A MISSED OPPORTUNITY TO BOLSTER CONSUMER PROTECTION IN MASSACHUSETTS: HOW MASSACHUSETTS RESIDENTS ARE STILL WITHOUT A PRIVATE RIGHT OF ACTION AFTER THE TJX SECURITY BREACH

Owen Weaver*
Abstract: In early 2007, The TJX Companies, Inc. (TJX) suffered one of the largest security breaches in the history of the United States. Immediately thereafter a class action lawsuit, In re TJX Companies Retail Security Breach (In re TJX), was filed by aggrieved customers in the District Court of Massachusetts, alleging that TJX's negligent failure to safeguard its wireless network resulted in their suffering of injuries, including identity theft. Several months later, the state of Massachusetts enacted Chapter 93H, a security breach notification statute that aims to deter or mitigate the effects of identity theft resulting from a security breach. While the aim of the enactment was to "put[] a number of critical safeguards in place to help the people of Massachusetts protect their credit and their good names," it does not include a private right of action. Consequently, a Massachusetts resident whose personal information is compromised after a business suffers a security breach has no statutory right of action under the act and instead must look elsewhere for redress. After the passage of Chapter 93H, In re TJX settled without addressing the question whether the aggrieved customers had a common law cause of action against TJX. This Note examines whether residents of Massachusetts should be given a private right of action. This Note argues that a private right of action is necessary for two reasons. First, because consumers bear the brunt of costs caused by identity theft, a private right of action is necessary to help shift those costs back to the businesses. Second, a private right of action provides a cheap and effective way to police businesses who maintain personal information databases, which in turn,
675
WEAVER FINAL 1/4/2010 11:29:37 AM
ultimately helps to deter the occurrence of identity theft. Finally, this Note proposes that a private right of action is attainable in Massachusetts by way of either the legislative or judicial process because such a right is consistent with either the legislative intent of 93H or with Massachusetts common law.
INTRODUCTION ..........................................................................................677
BACKGROUND ............................................................................................679
I. Massachusetts and Identity Theft ............................................679
A. The TJX Security Breach...................................................679
B. The Enactment of 93H......................................................681
II. A Broader Look at Identity Theft .......................................682
A. What is Identity Theft and How is it Committed?.............682
1. What is Identity Theft?................................................682
2. How is Identity Theft Committed?..............................683
B. The Country's Growing Identity Theft Problem ...............684
C. The Adverse Impact of Identity Theft ...............................686
D. The Nation's Response to the Problem..............................686
1. Federal Legislation......................................................687
2. State Legislation..........................................................687
a. Definition of Personal Information.......................689
b. Triggering Events .................................................690
c. Mechanics of Notification ....................................691
d. Enforcement of Notice Statutes ............................691
3. Class Action Litigation................................................692
a. The Majority Approach ........................................693
b. The Minority Approach ........................................694
i. Remsburg v. Docusearch ......................................695
ii. Bell v. Michigan Council 25 .................................695
iii. Daly v. Metropolitan Life Ins. Co. ........................696
c. Massachusetts Case Law ......................................697
ANALYSIS ..................................................................................................698
III. Why Massachusetts Should Adopt a Private Right of Action ......................................................................................698
A. The Necessity of a Private Right of Action ......................699
B. Amending 93H...................................................................702
C. Deciding In re TJX in the Plaintiffs' Favor .......................704
CONCLUSION ..............................................................................................706
INTRODUCTION
On January 17, 2007, The TJX Companies, Inc. (TJX), a Massachusetts corporation, announced that it had suffered a security breach which resulted in the theft of over 47.5 million credit and debit card numbers and other personal information concerning 451,000 of its customers. 1 In May of 2007, a consolidated consumer class action lawsuit was filed in the United States District Court for the District of Massachusetts alleging, among other things, that TJX was liable, under a theory of negligence, for damages incurred by the consumers. 2 The plaintiffs alleged that TJX breached an assumed duty of care to keep their personal information secure when it failed to adequately safeguard its wireless network, and that as a result of that breach, the plaintiffs incurred economic and non-economic injuries, including identity theft. 3

In a motion to dismiss, TJX argued that the plaintiffs could not bring their claim for negligence because in a majority of jurisdictions, the mere exposure to identity theft does not constitute a cognizable injury. 4 Consequently, TJX contended that the plaintiffs either lacked the requisite injury-in-fact to have standing to bring their claims, or in the alternative, the plaintiffs could not prove that they suffered an actual loss. 5 The issue of whether the class suffered the requisite injury-in-fact to either have standing or to prove negligence presented novel issues under Massachusetts law, but it was never resolved by the court because the parties eventually settled. 6
* Candidate for Juris Doctor, New England School of Law (2009), B.A., History, cum
laude, Ursinus College (2006).
1. Joseph Pereira, Breaking the Code: How Credit-Card Data Went Out Wireless
Door, WALL ST. J., May 4, 2007, at A1.
2. Consolidated Class Action Complaint at 34-39, In re TJX Cos. Retail Security
Breach Litigation, Consumer Track Actions, No. 07-10162-WGY (D. Mass. May 9, 2007)
[hereinafter Complaint].
3. See id.
4. Memorandum of Law in Support of Defendant The TJX Cos., Inc.'s Motion to Dismiss the Consolidated Complaint at 2, In re TJX Cos. Retail Security Breach Litigation, Consumer Track Actions, No. 07-10162-WGY (D. Mass.) [hereinafter Defense Memorandum].
5. Id. at 5, 10.
6. See Settlement Agreement at 3-5, In re TJX Cos. Retail Security Breach Litigation,
Consumer Track Actions, No. 07-10162-WGY (D. Mass. Sept. 21, 2007) [hereinafter
Settlement Agreement] (noting each party believed its claims or defenses had merit, but
found it desirable to settle).
7. See Gov. Patrick Signs Identity Theft Prevention Bill, U.S. STATE NEWS, Aug. 3,
2007, available at 2007 WLNR 14963183.
8. See MASS. GEN. LAWS ch. 93H (2007).
9. See Philip Gordon, Employees Face New Compliance Challenges as Massachusetts
Becomes the 39th State to Enact a Security Breach Notice Law, MONDAQ, Sept. 17, 2007,
available at 2007 WLNR 18187282.
10. Ch. 93H, § 3.
11. Gov. Patrick Signs Identity Theft Prevention Bill, supra note 7.
12. Id.
13. See ch. 93H, § 6 (noting that only the Attorney General has the right to enforce the provisions of the chapter).
14. See id. (noting no private right of action).
BACKGROUND
20. Kathleen Burdett Shields, Identity Theft: Lessons from the TJX Case, 51 BOSTON
B.J. 8, 8 (Oct. 2007); Pereira, supra note 1, at A1. On March 23, 2007, it was reported in the
Wall Street Journal that Florida police arrested six individuals for using credit card data
stolen from TJX. Joseph Pereira, TJX Card Data Is Focus of Arrests of Six in Florida,
WALL ST. J., Mar. 23, 2007, at A8.
21. Mark Jewell, 07 Logs Record Number in Data Theft, CHARLESTON GAZETTE, Dec.
31, 2007, at 7A.
22. Shields, supra note 20, at 8.
23. Memorandum and Order at 1-2, In re TJX Cos. Retail Security Breach Litigation,
No. 07-10161-WGY (D. Mass. Oct. 2, 2007).
24. Complaint, supra note 2, at 34-39.
25. Id. at 34-42 (alleging negligence, breach of contract in which plaintiffs and class members were third party beneficiaries, breach of implied contract, unfair trade practices under MASS. GEN. LAWS ch. 93A, § 9 (2008) and unfair trade practices under MASS. GEN. LAWS ch. 93A, § 11 (2008)).
26. Id. at 34-39.
27. Id. at 34, 37.
28. Id. at 9, 34-35.
outdated, but was also severely flawed. 29 The plaintiffs also argued that TJX was negligent because it took TJX eighteen months to detect the intrusions into its network. 30 As a result of TJX's negligence, the plaintiffs alleged that they suffered several injuries, which included a loss of time and money in trying to protect their financial and personal well-being. 31 Specifically, one of the named plaintiffs incurred a fourteen dollar charge for a credit report that revealed fraudulent credit inquiries had been made in her name, and another of the named plaintiffs had her debit card cancelled as a result of the breach, which caused her to incur[] a $20 penalty because her automatic bill-pay transaction failed. 32

TJX vehemently denied these allegations and argued, in a motion to dismiss, that the plaintiffs either lacked standing or could not prove negligence because consumers who are merely exposed to identity theft, or who then take steps or incur costs to thwart possible identity theft, have incurred no cognizable damage. 33 The district court never resolved the dispute of whether the plaintiffs suffered the requisite injury needed for standing or to prove negligence because the parties settled out of court. 34
29. Id. at 9-11, 34-37. The complaint alleges that most merchants by 2003 had
abandoned WEP encryption for a more secure system called Wi-Fi Protected Access
(WPA). See id. at 17.
30. Complaint, supra note 2, at 18, 38 ("TJX failed to detect the data intrusion in a timely manner.").
31. See Plaintiffs' Memorandum in Opposition to Defendant TJX Cos. Motion to Dismiss at 1, In re TJX Cos. Retail Security Breach Litigation, Consumer Track Actions, No. 07-10162-WGY (D. Mass. July 13, 2007) [hereinafter Plaintiffs' Memorandum].
32. Id. at 4.
33. Defense Memorandum, supra note 4, at 2.
34. See Settlement Agreement, supra note 6, 3-5 (noting the parties decided to settle).
35. See Shields, supra note 20, at 10.
36. See State House News, House Session, ID Theft Conference Committee (July 12,
2007), http://www.statehousenews.com (noting a 155-0 roll call vote to accept the
conference report) (archives can only be accessed with a membership to this website).
37. See MASS. GEN. LAWS ch. 93H (Supp. 2007).
38. Id.
39. Id. § 3.
40. Id.
41. Id.
42. Id. at 2.
43. MASS. GEN. LAWS ch. 93H, § 6 (Supp. 2007).
44. See infra Part II.B (chronicling notable security breaches that occurred in 2005).
45. See infra Part II.A.
46. See infra Part II.B.
47. See infra Part II.C.
48. See infra Part II.D.
encompasses far more activities than just those that seek illegal financial gain. 50 In actuality, identity theft occurs whenever a person's personal or financial information is obtained and then used by another for an illegal or unauthorized purpose. 51

The breadth of activity that can constitute or give rise to identity theft is astonishing. For example, some identity theft involves the compromise of a person's entire identity by an identity thief. 52 These long-term identity thieves often assume the identity of another to avoid paying child support or to gain the benefits of another's college transcript or employment history. 53 Furthermore, some identity theft is even motivated by a need for deception. 54 For example, providing someone else's personal identifying information to a law enforcement officer upon arrest constitutes identity theft. 55 Consequently, the crime of identity theft can occur in a multitude of settings or under a wide variety of circumstances.

49. See Erin Font, Who Should Pay the Price for Identity Theft?, 54 FED. LAW. 24, 25 (2007) (noting that in a recent survey, ninety-one percent of the respondents reported being concerned that their identity might be stolen and used to make unauthorized purchases).
50. See DAVID A. MAY & JAMES E. HEADLEY, IDENTITY THEFT 17 (David A. Schultz &
Christina DeJong eds., 2004) (discussing in particular the non-economic motives of the
long-term identity thief).
51. See Holly K. Towle, Identity Theft: Myths, Methods, and New Law, 30 RUTGERS
COMPUTER & TECH. L.J. 237, 242 (2004).
52. MAY & HEADLEY, supra note 50, at 17.
53. Id.
54. See Towle, supra note 51, at 242.
55. Id. This type of identity theft is known as criminal identity theft. Id.
56. MAY & HEADLEY, supra note 50, at 4.
57. Font, supra note 49, at 26.
58. For a detailed discussion of various methods that give rise to identity theft, see
Font, supra note 49, at 26, and Towle, supra note 51, at 249.
69. See MAY & HEADLEY, supra note 50, at 26 (noting in 2000 the FTC received 31,000
complaints and 86,168 complaints in 2001, a 277% increase); Victor, supra note 65, at 274
(noting the FTC received nearly 250,000 complaints in 2004).
70. Jewell, supra note 24, at 7A.
71. FED. TRADE COMM'N, ABOUT IDENTITY THEFT, http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/about-identity-theft.html (last visited Nov. 25, 2008).
72. See St. Amant, supra note 68, at 521.
73. Id.
74. See id.; MAY & HEADLEY, supra note 50, at 24.
75. St. Amant, supra note 68, at 508; Tom Zeller Jr., Release of Consumers' Data Spurs ChoicePoint Inquiries, N.Y. TIMES, Mar. 5, 2005, at C2, available at 2005 WLNR 3354817.
76. Sarah Ludington, Reining in the Data Traders: A Tort for the Misuse of Personal
Information, 66 MD. L. REV. 140, 155 (2006); see Tom Zeller Jr., Another Data Broker
Reports a Breach, N.Y. TIMES, Mar. 10, 2005, at C1, available at 2005 WLNR 3685658.
77. Derek A. Bishop, To Serve and Protect: Do Businesses Have a Legal Duty to
Protect Collections of Personal Information, 3 SHIDLER J. L. COM. & TECH. 7 (2006); see
Faulkner, supra note 60, at 1098.
brief synopsis of both the legislative response that Congress and the states have taken to combat this growing problem and the litigation that has also ensued.

1. Federal Legislation

Congress has taken essentially two approaches toward ensuring information security and preventing identity theft. 88 During the 1990s, Congress passed several acts that specifically promulgated or authorized federal agencies to promulgate standards for keeping certain information confidential. 89 For example, the Health Insurance Portability and Accountability Act, better known as HIPAA, authorized the Department of Health and Human Services to impose restrictions on how and when a healthcare provider can disclose patient medical records. 90

More recently, several security breach notification bills have been proposed in the House and in the Senate. 91 One proposed bill in the House would instruct the FTC to establish minimum security practices and require a business that suffers a security breach to provide nationwide notice of the event. 92 A proposed bill in the Senate would require entities to notify all affected Americans of a security breach after the entity knows or has reason to believe personal information was compromised. 93 Neither of the proposed bills, however, includes a private right of action; in fact, the Senate bill would explicitly preempt any offered state remedy. 94 As of today, Congress has yet to pass a general notification statute. 95

2. State Legislation

Almost all of the states have enacted legislation criminalizing identity theft. 96 Forty-four states have specifically criminalized identity theft and five other states have enacted laws that encompass activities that can constitute identity theft. 97
88. For a greater discussion on proposed federal notification bills see Faulkner, supra
note 60, at 1114-15.
89. Id. at 1115.
90. See 45 C.F.R. §§ 160.102, 164.502 (2005).
91. Faulkner, supra note 60, at 1114-15 (discussing House Bill 4127 and Senate Bill
1789).
92. Data Accountability and Trust Act, H.R. 4127, 109th Cong. (2005).
93. Personal Data Privacy and Security Act of 2005, S. 1789, 109th Cong. (2005).
94. Faulkner, supra note 60, at 1119-21 (discussing House Bill 4127 and Senate Bill
1789).
95. Id. at 1114-15.
96. See Towle, supra note 51, at 301-02.
97. Id. Only Vermont has not enacted legislation that either expressly criminalizes or encompasses the activities that fit within the definition of identity theft. Id. at 301-02 n.298.
98. See, e.g., ARIZ. REV. STAT. ANN. § 44-7501 (Supp. 2007); ARK. CODE ANN. § 4-110-105 (2007); CAL. CIV. CODE § 1798.29 (West Supp. 2008); COLO. REV. STAT. § 6-1-716 (2008); CONN. GEN. STAT. § 36a-701b (2008); DEL. CODE ANN. tit. 6, §§ 12B-102-03 (2007); FLA. STAT. § 817.5681 (2006); GA. CODE ANN. § 10-1-912 (Supp. 2008); HAW. REV. STAT. § 487N-2 (Supp. 2007); IDAHO CODE ANN. §§ 28-51 to -105 (Supp. 2008); 815 ILL. COMP. STAT. 530/10-12 (2008); IND. CODE §§ 24-4.9-1-1 to -5-1 (2006); KAN. STAT. ANN. §§ 50-7a01 to -7a04 (Supp. 2007); LA. REV. STAT. ANN. §§ 51:3071-:3077 (Supp. 2008); ME. REV. STAT. ANN. tit. 10, §§ 1347 to 1350-A (Supp. 2007); MD. CODE ANN., CRIM. LAW §§ 8-304 to -305 (LexisNexis Supp. 2007); MASS. GEN. LAWS ch. 93H, §§ 1-6 (2007); MICH. COMP. LAWS § 445.72 (2008); MINN. STAT. § 325E.61 (2008); MONT. CODE ANN. §§ 30-14-1701 to -1705 (2007); NEB. REV. STAT. §§ 87-801 to -807 (2006); NEV. REV. STAT. §§ 603A.010-.040, 633A.220 (2007); N.H. REV. STAT. ANN. §§ 359-C:19 to :21 (2007); N.J. STAT. ANN. § 56:8-163 (West Supp. 2008); N.Y. GEN. BUS. LAW § 899-aa (McKinney Supp. 2008); N.C. GEN. STAT. § 75-65 (2007); N.D. CENT. CODE §§ 51-30-01 to -07 (2007); OHIO REV. CODE ANN. § 1349.19 (West Supp. 2008); OKLA. STAT. tit. 74, § 3113.1 (2008); OR. REV. STAT. § 646A.604 (2007); 73 PA. STAT. ANN. § 2303 (West Supp. 2008); R.I. GEN. LAWS §§ 11-49.2-1 to -7 (2007); TENN. CODE ANN. § 47-18-2107 (Supp. 2007); TEX. BUS. & COM. CODE ANN. § 48.103 (Vernon 2007); UTAH CODE ANN. §§ 13-44-101 to -45-301 (Supp. 2008); VT. STAT. ANN. tit. 9, §§ 2430, 2435 (2007); WASH. REV. CODE § 19.255.010 (2006); WIS. STAT. § 895.507 (2006); WYO. STAT. ANN. § 40-12-502 (2007). The only states that have not enacted a notice statute are: Alaska, Alabama, Iowa, Kentucky, Mississippi, Missouri, New Mexico, South Carolina, South Dakota, Virginia, and West Virginia. Gordon, supra note 9, at n.1.
99. Faulkner, supra note 60, at 1105.
100. Kennedy, supra note 61, at 101-02.
101. Id. at 101.
102. See Catherine M. Bump et al., Summary of State Data Security Laws as of March 2006, in SEVENTH ANNUAL INSTITUTE ON PRIVACY LAW: EVOLVING LAWS AND PRACTICES IN A SECURITY-DRIVEN WORLD 39, 43 (Francoise Gilbert et al. eds., 2006); see also CAL. CIV. CODE § 1798.29 (West Supp. 2008).
most of the other notification statutes enacted by other states. 103 Some states, however, have enacted notice statutes that vary considerably from the California model. 104 Except for a few deviations, Massachusetts's 93H is of the California ilk. 105

Generally, all notice statutes contain provisions that pertain to what type of personal information is protected under the law, when notification is required, what forms of notification are permissible, how long a business has to deliver the notification and who may enforce the provisions of the statute. 106

that 93H encompasses more data than the general definition. 111 Some other states, such as North Carolina, have chosen to expand their definitions of personal information to also include biometric data, fingerprints, account passwords and parents' legal surnames prior to marriage. 112
b. Triggering Events
Most states follow California's definition that a data security breach is "the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business." 113 Massachusetts and a minority of other states have, however, adopted a stricter definition of security breach. 114 Chapter 93H defines security breach as:

[T]he unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. 115

One commentator noted that the standard adopted by Massachusetts relieves businesses of having to provide notice if the security breach does not give rise to a subsequent threat of identity theft. 116 Other states that have adopted stricter definitions of security breach include North Carolina and Florida. 117
c. Mechanics of Notification
Most notification statutes allow businesses to notify residents through the postal service or via electronic correspondence, and Massachusetts has not deviated from this norm. 118 Some states also permit notification by telephone. 119 One unique variation is found in Utah, where the notification requirement can be satisfied by publishing a disclosure in a generally circulated newspaper. 120 93H, like other notification statutes, waives the written notification requirement if the business can demonstrate that the cost of providing written notice will exceed $250,000, that the number of residents that need to be notified is above 500,000, or that the business lacks sufficient contact information to provide notice. 121

With respect to the timing of notification, Massachusetts closely mirrors California's statute in that 93H provides that notice should be delivered "as soon as practicable and without unreasonable delay." 122 One caveat in 93H allows a business to delay giving notice if a law enforcement agency determines that disclosure could impede a criminal investigation. 123
information where illegal use of the personal information has occurred or is reasonably
likely to occur or that creates a material risk of harm to a consumer).
118. See, e.g., CAL. CIV. CODE § 1798.82(g)(1)-(2); MASS. GEN. LAWS ch. 93H, § 1(a)(i)-(ii); N.C. GEN. STAT. § 75-65(e)(1)-(2).
119. See, e.g., N.C. GEN. STAT. § 75-65(e)(3).
120. UTAH CODE ANN. § 13-44-202(5)(a)(iv) (West 2008).
121. MASS. GEN. LAWS ch. 93H, § 1(a)(iii). The substitute notice provision in 93H is similar to the provision found in the California statute. Compare MASS. GEN. LAWS ch. 93H, § 1(a)(iii), with CAL. CIV. CODE § 1798.82(g)(3).
122. MASS. GEN. LAWS ch. 93H, § 3(a). California's statute requires that disclosure shall be made "in the most expedient time possible and without unreasonable delay." CAL. CIV. CODE § 1798.82(a).
123. MASS. GEN. LAWS ch. 93H, § 4.
124. See, e.g., CAL. CIV. CODE § 1798.84(b) (West 2008) ("Any customer injured by a violation of this title may institute a civil action to recover damages."); LA. REV. STAT. ANN. § 51:3075 (2007) ("A civil action may be instituted to recover actual damages resulting from the failure to disclose in a timely manner to a person that there has been a breach of the security system resulting in the disclosure of a person's personal information."); TENN. CODE ANN. § 47-18-2107(h) (West 2007) ("Any customer of an information holder who is a person or business entity, but who is not an agency of the state or any political subdivision of the state, and who is injured by a violation of this section, may institute a civil action to recover damages and to enjoin the person or business entity from further action in violation of this section.").

states, on the other hand, limit the right to enforce their notice statutes to just the state's attorney general. 125 93H authorizes the Attorney General to "bring an action pursuant to section 4 of chapter 93A against a person or otherwise to remedy violations of this chapter and for other relief that may be appropriate." 126
125. See, e.g., ARK. CODE ANN. § 4-110-108 (West 2007) ("Any violation of this chapter is punishable by action of the Attorney General under the provisions of § 4-88-101 et seq."); MASS. GEN. LAWS ch. 93H, § 6 ("The attorney general may bring an action pursuant to section 4 of chapter 93A against a person or otherwise to remedy violations of this chapter and for other relief that may be appropriate."); OHIO REV. CODE ANN. § 1349.19(I) (West 2007) ("The attorney general may conduct pursuant to sections 1349.191 and 1349.192 of the Revised Code an investigation and bring a civil action upon an alleged failure by a person to comply with the requirements of this section.").
126. MASS. GEN. LAWS ch. 93H, § 6.
127. See supra Part III.D.2.d.
128. See, e.g., Key v. DSW, Inc., 454 F. Supp. 2d 684, 685 (S.D. Ohio 2006); Complaint,
supra note 2, at 34-39 (alleging negligence).
129. See Kathryn E. Picanso, Protecting Information Security Under a Uniform Data
Breach Notification Law, 75 FORDHAM L. REV. 355, 376-77 (2006).
130. See Complaint, supra note 2, at 34-42 (noting the causes of action pursued by the plaintiffs). The consumers' complaint in TJX did include a claim of breach of fiduciary duty, but it was within their claim of negligence. Id. at 34-37.
131. Glidden v. Maglio, 722 N.E.2d 971, 973 (Mass. 2000).
federal, that have addressed this issue have found against the application of negligence in these settings. 132 Yet a small but growing number of minority jurisdictions have begun to allow negligence claims to go forward. 133
132. See, e.g., Key, 454 F. Supp. 2d at 685 (finding that the plaintiff lacked standing to bring a claim of negligence); Giordano v. Wachovia Sec., LLC, No. 06-476 (JBS), 2006 WL 2177036, at *4 (D.N.J. July 31, 2006) (finding that the plaintiff failed to prove an injury-in-fact and therefore lacked standing).
133. See, e.g., Remsburg v. Docusearch, Inc., 816 A.2d 1001 (N.H. 2003) (finding that an internet information broker had a duty of care to the person whose information it sold); Bell v. Mich. Council 25 of Am. Fed'n of State, County, Mun. Employees, AFL-CIO, Local 1023, No. 246684, 2005 WL 356306 (Mich. Ct. App. Feb. 15, 2005) (finding that a union owes its members a duty of care to protect its members' personal information from identity theft); Daly v. Metro. Life Ins. Co., 782 N.Y.S.2d 530 (N.Y. Sup. Ct. 2004) (recognizing that holders of confidential personal information enter into a covenant of trust and confidence with the person providing the information and therefore the holder has a duty to protect that information from identity theft).
134. See, e.g., Giordano, 2006 WL 2177036, at *4 (finding that the plaintiff failed to prove an injury-in-fact and therefore lacked standing).
135. See, e.g., Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629 (7th Cir. 2007) (holding that the mere allegation of an increased risk of identity theft does not constitute a recognizable injury).
136. Key, 454 F. Supp. 2d at 689.
137. See id. at 689-91 (applying the majority approach).
i. Remsburg v. Docusearch

The New Hampshire Supreme Court considered the question of whether an internet information broker, who sells a third party's information to a client, has a duty to that third party. 146 The case arose after Docusearch.com sold the Social Security number and employment information of Amy Lynn Boyer to Liam Youens. 147 Several days after the transaction, Youens drove to Boyer's place of employment and shot and killed her before taking his own life. 148

The New Hampshire Supreme Court held that "the threats posed by stalking and identity theft generate a sufficient foreseeable risk of criminal misconduct so that an [internet information broker] has a duty to exercise reasonable care in disclosing a third person's personal information to a client." 149 The court noted that a private citizen has no general duty to protect others from the criminal attacks of third parties, but that exceptions to the rule exist when a party realizes or should realize that his conduct has created a condition which involves an unreasonable risk of harm to another. 150 The court imposed a duty here because it found it foreseeable that stalkers may use internet information brokers to obtain personal information about their victims. 151 The court also recognized the prevalence and risk of identity theft after the disclosure of an individual's personal information. 152
145. Bishop, supra note 77, at *4 (discussing the holdings of Remsberg and Bell).
146. Remsburg, 816 A.2d at 1004.
147. Id. at 1005-06.
148. Id. at 1006.
149. Id. at 1008.
150. Id. at 1006-07.
151. Id. at 1007.
152. Remsburg, 816 A.2d at 1007 ("Identity theft . . . is an increasingly common risk associated with the disclosure of personal information, such as a [Social Security Number].").
153. Bell v. Mich. Council 25 of Am. Fed'n of State, County, Mun. Employees, AFL-CIO, Local 1023, No. 246684, 2005 WL 356306, at *1 (Mich. Ct. App. Feb. 15, 2005).
154. Id.
155. Id. at *2.
156. Id.
157. Id. at *3.
158. Id. at *4.
159. Bell, 2005 WL 356306, at *4.
160. Id. at *5.
161. Daly v. Metro. Life Ins. Co., 782 N.Y.S.2d 530, 531 (N.Y. Sup. Ct. 2004).
162. See id.
name. 163 In her suit, the plaintiff accused the defendant of negligently "allow[ing] non-Met Life employees unfettered access to [her] confidential information." 164

In analogizing this case to cases involving breaches of fiduciary duties, the court recognized that a covenant of trust and confidence may be inferred in business dealings, and that here the plaintiff had placed her trust in and relied upon the defendant. 165 Because of this relationship, the defendant had a duty to protect the plaintiff's confidential information. In denying the defendant's motion to dismiss, the court noted that even the defendant recognized a duty to safeguard its clients' personal information, as shown by the fact that it issued privacy notices that detailed the procedures the defendant used to protect its customers' personal information. 166

summary judgment on the grounds that the plaintiff could not prove either that Capital One was responsible for the security breach or that she suffered any damages. 172 The motion judge granted Capital One's request because, in her opinion, further depositions were unlikely to yield any information that would affect the outcome. 173
ANALYSIS
172. Id.
173. Id.
174. Id. at *4.
175. Id. at *3.
176. Id.
177. See Kuhn, 2006 WL 3007931, at *3.
178. Id. (quoting RESTATEMENT (SECOND) OF TORTS § 919 (1977)). The Restatement (Second) of Torts § 919 (1977) reads "[o]ne whose legally protected interests have been endangered by the tortious conduct of another is entitled to recover for expenditures reasonably made or harm suffered in a reasonable effort to avert the harm threatened."
179. See supra Part II.C.
180. Gov. Patrick Signs Identity Theft Prevention Bill, supra note 7.
181. MASS. GEN. LAWS ch. 93H, § 6 (2006).
negligence under the theory that mere exposure to identity theft does not constitute a cognizable injury. 182 This section offers an argument for why a private right of action is necessary and how it can be achieved either statutorily or judicially in Massachusetts.
and 8% respectively from the year before. 191 This increase in profit does
not suggest that TJX intentionally passed its losses on to its customers, but
it does illustrate two points. First, TJX's ability to generate capital in a
relatively short time allowed it to offset a significant portion of the
losses it incurred as a result of the security breach. 192 Second, TJX's
increased sales support the notion that consumers, not businesses,
shoulder the costs stemming from identity theft. 193
While businesses like TJX can turn to the mechanisms described
above, consumers in Massachusetts have no comparable options. Instead,
after a security breach, Massachusetts consumers are forced to absorb not
only their own personal expenses, 194 but also the expenses incurred by
businesses. 195 A private right of action would help to mitigate this burden
by giving consumers a mechanism through which they can shift the costs
of identity theft back to the businesses whose negligence facilitated the
identity theft in the first place. 196
A private right of action would not only help to shift the burden away
from consumers, 197 but would also help to police businesses that
maintain personal information databases. 198 Under current Massachusetts
law, businesses have little economic incentive to employ stricter, more
expensive identity theft security measures. 199 From a cost-benefit standpoint,
maintaining customer personal information facilitates business transactions
and encourages economic growth, 200 while the cost of identity theft can be
191. TJX Posts a Strong Q4 as it Settles Breach Claims, CARDLINE, Feb. 22, 2008, at 1,
available at 2008 WLNR 3508497.
192. See id.
193. See Victor, supra note 65, at 283.
194. See supra text accompanying note 32 for examples of personal expenses incurred by
consumers because of the TJX security breach.
195. For example, the $256 million in charges incurred by TJX after the security breach
included costs related to upgrading computer software and settlement agreements with the
injured consumers, banks, and credit card companies. See Kerber, supra note 190, at 1E;
Ross Kerber, N.E. Banks, TJX Reach Agreement on Breach, BOSTON GLOBE, Dec. 19, 2007,
at C3. Consumers like Hanna Lipman, whose credit card was cancelled by Visa because of
the breach, helped TJX cover its expenses by continuing to spend an estimated $100 a
month at TJX stores after the breach. See Kerber, supra note 190, at 1E.
196. See Faulkner, supra note 60, at 1122-25 (arguing for a private right of action under
the laws of fiduciary duty).
197. See id. (arguing for a private right of action under the laws of fiduciary duty).
198. See Victor, supra note 65, at 306.
199. See id. at 281. Massachusetts is not alone in this: federal law and other states' laws
have also failed to decrease identity theft incidents. See Ludington, supra note 76, at 151.
200. See Charles D. Morgan, Chief Executive Officer, Acxiom Corp., Before the Federal
Trade Commission Public Workshop: Information Flows: The Costs and Benefits to
Consumers and Businesses of the Collection and Use of Consumer Information (June 18,
businesses whose failure to comply with the law injured them. 211 Thus, to
avoid the prospect of such litigation, a business is likely to employ
strong security measures to ensure that it complies with the law. 212
B. Amending 93H
There is currently no private right of action in 93H for consumers
whose personal information was compromised in a security breach. 213
Instead, the Massachusetts Legislature gave only the state's Attorney
General the power to enforce 93H. 214 Adding a private right of action to
93H would be consistent with both the legislative goal behind 93H and the
statutory scheme of chapter 93A.
First, like the underlying goals of 93H, a private right of action helps to deter
identity theft and to protect personal information. 215 The legislative
history of 93H suggests that the Massachusetts Legislature sought to deter
identity theft and better protect consumers from it after the TJX security
breach. 216 This legislative intent can be inferred from the fact that, just prior
to 93H's enactment, one representative praised House Bill 4144 as a means
of "protecting the public from the crime of identity theft," 217 while another
insisted that "this is a great day for consumers" and "[i]f TJX happened
under this bill, you would be notified in three days and be able to take steps
on your own to protect yourself." 218 Further evidence of the legislative
intent can be gathered from another representative's comment, made earlier
in the legislative history of House Bill 4144, that ID theft complaints
"commonly [take] a backseat to prosecution of other crimes," and that
"[p]assing laws to prevent the crime and creating a sophisticated team to
prosecute future crimes are essential steps." 219
220. In a Senate Session held on July 17, 2007, State Senator Morrissey summarized
House Bill 4144 in the following manner: "If your data is compromised then you are
entitled to a notice and you will be able to get a security freeze, nothing more nothing less."
State House News, Senate Session (July 17, 2007), supra note 217 (statement by Senator
Morrissey) (emphasis added). Though Senator Morrissey's statement does not explicitly
reject the idea of a private right of action, it does suggest that he was only in favor of notice
and a security freeze. See id.
221. See supra Part III.A (discussing the benefits of a private right of action).
222. MASS. GEN. LAWS ch. 93A, § 9 (2006).
223. Hershenow v. Enter. Rent-A-Car Co., 840 N.E.2d 526, 533 (Mass. 2006). Prior to
the 1979 amendment, the court had held that a loss of money or property was needed to
bring a claim under section 9 of chapter 93A. Baldassari v. Pub. Fin. Trust, 337 N.E.2d 701,
708 (Mass. 1975), superseded by statute, St. 1979, c. 406, § 1, as recognized in Leardi v.
Brown, 474 N.E.2d 1094, 1100 n.8 (Mass. 1985). The statute, St. 1979, c. 406, § 1, was later
codified in the Massachusetts General Laws at ch. 93A, § 9(1). Id.
224. Hershenow, 840 N.E.2d at 534 (quoting Leardi, 474 N.E.2d at 1101).
225. Compare MASS. GEN. LAWS ch. 93A, § 2(a) (declaring that businesses may not
engage in unfair or deceptive practices), with MASS. GEN. LAWS ch. 93H, § 2 (Supp. 2007)
(requiring businesses to follow safeguard regulations promulgated by the Massachusetts
consumers. 226 Finally, the similarity between the statutes is also evidenced
by the fact that both seek to protect consumers from crimes that can
cause both economic and noneconomic injuries. 227 Based on these
similarities, it appears that 93A and 93H share the common goal of
consumer protection, and it therefore seems paradoxical, or at least inconsistent,
that 93H does not also contain a private right of action.
unauthorized purpose. 233 The majority approach regards any injury caused
by the unauthorized use of another's personal information as too
speculative to constitute an actual injury, because the harm is contingent
upon the future conduct of a third actor. 234 The effect of this analysis is
twofold. First, it allows the court to reject the possibility that a business's
failure to safeguard personal information caused or gave rise to any
subsequent unauthorized use by a third party. Second, it allows the court to
reject the argument that the initial theft of the personal information itself caused
the victim to incur an injury, or to incur costs associated with preventing
identity theft. Instead, the majority approach treats any future
misconduct by a third party as speculative, and any preventive costs
incurred as anticipatory to a possible, but not yet certain, future harm. 235 By
excluding the initial theft from the legal analysis, the majority approach
ignores the fact that the risks and harms of identity theft do not necessarily
materialize immediately after the initial theft, but can instead linger for a
considerable time before the victim discovers them.
The Massachusetts Appeals Court, in Kuhn v. Capital One
Financial Corp., recognized that "the value of the time spent in seeking
to prevent or undo the harm caused by the tortious conduct of another" is a
recoverable injury. 236 Unlike the majority approach, the Kuhn court and the
minority position described above recognized that the theft of an
individual's personal information can give rise to foreseeable risks. 237 The
inclusion of the initial theft in the analysis of whether the plaintiff incurred
an injury is specifically what allowed the Kuhn and Bell courts to recognize time
lost to preventing identity theft as an actual injury. 238 This approach
recognizes the reality that even though the harm caused by identity theft
does not necessarily materialize immediately after the initial theft of the
personal information, it is nevertheless caused by that initial theft. The
injuries alleged by the plaintiffs in In re TJX all followed from the initial
breach, which occurred in July of 2005. Therefore, under Kuhn and the
minority approach, those injuries should be recognized as actual injuries.
Once a court recognizes that the risk of identity theft gives rise to foreseeable
injuries, it can allow the plaintiff's negligence claim to go forward.
CONCLUSION
Since the announcement of the TJX incident and the passage of 93H,
identity theft has victimized Massachusetts residents on several further
occasions. Two notable incidents are the theft of a list containing the
Social Security numbers of some 480 seniors 239 and the theft of student
identification information used to obtain admission to Harvard. 240 In fact,
in 2007 alone, 4,292 Massachusetts residents reported being victims of
identity theft, about a five percent increase from the 4,102
incidents reported in 2006. 241
The state legislature enacted 93H to combat incidents like the TJX
security breach and the two later examples above. 242 Though helpful
in mitigating some of the damage caused by identity theft, the notification
safeguards set forth in 93H are not sufficient to achieve the legislature's goal
of mitigating or preventing the harm caused by identity theft. 93H falls
short of its goal because a requirement to provide only notice neither shifts
the economic burden back to the business that failed to safeguard its
customers' personal information nor increases the potential loss
that a business may incur because of identity theft. Consequently, under
93H, businesses are not inclined to employ stricter security measures.
The fight against identity theft in Massachusetts can be strengthened
considerably by adopting, either through amendment or judicial decision, a
private right of action for Massachusetts citizens who are injured because
of a business's failure to safeguard the personal information it holds. A private right
of action contributes to deterring and preventing identity theft because it
encourages businesses to employ stronger security measures by shifting the
cost of identity theft away from consumers and back to businesses, and it
provides a means of recovery for the victims themselves. Adopting a
private right of action for Massachusetts citizens can be readily achieved as
well, since such a right is consistent with both the legislative intent of 93H
and the ruling in Kuhn v. Capital One Financial Corp. But until a private
right of action is recognized in Massachusetts, Massachusetts residents,
rather than the businesses they patronize that fail to safeguard their
customers' personal information, will continue to bear the full brunt of the
harm caused by identity theft.
239. Rachana Rathi, Mailed Flu Shot Lost; Probe on; Wellesley Elders' Names on
Roster, BOSTON GLOBE, Feb. 29, 2008, at B3, available at 2008 WLNR 4031539.
240. New England In Brief: Identity Theft Cited in Harvard Admission, BOSTON GLOBE,
Feb. 5, 2008, at B2, available at 2008 WLNR 2171307.
241. Kytja Weir, This Year, Get Obsessed With Shredding, BOSTON GLOBE, Feb. 24,
2008, at K2, available at 2008 WLNR 3827635.
242. See supra Part I.B (discussing the passage of 93H); notes 239-240 and
accompanying text.