United States District Court, N.D. Illinois, Eastern Division
AMBER J. STRAUTINS, individually and on behalf of all others similarly situated, Plaintiff,
TRUSTWAVE HOLDINGS, INC., Defendant
For Amber J Strautins, individually and on behalf of all others similarly situated, Plaintiff: Ben Barnow, LEAD ATTORNEY, Blake Anthony Strautins, Sharon Harris, Barnow and Associates, P.C., Chicago, IL; Richard Lyle Coffman, PRO HAC VICE, The Coffman Law Firm, Beaumont, TX.
For Trustwave Holdings, Inc., Defendant: Brian Patrick Kavanaugh, LEAD ATTORNEY, Matthew Joseph Martin, Kirkland and Ellis LLP, Chicago, IL.
MEMORANDUM OPINION AND ORDER
John J. Tharp, Jr., United States District Judge.
In late 2012, a hacker launched a cyber-attack on the South Carolina Department of Revenue (" SCDOR" ). In their initial disclosure of the attack, state officials announced that approximately 3.6 million Social Security numbers, 387,000 credit and debit card numbers, and tax records for 657,000 businesses had been exposed. Media reports called it potentially " the largest cyber-attack ever on a state government," putting " other states on high alert." 
Before the Court is a class action suit asserting claims arising from this cyber-attack. The plaintiff, Amber Strautins, has sued Trustwave Holdings, Inc. (" Trustwave" ), a Chicago-based data security company. According to its website, Trustwave " helps businesses fight cybercrime, protect data and reduce security risk."  One of Trustwave's clients is the SCDOR. Strautins alleges that Trustwave inadequately protected her personal identifying information (" PII" ), which was kept in the SCDOR's database. Trustwave's Motion to Dismiss Strautins' Amended Class Action Complaint is granted for the reasons discussed below.
Strautins filed South Carolina tax returns for calendar years 2007 through 2010. Am. Compl. ¶ 12. It is undisputed that in August and September 2012, a hacker cyber-attacked the SCDOR. Am. Compl. ¶ ¶ 14, 16, 17; Def.'s Mot. to Dismiss (Dkt. 30) (" Def.'s Mot.) at 2-3. The parties offer competing versions of how the attacks occurred, but for the most part the disputes are not material to Trustwave's challenges to the complaint and can be briefly summarized. Strautins alleges that hackers gained access to SCDOR data through " an exposed portal" on the SCDOR website. Am. Compl. ¶ ¶ 16-17. She further alleges that the hackers " stole and compromised" her PII and that of a putative class comprising of taxpayers who have filed South Carolina tax returns since 1998. Am. Compl. ¶ ¶ 3, 33.
Trustwave acknowledges that it has provided, and continues to provide, products and services to the SCDOR. Def.'s Mot. at 2. It argues, however, that the data breach was not accomplished through an " exposed portal" on SCDOR's website " or other external vulnerability," but rather was accomplished with authorized user credentials obtained from a " phishing" email sent to, and apparently opened by, a SCDOR employee. Id. at 3-4. More significantly, with respect to the issues presented by its motion, Trustwave takes issue with Strautins' claim that all of the data potentially exposed during the attacks was actually " stolen and compromised," arguing that the complaint lacks allegations to support that conclusion, asserting that most of the credit card numbers affected were encrypted, and pointing to media reports suggesting that only tax data of electronic filers was exposed. Id. at 4. Unlike the question of how the attack occurred, the dispute over what actually occurred during the attack matters to the disposition of the defendant's motion and is discussed in greater detail below.
After discovery and disclosure of the cyber-attack, SCDOR announced that it would provide notice to taxpayers whose PII may have been disclosed during the attack. In the meantime, the state set up a website and toll-free hotline for taxpayers to determine if their data was compromised. South Carolina also offered free credit monitoring and protection services, identity-theft insurance, and lifetime credit-fraud resolution to affected individuals. Trustwave emphasizes that Strautins admits that she has not received notice that her data was compromised and that she does not allege that she has used the website or hotline to confirm whether her PII was compromised in the breach. Am. Compl. ¶ 12 (" To date, Plaintiff Strautins has not received formal notification from either Trustwave or SCDOR regarding the Data Breach." ); Def.'s Mot. at 5.
Strautins accuses Trustwave of " fail[ing] to adequately safeguard, protect and monitor SCDOR's computer systems" and of " fail[ing] to discover and timely report" the data breach " even though it allegedly scanned SCDOR's computer systems on September 14, 2012, and on October 14, 2012." Am. Compl. ¶ ¶ 25-26. She maintains that Trustwave's actions " and/or inaction" as well as the data breach have placed the other class members and her at an " imminent, immediate and continuing increased risk of identity theft and identity fraud," and that they " will now be required to take the time and effort to mitigate the actual and potential impact of the Data Breach on their lives ...." Id. ¶ ¶ 7, 33. On behalf of a putative class comprising " all individuals and businesses who filed ... a South Carolina tax return for any year from 1998 through and including 2011," id. ¶ 44, Strautins asserts claims against Trustwave for: (1) willful violation of the Fair Credit Reporting Act (Count I); (2) negligent violation of the Fair Credit Reporting Act (Count II); (3) negligence (Count III); (4) invasion of privacy by public disclosure of private facts (Count IV); and (5) breach of contract -- third party beneficiary (Count V). Id. ¶ ¶ 55-88.
Trustwave moves to dismiss Strautins' First Amended Complaint for lack of standing pursuant to Federal Rule of Civil Procedure 12(b)(1). Alternatively, it moves for dismissal pursuant to Rule 12(b)(1) for failure to state a claim.
" In essence the question of standing is whether [Strautins] is entitled to have the court decide the merits of the dispute or particular issues." See Apex Digital, Inc. v. Sears, Roebuck & Co., 572 F.3d 440, 443 (7th Cir. 2009) (citations and quotations ...