The case, bought by Cornelius Allison, stemmed from an alleged security breach of the Aetna online job application database. The breach, which was announced by Aetna last May, caused it to send notification letters to 65 000 current and former employees telling them that personal information may have been exposed.
Allison, who worked for the company as an office assistant from 1998 until May 2005, applied for a customer service position at Aetna using its website. He uploaded his personal information and his resume.
According to the complaint filed in the lawsuit, Allison became aware last May of a breach in the job application website, when applicants reported receiving phishing emails from Aetna asking for additional personal information in response to job enquiries.
Aetna argued in the case that Allison's claim was invalid, because it merely speculated that there may have been material damage. "Courts have recognized that allegations of 'increased risk of harm' and related costs for preventative measures are not legally cognizable injuries." In short, Allison could not prove that any harm had been done.
The case was dismissed even though Allison contended that he had incurred out-of-pocket expenses, lost time, and an increased risk of identity theft. "Plaintiffs alleged injury or an increased risk of identity theft is far too speculative," the judge said in a decision. "Plaintiff's allegation that his personal information was even accessed is conjecture. Plaintiff never received the phishing email. In addition, defendants letter stated that they were unable to verify whether plaintiff's information was even accessed."
Allison had also admitted that only email addresses had been accessible in the breach, the court said. "At best, plaintiff has alleged a mere possibility of an increased risk of identity theft, which is insufficient for purposes of standing, and he certainly has not asserted a credible threat of identity theft."
The decision carries particular significance for future data breach cases bought by victims who cannot prove that their identities have been stolen.
Aetna's job application website contained the email addresses of 450 000 job applicants, along with the social security numbers of current and former employees. The social security numbers, telephone numbers for addresses, and employment histories of those who had been offered jobs by Aetna were also in the system.