With data security risk now ranked as their top legal concern (see “Top of the List”), general counsel are closely watching class action suits in which plaintiffs are claiming damages from the loss or theft of personal information.

Several cases have failed to survive the class certification phase because plaintiffs whose personally identifiable information (PII) had been compromised couldn't prove damages or directly tie the theft of their identity to a data breach. But an 11th Circuit ruling in September appears to have lowered the threshold. A divided panel in Resnick v. AvMed, Inc. reversed in part a district court's ruling denying class certification and dismissing the plaintiffs' claims.

Resnick grew out of the theft of two laptops from an AvMed office containing unencrypted PII of 1.2 million health care plan members, including protected health information, Social Security numbers and other contact information. The two named plaintiffs allege that they became victims of identity theft 10 and 14 months, respectively, after the laptop larceny. Although some of the PII used in the identity theft was the type of information contained on the laptops, the plaintiffs did not allege that the identity thieves directly obtained it from the laptops. They could not specify how the identity theft occurred, other than showing that someone had opened fraudulent accounts in their names.