the parties. 156
Here, the court found a special relationship existed because the
defendant, as the plaintiffs' representative, had a duty to act in the best
interest of the plaintiffs and from that obligation it follows that the
defendant should be responsible for safeguarding the plaintiffs' personal
information. 157 With respect to the foreseeability of injury, the court found
that there was a great risk of harm that someone might misuse the
plaintiffs' personal information. 158 In arriving at this conclusion, the court
noted that identity theft has been gaining momentum in recent years and
therefore the potential risk of harm in taking personal information to an
unsecured location is high. 159 Consequently, under the circumstances the
court had no trouble finding that criminal activity was foreseeable. 160

iii. Daly v. Metropolitan Life Ins. Co.

Finally, in Daly v. Metropolitan Life Ins. Co., the Supreme Court of
New York County, New York addressed the novel question of whether
liability may attach to an entity that fails to safeguard personal and
confidential information obtained in conjunction with the purchase of a life
insurance policy. 161 The issue arose after the plaintiff conveyed certain
personal information to the defendant as part of an application for life
insurance. 162 Shortly after completing the application, the plaintiff
discovered that new, fraudulent credit accounts had been opened in her
name. 163 In her suit, the plaintiff accused the defendant of negligently
"allow[ing] non-Met Life employees unfettered access to [her] confidential
information." 164
In analogizing this case to cases involving breaches of fiduciary
duties, the court recognized that a covenant of trust and confidence may
be inferred in business dealings, and that here the plaintiff had placed her
trust in and relied upon the defendant. 165 Because of this relationship, the
defendant had a duty to protect the plaintiff's confidential information. In
denying the defendant's motion to dismiss, the court noted that even the
defendant recognized a duty to safeguard its clients' personal information
by the fact that it issued privacy notices that detailed the procedures the
defendant used to protect its customers' personal information. 166

145. Bishop, supra note 77, at *4 (discussing the holdings of Remsburg and Bell).
146. Remsburg, 816 A.2d at 1004.
147. Id. at 1005-06.
148. Id. at 1006.
149. Id. at 1008.
150. Id. at 1006-07.
151. Id. at 1007.
152. Remsburg, 816 A.2d at 1007 ("Identity theft . . . is an increasingly common risk associated with the disclosure of personal information, such as a [Social Security Number].").
153. Bell v. Mich. Council 25 of Am. Fed'n of State, County, Mun. Employees, AFL-CIO, Local 1023, No. 246684, 2005 WL 356306, at *1 (Mich. Ct. App. Feb. 15, 2005).
154. Id.
155. Id. at *2.
156. Id.
157. Id. at *3.
158. Id. at *4.
159. Bell, 2005 WL 356306, at *4.
160. Id. at *5.
161. Daly v. Metro. Life Ins. Co., 782 N.Y.S.2d 530, 531 (N.Y. Sup. Ct. 2004).
162. See id.
163. Id. at 532-33.
164. Id. at 532.
165. See id. at 535.
166. Id. at 535-36.

c. Massachusetts Case Law

As noted above, no court in Massachusetts has yet determined
whether a business entity that fails to safeguard customer personal
information can be held liable under a theory of negligence. 167 In In re TJX,
TJX adamantly argued that prior security breach cases tried throughout the
country mandated that the court find that the mere exposure to identity theft
does not cause a cognizable injury. 168 However, TJX cited no
Massachusetts case law that directly supported this position. 169 The
plaintiffs, on the other hand, cited one Massachusetts case, Kuhn v. Capital
One Financial Corp., as authority for the position that time and money
spent in seeking to prevent or undo harm can constitute a cognizable
injury. 170
In Kuhn v. Capital One Financial Corp., a holder of a Capital One
Bank Visa card alleged that her personal information was stolen after an
intrusion into an undisclosed website had occurred, and that Capital One
thereafter failed to safeguard her information. 171 Capital One moved for
summary judgment on the grounds that the plaintiff could not prove either
that Capital One was responsible for the security breach or that she suffered
any damages. 172 The motion judge granted Capital One's request because,
in her opinion, further depositions were unlikely to yield any information
that would affect the outcome. 173
The Appeals Court of Massachusetts reversed, finding that summary
judgment was inappropriate. 174 In reversing the motion, the court
determined that there was a genuine material disputed fact about whether
Capital One is the source of the breach and therefore the plaintiff was
entitled to further discovery. 175 The court also rejected Capital One's
argument that Kuhn could not prove damages. 176 The court noted that she
alleged that she spent a great deal of time and money trying to get rid of the
fraudulent accounts under her name. 177 The court found that the value of
time spent in seeking to prevent or undo the harm can constitute a
cognizable injury under the Restatement (Second) of Torts § 919 (1979). 178

167. See Defense Memorandum, supra note 4, at 4-10 (noting that TJX cites no Massachusetts cases on point); Plaintiffs' Memorandum, supra note 31, at 7-13 (noting that the plaintiffs cite to no Massachusetts case that directly held a business entity liable for negligence for failure to safeguard its customers' personal information).
168. Defense Memorandum, supra note 4, at 2.
169. See id. at 4-10.
170. Plaintiffs' Memorandum, supra note 31, at 12-13.
171. Kuhn v. Capital One Fin. Corp., No. 05-P-810, 2006 WL 3007931, at *1 (Mass. App. Ct. Oct. 23, 2006).
172. Id.
173. Id.
174. Id. at *4.
175. Id. at *3.
176. Id.
177. See Kuhn, 2006 WL 3007931, at *3.
178. Id. (quoting RESTATEMENT (SECOND) OF TORTS § 919 (1977)). The Restatement (Second) of Torts § 919 (1977) reads "[o]ne whose legally protected interests have been endangered by the tortious conduct of another is entitled to recover for expenditures reasonably made or harm suffered in a reasonable effort to avert the harm threatened."

ANALYSIS

III. Why Massachusetts Should Adopt a Private Right of Action

Given the reality and prevalence of identity theft today, 179 a private
right of action, either statutorily or by way of the common law, is not only
a necessary tool to help alleviate or mitigate the harm incurred by
consumers, but also a necessary provision to help police businesses that
maintain personal information databases. Despite this apparent utility, the
Massachusetts Legislature limited the ability to enforce 93H, which was
characterized as "a necessary tool to help [consumers] mitigate the impact
of identity theft and fraud," 180 to just the state's Attorney General. 181 A
majority of jurisdictions throughout the country have dismissed claims of
negligence under the theory that mere exposure to identity theft does not
constitute a cognizable injury. 182 This section offers an argument for why a
private right of action is necessary and how it can be achieved either
statutorily or judicially in Massachusetts.

179. See supra Part II.C.
180. Gov. Patrick Signs Identity Theft Prevention Bill, supra note 7.
181. MASS. GEN. LAWS ch. 93H, § 6 (2006).

A. The Necessity of a Private Right of Action


As discussed earlier, each year individuals and businesses incur
tremendous losses because of identity theft. 183 For the year 2004 alone, it
was estimated that identity theft cost Americans $52.6 billion, roughly $6
billion in out-of-pocket expenses incurred by consumers and more than $46
billion incurred by businesses. 184 Yet as one scholar noted, if these
estimates represented true losses for both businesses and individuals, then
businesses would have immediately embraced and lobbied for stricter
identity theft prevention laws. 185
In reality, consumers, and not businesses, have incurred greater losses
because of identity theft. 186 Businesses have not embraced stricter identity
theft prevention laws because unlike consumers, businesses have
mechanisms through which they can mitigate or even erase losses caused
by identity theft. 187 Businesses, through various revenue-creating schemes,
like raising their prices, charging higher interest rates, or imposing
institutional fees like membership dues, are able to distribute or pass along
the cost of identity theft to their consumers. 188 Consequently, consumers
ultimately shoulder the economic losses that a business may incur as a
result of identity theft. 189
The aftermath of the TJX security breach is a perfect illustration of
this point. It was reported in the Boston Globe that by December of 2007
TJX had incurred $256 million in costs related to the security breach. 190
Yet thirteen months after the breach, TJX reported a fourth quarter net
income of $301.1 million and revenue of $5.5 billion, an increase of 47%

182. See supra Part II.D.3.a (discussing the majority approach).
183. See supra note 80 and accompanying text (noting that individuals and businesses
incur an estimated $52 billion in costs related to identity theft each year).
184. Victor, supra note 65, at 283.
185. See id. at 283-84.
186. See id.
187. See id. (discussing how businesses pass the costs of identity theft on to their
customers).
188. Id.
189. See id.
190. Ross Kerber, For TJX, a Store of Consumer Loyalty: Even After Credit Breach,
Retailer's Sales Are Strong, BOSTON GLOBE, Dec. 21, 2007, at 1E.
700 NEW ENGLAND LAW REVIEW [Vol. 43:675

and 8% respectively from the year before. 191 This increase in profit does
not suggest that TJX intentionally passed its losses onto its customers, but
does illustrate two points. First, TJX's ability to generate capital in a
relatively short amount of time allowed TJX to offset a significant portion
of the losses that it incurred as a result of the security breach. 192 Second, TJX's
increased sales support the notion that consumers, and not businesses,
shoulder the costs stemming from identity theft. 193
While businesses like TJX can turn to the mechanisms described
above, consumers in Massachusetts, on the other hand, have no similar
options to turn to. Instead, after a security breach, Massachusetts
consumers are forced to absorb not only personal expenses, 194 but also the
expenses incurred by businesses. 195 A private right of action would help to
mitigate this burden by providing consumers with a mechanism through
which they can shift the costs of identity theft back to businesses, whose
negligence facilitated the identity theft in the first place. 196
A private right of action would not only help to shift the burden away
from consumers, 197 but it would also help to police businesses that
maintain personal information databases. 198 Under current Massachusetts
law, businesses have little economic incentive to employ stricter, more
expensive identity theft security measures. 199 From a cost-benefit analysis,
maintaining customer personal information facilitates business transactions
and encourages economic growth, 200 while the cost of identity theft can be

191. TJX Posts a Strong Q4 as it Settles Breach Claims, CARDLINE, Feb. 22, 2008, at 1,
available at 2008 WLNR 3508497.
192. See id.
193. See Victor, supra note 65, at 283.
194. See supra text accompanying note 32 for examples of personal expenses incurred by
consumers because of the TJX security breach.
195. For example, the $256 million in charges incurred by TJX after the security breach
included costs related to upgrading computer software and settlement agreements with the
injured consumers, banks, and credit card companies. See Kerber, supra note 190, at 1E;
Ross Kerber, N.E. Banks, TJX Reach Agreement on Breach, BOSTON GLOBE, Dec. 19, 2007,
at C3. Consumers like Hanna Lipman, whose credit card was cancelled by Visa because of
the breach, helped TJX cover its expenses by continuing to spend after the breach an
estimated $100 a month at TJX stores. See Kerber, supra note 190, at 1E.
196. See Faulkner, supra note 60, at 1122-25 (arguing for a private right of action under
the laws of fiduciary duty).
197. See id. (arguing for a private right of action under the laws of fiduciary duty).
198. See Victor, supra note 65, at 306.
199. See id. at 281. Massachusetts is not alone in that federal law and other states' laws
have also failed to decrease identity theft incidents. See Ludington, supra note 76, at 151.
200. See Charles D. Morgan, Chief Executive Officer, Acxiom Corp., Before the Federal
Trade Commission Public Workshop: Information Flows: The Costs and Benefits to
Consumers and Businesses of the Collection and Use of Consumer Information (June 18,
offset by passing it off to the consumers. 201 Consequently, spending more
to prevent identity theft is not a priority because the potential loss from
identity theft rarely exceeds potential profit. 202 TJX's increase in net
income thirteen months after the security breach illustrates perfectly how a
business's potential profit after a security breach can negate the need for
heightened security. 203
Until potential losses exceed potential profits, businesses will not be
inclined to employ stronger security measures. 204 A private right of action
for consumers is one way to encourage businesses to employ greater
security measures because the prospect of facing and defending against
litigation increases a businesss potential losses stemming from identity
theft. 205 However, the prospect of facing litigation can be easily avoided if
the business maintains up-to-date security measures, which are likely to be
less expensive than the cost of litigation. 206 Consequently, under a cost-
benefit analysis, a private right of action encourages businesses to employ
stronger security measures. 207
A private right of action would also provide a cheap and effective
way to enforce 93H. 208 Enforcement of notice statutes through a state
agency, such as the Attorney General, depends upon funding, manpower,
the size of the incident, the publicity the event may be receiving, and even
the philosophy of the administration in power. 209 A private action does not
depend upon these factors, but is instead driven by the consumers' own
self-interest to seek recovery. 210 This strong self-economic interest
consequently turns consumers into private attorneys general who go after

2003), http://www.ftc.gov/bcp/workshops/infoflows/present/030618morgan.pdf ("The
efficient flow of consumer information to businesses has significantly contributed to our
nation's economic growth and stability by (1) enhancing variety in consumer goods and
services; (2) facilitating lower domestic prices . . . ; and (3) accelerating the accuracy, speed
and ease with which transactions can be completed.").
201. See supra notes 186-187 and accompanying text.
202. See Victor, supra note 65, at 308.
203. See supra notes 191-193 and accompanying text.
204. See Victor, supra note 65, at 308.
205. See id. at 307-08.
206. See id.
207. See id.
208. See id. at 306; see also Faulkner, supra note 60, at 1122-25 (arguing that a private
right of action under the laws of fiduciary duty will encourage businesses to protect
consumer personal information).
209. See Victor, supra note 65, at 306.
210. See id.
businesses whose failure to comply with the law injured them. 211 Thus, to
avoid the prospect of facing such litigation, a business is likely to employ
strong security measures to ensure that it is in compliance with the law. 212

B. Amending 93H
There is currently no private right of action in 93H for consumers
whose personal information was compromised in a security breach. 213
Instead, the Massachusetts Legislature gave only the state's Attorney
General the power to enforce 93H. 214 Adding a private right of action to
93H would be consistent with both the legislative goal behind 93H and the
statutory scheme of chapter 93A.
First, like the underlying goals of 93H, a private right helps to deter
identity theft and helps to protect personal information. 215 The legislative
history of 93H suggests that the Massachusetts Legislature sought to deter
and better protect consumers from identity theft after the TJX security
breach. 216 This legislative intent can be inferred from the fact that just prior
to 93H's enactment, one representative praised House Bill 4144 as "a means
of protecting the public from the crime of identity theft," 217 while another
insisted that "this is a great day for consumers" and "[i]f TJX happened
under this bill, you would be notified in three days and be able to take steps
on your own to protect yourself." 218 Further evidence of the legislative
intent can be gathered from another representative's comment, made earlier
in the legislative history of House Bill 4144, that ID theft complaints
"commonly [take] a backseat to prosecution of other crimes," and that
"[p]assing laws to prevent the crime and creating a sophisticated team to
prosecute future crimes are essential steps." 219

211. See id.
212. See id. at 306-08.
213. See MASS. GEN. LAWS ch. 93H, § 6 (2007) (noting that only the Attorney General
has the right to enforce the provisions of the chapter).
214. Id.
215. See supra notes 11-12 and accompanying text (discussing underlying goals of 93H).
216. See State House News, Senate Session (July 17, 2007),
http://www.statehousenews.com (archives can only be accessed with a membership to this
website); State House News, House Session (July 12, 2007), supra note 36; State House
News State Capitol Briefs (Jan. 11, 2007), http://www.statehousenews.com (archives can
only be accessed with a membership to this website).
217. State House News, House Session (July 12, 2007), supra note 12 (statement by Rep.
Straus).
218. Id. (statement by Rep. Costello).
219. State House News, State Capitol Briefs (Jan. 11, 2007), supra note 217 (statement
by Rep. Costello).
The legislative history does not explicitly mention the incorporation
of a private right of action in 93H, and it can even be inferred that some
legislators were against such an idea. 220 Nevertheless, a private right of
action would be consistent with and would help achieve the legislative
intent of 93H. A private right of action corresponds with and helps to
further the legislative intent of deterring and protecting consumers from
identity theft because a private right of action not only helps to shift the
economic burden away from consumers, but it also encourages businesses
to maintain stronger security measures. 221 Shifting the economic burden
away from consumers helps to protect them from the economic harms of
identity theft and encouraging businesses to adopt stronger security
measures helps to deter the occurrence of identity theft.
Second, a private right of action for consumers is also consistent with
the statutory scheme of chapter 93A, Massachusetts' consumer protection
statute, which provides a private right of action to "[a]ny person . . . who
has been injured by another person's use or employment of any method, act
or practice declared to be unlawful." 222 The Supreme Judicial Court of
Massachusetts has interpreted 93A, after it was amended in 1979, as
providing a private right of action to any person who incurred a loss of
property or money, or suffered a personal injury, from an unfair or deceptive
act. 223 The court has further explained that this injury can be caused by
anyone who "invades any legally protected interest of another." 224
Chapter 93H does not explicitly prohibit unfair or deceptive acts, but
it is akin to 93A nevertheless. First, both statutes regulate business
activity. 225 Second, both statutes seek to protect the welfare and safety of

220. In a Senate Session held on July 17, 2007, State Senator Morrissey summarized
House Bill 4144 in the following manner: "If your data is compromised then you are
entitled to a notice and you will be able to get a security freeze, nothing more nothing less."
State House News, Senate Session (July 17, 2007), supra note 217 (statement by Senator
Morrissey) (emphasis added). Though Senator Morrissey's statement does not explicitly
reject the idea of a private right of action, it does suggest that he was only in favor of notice
and a security freeze. See id.
221. See supra Part III.A (discussing the benefits of a private right of action).
222. MASS. GEN. LAWS ch. 93A, § 9 (2006).
223. Hershenow v. Enter. Rent-A-Car Co., 840 N.E.2d 526, 533 (Mass. 2006). Prior to
the 1979 amendment, the court had held that a loss of money or property was needed to
bring a claim under section 9 of chapter 93A. Baldassari v. Pub. Fin. Trust, 337 N.E.2d 701,
708 (Mass. 1975), superseded by statute, St. 1979, c. 406, § 1, as recognized in Leardi v.
Brown, 474 N.E.2d 1094, 1100 n.8 (Mass. 1985). The statute, St. 1979, c. 406, § 1, was later
codified in the Massachusetts General Laws at ch. 93A, § 9(1). Id.
224. Hershenow, 840 N.E.2d at 534 (quoting Leardi, 474 N.E.2d at 1101).
225. Compare MASS. GEN. LAWS ch. 93A, § 2(a) (declaring that businesses may not
engage in unfair or deceptive practices), with MASS. GEN. LAWS ch. 93H, § 2 (Supp. 2007)
(requiring businesses to follow safeguard regulations promulgated by the Massachusetts
consumers. 226 Finally, the similarity between the statutes is also evidenced
by the fact that both statutes seek to protect consumers from crimes that can
cause both economic and noneconomic injuries. 227 Based on these
similarities it appears that both 93A and 93H share the common goal of
consumer protection and therefore it seems paradoxical or inconsistent that
93H does not also contain a private right of action.

C. Deciding In re TJX in the Plaintiffs' Favor

If the Massachusetts Legislature declines to amend 93H, consumers
can nevertheless obtain a private right of action through Massachusetts
common law. A compelling argument can be made, under the dicta of Kuhn
v. Capital One Financial Corp. and the rationale of the minority position
described above, that the In re TJX court could have allowed the plaintiffs'
negligence claim to go forward. 228
As documented above, the parties in In re TJX differed over whether
the security breach caused the plaintiffs to suffer actual injuries. 229 The
plaintiffs claimed that they suffered numerous injuries, which included out-
of-pocket expenses, fear and apprehension of identity theft, the burden of
and time lost to closely examining account statements for unauthorized
activity, the burden of contesting fraudulent charges, damage to credit
history, and loss of privacy. 230 These injuries typify injuries incurred by
identity theft victims. 231 Yet a majority of courts have found these harms to
be insufficient to constitute actual injuries, finding instead that an alleged
increase in risk of future injury is not an actual or imminent injury. 232
The majority approach rejects the argument that an alleged increase in
risk of identity theft is an actual injury because it misconstrues the nature of
identity theft. In order for identity theft to occur, an individual's personal
information must first be obtained by another person and then used for an

Department of Consumer Affairs and Business Regulations).
226. Compare MASS. GEN. LAWS ch. 93A, § 9 (providing consumers with a private right
of action), with MASS. GEN. LAWS ch. 93H, § 3 (requiring businesses to notify residents after
they incur a security breach).
227. Compare Hershenow, 840 N.E.2d at 532-33 (noting 93A permits recovery for loss
of money and for emotional distress), with MASS. GEN. LAWS ch. 93H, § 2 (recognizing
substantial harm (economic loss) and inconvenience (noneconomic loss)).
228. See Kuhn v. Capital One Fin. Corp., No. 05-P-810, 2006 WL 3007931, at *3 (Mass.
App. Ct. Oct. 23, 2006); supra Part II.D.3.b.
229. See supra Part I.A.
230. Complaint, supra note 2, at 30-31.
231. See MAY & HEADLEY, supra note 50, at 36-38 (discussing the injuries incurred by
consumers as a result of identity theft).
232. Key v. DSW Inc., 454 F. Supp. 2d 684, 689 (S.D. Ohio 2006).
unauthorized purpose. 233 The majority approach regards any injury caused
by the unauthorized use of another's personal information as too
speculative to constitute an actual injury because the harm is contingent
upon the future conduct of a third actor. 234 The effect of this analysis is
twofold. First, it allows the court to reject the possibility that a business's
failure to safeguard personal information caused or gave rise to any
subsequent unauthorized use by a third party. Second, it allows the court to
reject the argument that the initial theft of the personal information caused
the victim to incur an injury or incur costs associated with preventing
identity theft. Instead, the majority approach considers any future
misconduct by a third party to be speculative and any preventive costs
incurred as anticipatory to a possible, but not yet certain, future harm. 235 By
excluding the initial theft from the legal analysis, the majority approach
ignores the fact that the risks or harms of identity theft do not necessarily
materialize immediately after the initial theft, but can instead linger for a
considerable amount of time before they are discovered by the victim.
The Massachusetts Court of Appeals, in Kuhn v. Capital One
Financial Corp., recognized that "the value of the time spent in seeking
to prevent or undo the harm caused by the tortious conduct of another" is a
recoverable injury. 236 Unlike the majority approach, the Kuhn court and the
minority position described above recognized that the theft of an
individual's personal information can give rise to foreseeable risks. 237 The
inclusion of the initial theft in the analysis of whether the plaintiff incurred
an injury specifically allowed the Kuhn and Bell courts to recognize time
lost to preventing identity theft as an actual injury. 238 This approach

233. See supra note 51 and accompanying text.
234. See Key, 454 F. Supp. 2d at 690 (arguing that identity theft injuries are too
speculative because they are contingent upon the unauthorized use of personal information
by another).
235. See Kahle v. Litton Loan Servicing, LP, 486 F. Supp. 2d 705, 710-11 (S.D. Ohio
2007) (discussing why identity theft causes speculative, rather than actual injuries).
236. Kuhn v. Capital One Fin. Corp., No. 05-P-810, 2006 WL 3007931, at *3 (Mass.
App. Ct. Oct. 23, 2006).
237. See Kuhn, 2006 WL 3007931, at *3 (recognizing that the value of time spent in
preventing or undoing harm caused by another's tortious activity is a recoverable injury);
Daly v. Metro. Life Ins. Co., 782 N.Y.S.2d 530, 535 (N.Y. Sup. Ct. 2004) (discussing the
growth in damages caused by identity theft); Bell v. Mich. Council 25 of Am. Employees,
AFL-CIO, Local 1023, No. 246684, 2005 WL 356306, at *5 (Mich. Ct. App. Feb. 15, 2005)
(noting that the possibility of identity theft is all too commonplace).
238. See Kuhn, 2006 WL 3007931, at *3 (noting that the plaintiff spent considerable
time and money attempting to remove the charges from her account); Bell, 2005 WL
356306, at *7 (noting that the plaintiffs spent numerous hours trying to correct the
problems created by the identity theft, which left their collective credit in ruins).
recognizes the reality that even though the harm caused by identity theft
does not necessarily materialize immediately after the initial theft of the
personal information, it nevertheless is caused by that initial theft. The
injuries alleged by the plaintiffs in In re TJX all followed from the initial
breach that occurred in July of 2005. Therefore, under the Kuhn and the
minority approach, the injuries should be recognized as actual injuries.
Once a court recognizes that the risk of identity theft gives rise to foreseeable
injuries, it can allow the plaintiffs' negligence claim to go forward.

CONCLUSION
Since the announcement of the TJX incident and the passage of 93H,
identity theft has victimized Massachusetts residents on several different
occasions. Two notable incidents include the theft of a list containing the
Social Security numbers of some 480 seniors, 239 and the theft of student
identification information used to obtain admission to Harvard. 240 In fact,
in 2007 alone, 4,292 Massachusetts residents reported being victims of
identity theft, which was about a five percent increase from the 4,102
reported incidents in 2006. 241
The state legislature enacted 93H to combat incidents like the TJX
security breach and the two subsequent examples above. 242 Though helpful
in mitigating some of the damage caused by identity theft, the notification
safeguards set forth in 93H are not sufficient to achieve the legislature's goal
of mitigating or preventing the harm caused by identity theft. 93H falls
short of its goal because a requirement to provide only notice does not shift
the economic burden back to the business that failed to safeguard its
customers' personal information, and it does not increase the potential loss
that a business may incur because of identity theft. Consequently, under
93H, businesses are not inclined to employ stricter security measures.
The fight against identity theft in Massachusetts can be strengthened
considerably by adopting, either through amendment or judicial decision, a
private right of action for Massachusetts citizens who are injured because
of a business's failure to safeguard the personal information it holds. A private right
of action contributes to deterring and preventing identity theft because it
encourages businesses to employ stronger security measures by shifting the

239. Rachana Rathi, Mailed Flu Shot Lost; Probe on; Wellesley Elders' Names on
Roster, BOSTON GLOBE, Feb. 29, 2008, at B3, available at 2008 WLNR 4031539.
240. New England In Brief: Identity Theft Cited in Harvard Admission, BOSTON GLOBE,
Feb. 5, 2008, at B2, available at 2008 WLNR 2171307.
241. Kytja Weir, This Year, Get Obsessed With Shredding, BOSTON GLOBE, Feb. 24,
2008, at K2, available at 2008 WLNR 3827635.
242. See supra Part I.B (discussing the passage of 93H); notes 239-240 and
accompanying text.
cost of identity theft away from consumers and back to businesses, and it
provides a means of recovery for the victims themselves. Adopting a
private right of action for Massachusetts citizens can be easily achieved as
well, since such a right is consistent with both the legislative intent of 93H
and the ruling in Kuhn v. Capital One Financial Corp. But until a private
right of action is recognized in Massachusetts, Massachusetts residents,
rather than the businesses they patronize and that fail to safeguard their
customers' personal information, will continue to bear the full brunt of the
harm caused by identity theft.