Strautins v. Trustwave Holdings, Inc.
27 F. Supp. 3d 871
N.D. Ill. 2014
Background
- In 2012 hackers breached the South Carolina Department of Revenue (SCDOR); the state announced that millions of SSNs and hundreds of thousands of card numbers were potentially exposed. Plaintiff Amber Strautins filed a putative class action against Trustwave Holdings, a contractor that provided security services to SCDOR.
- Strautins alleged Trustwave failed to safeguard SCDOR systems, failed to discover/timely report the breach, and that her PII was "stolen and compromised." She sued on behalf of taxpayers who filed SC returns 1998–2011. Claims: willful/negligent FCRA violations, negligence, public disclosure/invasion of privacy, and third-party-beneficiary breach of contract.
- Trustwave disputed both the breach vector (phishing vs. exposed portal) and whether Strautins’ data in fact was accessed; it noted many card numbers were encrypted and the state provided a hotline for individuals to check whether they were affected.
- Trustwave moved to dismiss for lack of Article III standing and, alternatively, for failure to state a claim. The court treated plaintiff’s factual allegations as entitled to inference but applied Clapper’s “certainly impending” standard for probabilistic injuries.
- The court held Strautins’ allegations of increased risk of future identity theft were too speculative to establish injury-in-fact under Clapper and found her complaint also failed to plausibly plead that her PII was actually stolen — a necessary predicate for all asserted causes of action.
- The court dismissed the complaint without prejudice and granted leave to replead within 28 days.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Article III standing based on increased risk of identity theft | Strautins: increased risk from breach and delayed/insufficient notice gives injury-in-fact | Trustwave: risk is speculative; no concrete or imminent injury alleged | Denied — risk of future identity theft is too speculative under Clapper’s “certainly impending” standard |
| Standing/pleading that plaintiff’s PII was actually accessed | Strautins: SCDOR press releases and scale of breach show her data was compromised | Trustwave: press release urged individuals to check hotline; breach did not necessarily include every filer and many card numbers were encrypted | Denied — complaint fails to plausibly allege Strautins’ data were “stolen and compromised”; allegations are merely consistent with, not plausibly showing, actual access |
| Sufficiency of FCRA claims against Trustwave | Strautins: Trustwave’s role assembling/security of data makes it liable under FCRA | Trustwave: not a consumer reporting agency and did not furnish consumer reports to third parties | Denied — plaintiff fails to allege statutory injury and Trustwave is not plausibly a consumer reporting agency; FCRA claim infirm and risk of Rule 11 problems |
| Failure-to-state-a-claim on negligence/privacy/breach theories | Strautins: Trustwave’s negligence/inaction caused privacy loss and mitigation costs | Trustwave: complaint lacks factual allegations showing actual compromise or resulting damages | Denied — each claim depends on actual data compromise which complaint does not plausibly allege; alternatively dismissed for failure to state a claim |
Key Cases Cited
- Clapper v. Amnesty Int'l USA, 133 S. Ct. 1138 (2013) (threatened injury must be “certainly impending” to confer Article III standing)
- Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629 (7th Cir. 2007) (Seventh Circuit recognized standing based on risk of future harm in data-breach context; court discussed tension with Clapper)
- Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007) (complaint must state a plausible claim to survive dismissal)
- Ashcroft v. Iqbal, 556 U.S. 662 (2009) (legal conclusions and conclusory allegations not entitled to presumption of truth; plausibility standard applies)
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) (Article III injury-in-fact must be concrete and particularized and actual or imminent)
- Kathrein v. City of Evanston, 636 F.3d 906 (7th Cir. 2011) (plaintiff bears burden to demonstrate standing; courts construe allegations in plaintiff’s favor)
