Juana Curry and William Moore, customers of AvMed Insurance, took care to protect their private information. They destroyed mail that contained sensitive data and avoided uploading any such information online. Despite their care, they both became victims of identity theft. Unknown identity thieves opened bank accounts in Curry’s name and changed her home address with the U.S. Postal Service. Someone opened an E*Trade account in Moore’s name.

Curry and Moore blamed AvMed. About a year earlier, two unencrypted laptops containing the health information, Social Security numbers, names, addresses, and phone numbers of 1.2 million AvMed customers had been stolen from the company’s offices.

The plaintiffs sued AvMed for negligence, claiming the company breached it duty to keep customer information secure and this breach caused their identity theft. Curry and Moore argued that if it had not been for AvMed’s carelessness, they would not have been victims of identity theft. AvMed filed a motion to dismiss, arguing that the plaintiffs could not prove that the breach caused their injuries a year later.

Questions:

1. Was Avmed’s data breach the proximate cause of the identity theft?

2. Does this ruling mean that all hacked businesses will be held potentially liable for identity theft?

3. What are some of the ways you can protect yourself from identity theft?