Regina A. RANDOLPH, et al., Appellants,
v.
ING LIFE INSURANCE AND ANNUITY COMPANY, Appellee.
No. 07-CV-791.
District of Columbia Court of Appeals.
Argued December 4, 2008. Decided June 18, 2009.
*704 Gregory L. Lattimer, Washington, DC, for appellants.
Juan P. Morillo, Washington, DC, with whom Stephen M. Nickelsburg and Sarra Cho were on the brief, for appellee.
Before KRAMER and THOMPSON, Associate Judges and FARRELL, Senior Judge.[*]
THOMPSON, Associate Judge:
Appellants in this case are seven current or retired District of Columbia employees whose personal information related to their participation in an employee deferred compensation plan administered by ING Life Insurance and Annuity Company ("ING") was stored on a laptop computer that was stolen from an ING employee's home. Citing a "substantial risk" of identity theft and other dangers from the possible unauthorized use of their personal information, appellants sued ING for damages and other relief.[1] The Superior Court dismissed the suit for lack of standing. We affirm the order of dismissal.
I.
On June 11, 2006, an ING agent's home was burglarized. Among the items stolen during the burglary was the agent's personal laptop computer, onto which he had downloaded, allegedly without encryption or password protection, personal information (including Social Security numbers) of participants in the "District of Columbia 457 Deferred Compensation Plan."[2] ING *705 provides investment advice, administrative services and recordkeeping with respect to the deferred compensation plan.
On or about June 19, 2006, ING notified the District about the computer theft. ING also began alerting affected participants individually, communicating to them instructions about how to enroll in a complimentary credit-monitoring service for which ING would pay. Not satisfied with ING's response to the situation, appellants filed suit in the Superior Court on June 27, 2006. They claimed, inter alia, that ING failed "to establish and enforce appropriate... safeguards to ensure the security and confidentiality of records." The counts of the complaint advanced several common-law theories of recovery, including negligence, gross negligence, and invasion of privacy.
ING removed the case to the United States District Court for the District of Columbia on the basis of diversity and thereafter filed a motion to dismiss on the grounds of lack of standing, failure to state a claim, and mootness. The District Court (the Honorable Colleen Kollar-Kotelly) concluded that appellants had failed to establish Article III standing and therefore remanded the case to the Superior Court pursuant to 28 U.S.C. § 1447(c). Appellants then amended their complaint, adding both common-law and statutory causes of action. As amended, the complaint alleges negligence, gross negligence, breach of fiduciary duty, willful violation of appellants' right of privacy, and violations of D.C.Code §§ 1-626.13 and 1-741 (describing the responsibilities of trustees and other fiduciaries of certain District employee retirement plans). ING moved to dismiss the amended complaint for lack of standing, failure to state a claim, and mootness. (App. 15-18.) Reaching only the first of those issues and reasoning that appellants "cannot allege an injury in fact," the Superior Court (the Honorable Frederick Weisberg) dismissed the amended complaint for lack of standing in an order dated June 13, 2007.[3] This appeal followed.
II.
"Whether appellants have standing is a question of law which we consider on appeal de novo." Board of Dirs., Wash. City Orphan Asylum v. Board of Trs., Wash. City Orphan Asylum, 798 A.2d 1068, 1074 (D.C.2002). Because our review is de novo, "we are not limited to reviewing the legal adequacy of the grounds the trial court relied on for its ruling; if there is an alternative basis that dictates the same result, a correct judgment must be affirmed on appeal." Nicola v. Washington Times Corp., 947 A.2d 1164, 1176 n. 9 (D.C.2008) (quoting Kerrigan v. Britches of Georgetowne, Inc., 705 A.2d 624, 628 (D.C.1997)).
III.
"[S]tanding requirements are met when a party demonstrates (1) an injury in fact, (2) a causal connection between the injury and the conduct of which the party complains, and (3) redressability, i.e., that it is likely that a favorable decision will redress the injury." Riverside Hosp. v. District of Columbia Dep't of Health, 944 A.2d 1098, 1104 (2008) (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992) (internal quotation *706 marks and ellipses omitted)).[4] Injury-in-fact involves the "invasion of a legally protected interest which is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical." Miller v. Bd. of Zoning Adjustment, 948 A.2d 571, 574 (D.C.2008) (citations omitted).
Judge Weisberg reasoned that appellants' complaint failed to allege the type of concrete injury that was necessary for them to have standing to pursue their common-law claims. He summarized the deficiencies in the amended complaint as follows:
Plaintiffs allege, in the light most favorable to them, that they are more vulnerable to identity theft now that their personal data [have] fallen into the hands of the thief of the computer or one who receives it from the thief, and the Plaintiffs who are police officers allege that their home addresses may be compromised, subjecting them to possible threats or violence. No Plaintiff alleges that his or her identity has in fact been stolen or used, and no police officer Plaintiff alleges that his or her residence has been revealed or threatened in any way. The most Plaintiffs can claim is that they are worried that these harmful events may occur and that they have "incurred or will incur actual damages" to protect their credit or to repair any damage if it occurs.
June 13, 2007 Order at 6 (footnote omitted). Judge Weisberg continued:
[F]or all anyone knows at this time, there has not been any exposure of Plaintiffs' personal information. Even if the information was not password protected, as Plaintiffs allege, it is at least possible that the thief kept the computer or passed it to someone who erased it of its hard drive and memory to make it more pristine for resale. Unless and until any of the stored information is actually used, it is impossible to know whether Plaintiffs will ever suffer any real, as opposed to imagined, injury.
Id. at 6 n. 4 (emphasis in the original). Judge Weisberg concluded that "[f]ear of future harm, even if reasonable, is simply not the kind of concrete and particularized injury, or imminent future injury" that "suffice[s] to confer standing." Id. at 6.
As Judge Weisberg noted, in addition to the District Court for the District of Columbia (in its ruling on appellants' original complaint), a number of courts presented with risk-of-identity-theft claims have similarly ruled that plaintiffs lacked the requisite injury to establish standing to sue where they could not allege that any unauthorized use of their personal information had already occurred.[5] In light of the *707 Supreme Court's reasoning in Doe v. Chao, 540 U.S. 614, 124 S.Ct. 1204, 157 L.Ed.2d 1122 (2004), we question the approach that these courts have taken.[6] Although citing the "traditional understanding that tort recovery requires ... proof of some harm for which damages can reasonably be assessed," the Doe court acknowledged that "[t]raditionally, the common law has provided [privacy tort] victims with a claim for `general damages,' which for privacy torts ... are presumed damages: a monetary award calculated without reference to specific harm." Doe, 540 U.S. at 621, 124 S.Ct. 1204 (citing 3 Restatement of Torts § 621 (1938); 4 id., § 867 (1939)). Against that background, the Doe court recognized that a plaintiff alleging a breach of privacy in violation of the federal Privacy Act has Article III standing to sue where the harm he alleges is no more than that he is "`greatly concerned and worried' because of the disclosure of his Social Security number and its potentially `devastating' consequences."[7] Doe, 540 U.S. at 641, 124 S.Ct. 1204 (Ginsburg, J., dissenting) (explaining that the reasoning of the Doe majority was that plaintiff Doe had "standing to sue," but simply could not succeed on his Privacy Act claim unless he had incurred an out-of-pocket expense (because, in the majority's words, 540 U.S. at 622, 124 S.Ct. 1204, "Congress cut out the very language in the bill that would have authorized any presumed damages" for a statutory violation)).
As the Supreme Court has observed elsewhere, standing "often turns on the nature and source of the claim asserted." Warth v. Seldin, 422 U.S. 490, 500, 95 S.Ct. 2197, 45 L.Ed.2d 343 (1975) (explaining also that "[t]he actual or threatened injury required by Art. III may exist solely by virtue of `statutes creating legal rights, the invasion of which creates standing...'"). Here, the amended complaint presents a mixture of theories of liability. For example, appellants allege that "as a result of ING's breach of fiduciary duty[,] their right to privacy was violated." Given the overlapping tort causes of action and the mixed common-law and statutory grounds for action that appellants asserted in their amended complaint, we think that, rather than an analysis of standing (the test for which, the opinion in Doe suggests, is fairly easily satisfied), the better approach toward resolving ING's motion to dismiss is to analyze whether the amended complaint succeeded in stating a claim as to any or all of appellants' various theories of liability. See District of Columbia v. Acme Reporting Co., 530 A.2d 708, 712 (D.C.1987) (this Court is "free to sustain the trial court judgments on grounds different from those on which the *708 trial court relied"). We proceed to such an analysis.
IV.
Negligence and gross negligence. To maintain an action for negligence, a plaintiff must allege more than speculative harm from defendant's allegedly negligent conduct. "[S]peculative harm, or the threat of future harm, not yet realized, does not suffice to create a cause of action for negligence." In re Estate of Curseen v. Buchanan Ingersoll, P.C., 890 A.2d 191, 194 (D.C.2006) (emphasis in the original) (citation omitted). Here, as Judge Weisberg found, no "Plaintiff alleges that his or her identity has in fact been stolen or used, and no police officer Plaintiff alleges that his or her residence has been revealed or threatened in any way." June 13, 2007 Order at 6. Rather, appellants allege that "these harmful events may occur."[8] Id. We also agree with Judge Weisberg that, to the extent that appellants allege actual harm from expenses they have incurred to undertake credit monitoring or other security measures to guard against possible misuse of their data, they have alleged an injury that is "not the result of any present injury, but rather the [result of] the anticipation of future injury that has not materialized." Id. at 7 (quoting Randolph v. ING Life Ins. & Annuity Co., 486 F.Supp.2d at 8; see also Shafran v. Harley-Davidson, 07 Civ. 01365(GBD), 2008 WL 763177, *3, 2008 U.S. Dist. LEXIS 22494, *8-9 (S.D.N.Y. Mar. 24, 2008)) (explaining that "[c]ourts have uniformly ruled that the time and expense of credit monitoring to combat an increased risk of future identity theft is not, in itself, an injury that the law [of negligence] is prepared to remedy"). Accordingly, with respect to appellants' negligence and gross negligence counts, we conclude that the amended complaint failed to state a claim.[9]
*709 Common-law breach of fiduciary duty. For much the same reason, appellants' common-law breach-of-fiduciary-duty count also fails to state a claim. "[B]reach of fiduciary duty is not actionable unless injury accrues to the beneficiary or the fiduciary profits thereby." Beckman v. Farmer, 579 A.2d 618, 651 (D.C.1990) (quoting Day v. Avery, 548 F.2d 1018, 1029 n. 56 (D.C.Cir.1976), for the proposition that "since neither injury to appellant nor profit to any appellee can be shown to flow from any nondisclosure complained of, appellant's allegation of breach of a fiduciary duty by nondisclosure must also fail").[10] Assuming without deciding that ING had a fiduciary duty to appellants, we conclude that appellants' allegations about the risk of identity theft, and about danger from the possible disclosure of police officers' addresses to those who may harbor ill-will toward police, do not state the type of injury required to maintain a suit for common-law breach of fiduciary duty.[11]
*710 Invasion of privacy. Count II of the amended complaint alleges a "willful and intentional failure [by ING] to establish appropriate safeguards to ensure the privacy and security of District of Columbia employee records ... in violation of [appellants'] clearly established right of privacy." At least arguably, this Count alleges common-law invasion of privacy, a tort that the District of Columbia "has long recognized." Vassiliades, supra n. 11, 492 A.2d at 587. Among the invasions that may constitute this tort are "public disclosure of private facts" and "intrusion upon one's solitude or seclusion." Danai v. Canal Square Assocs., 862 A.2d 395, 400 n. 3 (D.C.2004) (citing Wolf v. Regardie, 553 A.2d 1213, 1216-17 (D.C.1989)); Vassiliades, 492 A.2d at 587 (citing Peay v. Curtis Pub. Co., 78 F.Supp. 305, 309 (D.D.C.1948)) ("[a] person who unreasonably and seriously interferes with another's interest in not having his affairs known to others ... is liable to the other"); Restatement 2d of Torts § 652B (1977) ("One who intentionally intrudes... upon the ... seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person").
Section 652D of the Restatement explains, in comment c, that "[t]he protection afforded to the plaintiff's interest in his privacy must be relative to the customs of the time and place...." Because "[m]odern life ... has created novel situations, that in turn gave rise to the problem of protecting the individual who desires ... freedom from intrusion into his private life as well as from undue and undesirable publicity," Peay, 78 F.Supp. at 309, the common law must be "constantly molded and adjusted to meet changing conditions." Id. In this age of identity theft and other wrongful conduct through the unauthorized use of electronically-stored data, we have little difficulty agreeing that conduct giving rise to unauthorized viewing of personal information such as a plaintiff's Social Security number and other identifying information can constitute an intrusion that is highly offensive to any reasonable person, and may support an action for invasion of privacy (irrespective of whether the plaintiff alleges that economic or other resultant injuries have already come to pass).[12] Cf. Danai, supra, 862 A.2d at 400 *711 n. 4 (explaining that "examining a plaintiff's private bank account" or "other invasions of that nature" are among the types of invasion that may constitute tortious invasion of privacy) (citing Wolf, supra, 553 A.2d at 1217-18); Restatement 2d of Torts § 652B, comment b ("The intrusion itself makes the defendant subject to liability, even though there is no publication or other use of any kind of the ... information"); Vassiliades, supra, 492 A.2d at 587 ("a cause of action for the invasion of privacy `represents a vindication of the right of private personality and emotional security'" (emphasis added)) (quoting Afro-American Pub. Co. v. Jaffe, 366 F.2d 649, 653 (D.C.Cir.1966)).
We nonetheless affirm the dismissal of appellants' invasion-of-privacy count, because the amended complaint fails to allege all of the elements of the tort of invasion of privacy. First, in this jurisdiction, invasion of privacy is an intentional tort. See Heard v. Johnson, 810 A.2d 871, 881 n. 5 (D.C.2002); see also Bailer v. Erie Ins. Exch., 344 Md. 515, 687 A.2d 1375, 1381 (1997) ("The tort [of invasion of privacy] cannot be committed by unintended conduct amounting merely to lack of due care").[13] Notwithstanding appellants' claim that ING's "willful and intentional" conduct violated their right of privacy, the allegations of the complaint (e.g., the failure to establish safeguards to protect employee records) do not appear to allege intentional conduct.[14]
But even if the amended complaint sufficiently alleges intentional conduct, there is an additional reason why appellants' allegations fail to state a claim for common-law invasion of privacy. An essential element of the tort (whether the focus is on "intrusion upon ... seclusion" or "public disclosure of private facts") is that private facts must be accessed or publicly disclosed. See Vassiliades, supra, 492 A.2d at 588 (observing that, in that case, "[t]he nature of the publicity ensured that it would reach the public"). Here, as the Superior Court recognized, appellants' amended complaint makes no allegations about what happened to the data on the stolen laptop computer. As Judge Weisberg suggested, it is possible that the thief unloaded the computer without ever accessing appellants' data or that the thief or whoever later took possession of the computer deleted the data from the hard drive without ever scrolling through it.[15] Without an allegation that the data involved here were disclosed to and viewed by someone unauthorized to do so, appellants *712 have failed to state a claim for invasion of privacy.[16]
Statutory counts. The remaining counts of the amended complaint allege that ING's failure to safeguard appellants' "457 Deferred Compensation" personal information gives appellants a cause of action arising under D.C.Code §§ 1-626.13 and 1-741. Section 1-626.13 describes the duty of fiduciaries "with respect to the Trust" to discharge their duties "[w]ith the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent individual acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims." Id., § 1-626.13(a)(2). Section 1-741 describes the same duty of fiduciaries "with respect to the Fund." Id., § 1-741(a)(2)(B).
As Judge Weisberg recognized, the "Trust" to which section 1-626.13 refers is "the Section 401(a) Trust established by [D.C.Code] § 1-626.11," the entity into which the District places funds of the defined contribution plan described in D.C.Code § 1-626.05(3). See D.C.Code §§ 1-626.04(7) and -626.11(a) (2001). The term "Fund" to which section 1-741 refers holds the retirement funds described in D.C.Code §§ 1-712, -713, and -714. See D.C.Code § 1-702(10) (2001). We agree with Judge Weisberg that neither the "Trust" nor the "Fund" appears to be the § 457 Deferred Compensation fund as to which (according to the amended complaint) ING held appellants' personal data. D.C.Code § 1-626.05(2) describes "an employee deferred compensation plan pursuant to § 457 of the Internal Revenue Code" that appears to be distinct from both the section 401(a) "Trust" and from the retirement funds that constitute the "Fund," whose fiduciaries have the duties described in D.C.Code §§ 1-626.13 and 1-741. It follows that, although D.C.Code § 1-626.14 permits a "participant or beneficiary of the Trust" to bring a civil action for "appropriate legal and equitable relief" with respect to an act or practice that violates any provision of this chapter (D.C.Code §§ 1-601.01 et seq.), section 1-626.14 does not create a right of action relating to the "457 Deferred Compensation Plan."[17] Furthermore, as we held in Thomas v. District of Columbia, 942 A.2d *713 1154 (D.C.2008), section 1-624.14 does not authorize a civil action to recover damages for personal injury or other consequential damages. 942 A.2d at 1159.
A similar analysis applies with respect to D.C.Code § 1-747. Section 1-747 permits a "beneficiary" or "participant" to bring a civil action to obtain redress and appropriate relief with respect to "any act or practice that violates any provision of this chapter [D.C.Code §§ 1-701 et seq.]" (emphasis added). Thus, section 1-747 does not appear to create a right of action relating to the "457 Deferred Compensation Plan" described in D.C.Code § 1-626.05(2). Appellants' argument is that section 1-747 does not limit a plan participant's right of action to "enforce the terms of a retirement program," D.C.Code § 1-747(a)(3)(B)(ii), to programs described in section 1-701 through 1-753. Even if we assume that this interpretation is correct and that section 1-747 applies to claims arising out of the 457 Deferred Compensation Plan, we still would conclude that the provision does not give appellants a cause of action for redress of their concerns about identity theft. Section 1-747 is virtually identical to a counterpart civil enforcement provision contained in section 502(a) of the Employee Retirement Income Security Act of 1974 ("ERISA"), 29 U.S.C. § 1132 (2009). In Massachusetts Mutual Life Ins. Co. v. Russell, 473 U.S. 134, 105 S.Ct. 3085, 87 L.Ed.2d 96 (1985), the Supreme Court rejected the view that 502(a) gives plan beneficiaries a private right of action for compensatory or punitive relief or other "extracontractual damages" (such as damages for mental distress occasioned by a delay in payment) that go beyond recovery of plan benefits wrongfully withheld or denied. See 473 U.S. at 144, 105 S.Ct. 3085. Appellants have suggested no reason why we should adopt a more expansive interpretation of the authority that D.C.Code § 1-747 confers on plan participants and beneficiaries to obtain relief with respect to the "terms of a retirement program." D.C.Code §§ 1-747(a)(1)(B), (a)(3)(A), and (a)(3)(B)(ii). 
We decline to construe section 1-747 to establish a statutory private right of action to sue for damages for conduct creating a risk of identity theft.
For the foregoing reasons, we affirm the judgment of the Superior Court dismissing the amended complaint.
So ordered.
NOTES
[*] Judge Farrell was an Associate Judge, Retired, at the time of the argument. His status changed to Senior Judge on January 23, 2009.
[1] The appellants are Regina Randolph, Tony Giles, Tonia Robinson, Darlene Fields, Marthine Bartee, Don Pope, and Tamonica Heard. Appellants purport to represent a class of approximately 13,000 similarly situated employees. Some of the appellants are police officers, who allege that their "private personnel information could be used to find out where police personnel live."
[2] Originally this cause was filed in the U.S. District Court for the District of Columbia, which dismissed it for lack of standing. See the discussion infra. The federal District Court for the District of Columbia found, and the parties appear to agree, that there is no evidence that the burglary was undertaken for the specific purpose of obtaining the information on the laptop.
[3] Judge Weisberg did not treat Judge Kotelly's ruling as the law of the case, but instead conducted his own analysis of standing, because "Judge Kotelly did not decide whether Plaintiffs have standing to sue in the Article I courts of the District of Columbia," June 13, 2007 Order at 3 n. 1, and because Judge Kotelly had not ruled with respect to the amended complaint.
[4] Although the standing requirements of Article III of the U.S. Constitution do not govern the jurisdiction of our courts, we generally "look to federal jurisprudence to define the limits of `cases and controversies' that our enabling statute empowers us to hear." Community Credit Union Servs., Inc. v. Federal Express Servs. Corp., 534 A.2d 331, 333 (D.C. 1987).
[5] See Randolph v. ING Life Ins. & Annuity Co., 486 F.Supp.2d 1, 8 (D.D.C.2007) (holding that plaintiffs lacked standing because their allegations "amount to mere speculation that at some unspecified point in the indefinite future they will be the victims of identity theft" and "therefore fail to allege an injury in fact"); Bell v. Acxiom Corp., No. 4:06CV00485-WRW, 2006 WL 2850042, *2-3, 2006 U.S. Dist. LEXIS 72477, *8-11 (E.D.Ark. Oct.3, 2006) (dismissing for lack of standing because, through her allegations of increased risk of identity theft from a security breach affecting customer marketing data, plaintiff sought protection against "harm that is speculative" and "potential future injury"); Key v. DSW, Inc., 454 F.Supp.2d 684, 688-90 (S.D.Ohio 2006) (dismissing plaintiff's action for lack of standing because the facts alleged, that a security breach allowed unauthorized individuals to obtain plaintiff's personal financial information, created "only the possibility of harm at a future date"); Giordano v. Wachovia Sec., LLC, No. 06-476(JBS), 2006 WL 2177036, *4, 2006 U.S. Dist. LEXIS 52266, *12 (D.N.J. July 31, 2006) (dismissing for lack of standing where plaintiff, whose individual retirement account information was included on a printout that was lost during transit, claimed at best "hypothetical future injuries").
[6] In Doe, plaintiff, a claimant who had sought black lung benefits from the Department of Labor Office of Workers' Compensation Programs, alleged that the agency had violated the federal Privacy Act by issuing, and sending to multiple claimants, multi-captioned hearing notices that contained the Social Security number of each claimant.
[7] See also Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629, 634 (7th Cir.2007) (disagreeing with courts that have held that "plaintiffs whose data has been compromised, but not yet misused, have not suffered an injury-in-fact sufficient to confer Article III standing," and holding that "the injury-in-fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would otherwise have faced").
[8] As Judge Weisberg correctly noted, appellants' putative class-representative status does not save their amended complaint: "before one may sue for damages on behalf of others, whether the `others' are members of an organization or a class of consumers, he must show injury to himself." June 13, 2007 Order at 5 (quoting Consumer Fed'n of America v. Upjohn Co., 346 A.2d 725, 729 n. 11 (D.C.1975)).
[9] Our conclusion is in accord with the reasoning of other courts that have dismissed similar negligence actions for failure to state a claim, or have entered summary judgment for defendants, in the absence of allegations of present injury to plaintiffs. See, e.g., In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., No. 2:08-MD-1954, 2009 WL 1325056, *12, 2009 U.S. Dist. LEXIS 41300, *59 (D.Me. May 12, 2009) (concluding, in a case in which a third party stole electronic data from a merchant, that consumers who did not have a fraudulent charge actually posted to their account and had only "the emotional distress that their accounts might be in peril" could not proceed against merchant for negligence); Ruiz v. Gap, Inc., No. 07-5739 SC, 2009 WL 941162, 2009 U.S. Dist. LEXIS 28894 (N.D.Cal. Apr. 6, 2009) (entering summary judgment on negligence claim where plaintiff had experienced no instance of identity theft from theft of merchant's laptop computers containing job applicant data); Belle Chasse Auto. Care, Inc. v. Advanced Auto Parts, Inc., No. 08-1568, 2009 WL 799760, *3, 2009 U.S. Dist. LEXIS 25084, *8 (E.D.La. Mar. 24, 2009) (noting that state law did not recognize "a negligence cause of action based on identity theft that does not yield actual harm"); Shafran, supra, 2008 WL 763177, *3, 2008 U.S. Dist. LEXIS 22494, *8-9 (concluding that plaintiff's negligence and breach of fiduciary duty claims based on loss of computer containing plaintiff's personal data failed as a matter of law because plaintiff's alleged injuries "are solely the result of a perceived and speculative risk of future injury that may never occur"); Caudle v. Towers, Perrin, Forster & Crosby, Inc., 580 F.Supp.2d 273 (S.D.N.Y.2008) (granting summary judgment on negligence and breach of fiduciary duty claims in case where laptop with plaintiff's personal information was stolen from the office of defendant pension consultant, because there was no evidence that plaintiff's data had been accessed or used by anyone as a result of the theft, nor was there any evidence that the data of any similarly situated person had been accessed or used); Melancon v. Louisiana Office of Student Fin. Assistance, 567 F.Supp.2d 873 (E.D.La.2008) (mere possibility that personal student financial aid information may have been at increased risk did not constitute actual injury sufficient to maintain a claim for negligence); Stollenwerk v. Tri-West Health Care Alliance, 254 Fed.Appx. 664 (9th Cir.2007) (upholding grant of summary judgment for defendant where plaintiffs, whose personal information was on defendant's stolen computer hard drives, "produced evidence of neither significant exposure of their information nor a significantly increased risk that they will be harmed by its misuse"); Kahle v. Litton Loan Servicing LP, 486 F.Supp.2d 705, 712 (S.D.Ohio 2007) (reasoning that standing was "not the question," but granting summary judgment against plaintiff, whose personal information in connection with a mortgage loan was on a stolen hard drive, because, with her merely speculative claims, plaintiff could not establish injury, an essential element of a negligence claim); Forbes v. Wells Fargo Bank, N.A., 420 F.Supp.2d 1018, 1021 (D.Minn. 2006) (granting summary judgment for defendants in negligence case premised on theft of bank's unencrypted customer information, because plaintiffs had shown "no present injury or reasonably certain future injury"); and Guin v. Brazos Higher Educ. Serv. Corp., No. 05-668 (RHK/JSM), 2006 WL 288483, *5-6, 2006 U.S. Dist. LEXIS 4846, *15-16 (D.Minn. Feb. 7, 2006) (holding that plaintiff could not sustain a claim for negligence where he failed to present evidence that his personal data was targeted or accessed by the burglars and where he had experienced no instance of identity theft or any other type of fraud involving his personal information).
[10] Wagman v. Lee, 457 A.2d 401 (D.C.1983), on which appellants rely, is not to the contrary. There, we affirmed a judgment for plaintiff on a claim of breach of fiduciary duty where seller, who acted as escrow agent, misused plaintiff buyer's deposit to facilitate sale to a substitute purchaser.
[11] The amended complaint does not include a count alleging breach of a confidential relationship, but, as Judge Weisberg noted, appellants have argued that this tort is a form of breach of fiduciary duty and that they should be permitted to proceed under that cause of action, as described in cases such as Vassiliades v. Garfinckel's, Brooks Bros., 492 A.2d 580, 591 (D.C.1985); Suesbury v. Caceres, 840 A.2d 1285, 1287 (D.C.2004); and Doe v. Medlantic Health Care Group, Inc., 814 A.2d 939, 950-51 (D.C.2003) (explaining that a claim for breach of a confidential relationship requires the "unconsented, unprivileged disclosure to a third party of nonpublic information that the defendant has learned within a confidential relationship"). Even if, arguendo, appellants' relationship with ING is the type of "special," confidential relationship, Vassiliades, supra, 492 A.2d at 591, covered by the holdings in these cases (all of which involved the disclosure of medical patient information), appellants do not allege that any third person not privileged to view their personal data actually did so. We agree with the trial court that "[s]haring of [appellants'] data ... between ING employees is a necessary part of the services ING provided," June 13, 2007 Order at 9 n. 5, and therefore that any viewing of appellants' data by the ING employee whose laptop computer was stolen is not the type of disclosure that would support an action for breach of a confidential relationship.
[12] ING notes that, in March 2007, the Mayor signed into law the District of Columbia "Consumer Personal Information Security Breach Notification Act of 2006," which requires any person conducting business in the District "who, in the course of such business, owns or licenses computerized or other electronic data that includes personal information, and who discovers a breach of the security of the system ... [to] promptly notify any District of Columbia resident whose personal information was included in the breach." D.C.Code § 28-3852 (2009). A provision of the same law states that "[a]ny District of Columbia resident injured by a violation of this subchapter may institute a civil action to recover actual damages, the costs of the action, and reasonable attorney's fees," but that "[a]ctual damages shall not include dignitary damages, including pain and suffering." Id., § 28-3853(a). ING points to these provisions as creating "incongru[ity]" if, by contrast, common law or other D.C.Code provisions were to be construed to permit a suit to recover damages such as appellants seek here. We note, however, D.C.Code § 28-3853(c) provides that "[t]he rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law." Id. (emphasis added). Accordingly, we do not read section 28-3853(c) as evidence that the public policy of the District of Columbia is to preclude a cause of action for invasion of privacy arising out of a security breach involving a plaintiff's personal information.
[13] But see Bailer, supra, 687 A.2d at 1389 (Chasanow, J., dissenting) (noting that "a number of jurisdictions recognize negligent invasion of privacy ... as a valid cause of action," and citing cases).
[14] Moreover, liability for invasion of privacy cannot be found where a plaintiff's injury resulted from the intervening actions of a third-party wrong-doer that were not foreseeable to the defendant. Cf. Black v. United States, 389 F.Supp. 529, 537 (D.D.C.1975) (reasoning that because intervening causes of injury were foreseeable, they would not preclude holding defendant liable for invasion of privacy); Guin, 2006 WL 288483, *6, 2006 U.S. Dist. LEXIS 4846 at *17-18 (citing authority that the criminal act of a third party is an "intervening efficient cause sufficient to break the chain of [proximate] causation" and reasoning that burglary of defendant's employee's laptop broke the causal link, needed for negligence liability, between the downloading of unencrypted "nonpublic customer data" onto the employee's laptop and any injury from disclosure of the data) (citations omitted).
[15] For the reason discussed in note 11 supra, any viewing of appellants' data by the ING employee whose laptop computer was stolen is not the type of disclosure that will support an action for invasion of privacy.
[16] Cf. Stollenwerk, supra, 254 Fed.Appx. at 666 (upholding grant of summary judgment for defendant where "the only proof of exposure [plaintiffs] have offered is the burglary itself"); Taylor v. Swartwout, 445 F.Supp.2d 98, 104 (D.Mass.2006) (a "claim for invasion of privacy is based on the disclosure of sensitive, private information, not the tortious or illegal acquisition thereof"); Pinero v. Jackson Hewitt Tax Serv., Inc., 594 F.Supp.2d 710, 721-22 (E.D.La.2009) (holding that where plaintiff alleged that her personal information was intentionally dumped in a public dumpster, with free access to any citizen, and defendants did not dispute that plaintiff's personal information was found in a dumpster and disclosed to a local news outlet, plaintiff had made sufficient allegations to state a claim for public disclosure of private facts); but cf. Parks v. Rainbow Rentals, Inc., 3:07-CV-648-H, 2008 WL 2325154, *3, 2008 U.S. Dist. LEXIS 43921, *7-8 (W.D. Ky. June 3, 2008) (holding, although it was "a close question," that where plaintiff alleged that furniture rental company posted on the outside of plaintiff's home copies of an account worksheet containing plaintiff's name, address, telephone number, and Social Security number and the words "Past Due," plaintiff stated a claim for invasion of privacy as described in Restatement § 652A, even though there was no evidence that anyone actually passed by plaintiff's home or saw the account worksheets, because the worksheets would have been visible to anyone passing by).
[17] We reject appellants' proffered interpretation that section 1-626.14 distinguishes between a "participant" on the one hand, and a "beneficiary of the Trust," on the other (such that a "participant" in any program, but only "beneficiaries" who are beneficiaries "of the Trust," are authorized to sue).