Anita Ramasastry has a commentary on a recent federal court decision in a lawsuit against Express Scripts. She writes, in part:
Readers may wonder, Why didn’t the extortion letter make a difference in the Amburgy v. Express Scripts case? After all, didn’t the letter substantially strengthen the risk that a breach would occur?
Perhaps – but there are some caveats. First, it is unclear whether the extortionist was really in possession of huge volumes of data – or just had the information of the 75 people he mentioned. If he had more data, why didn’t he prove that somehow in the letter? Second, recall that the named plaintiff was not among those 75 people, making it unclear whether his risk was as high as theirs.
Ramasastry does not seem to be aware that in 2009, the extortionist contacted a lawyer and provided proof of possession of about 700,000 individuals’ data, requiring the company to send more notification letters. But even if that is the case, it’s not clear that the plaintiff, Amburgy, had his data obtained, which puts his claims in the realm of the hypothetical. It would have been interesting to see what the court would have done with a plaintiff who could demonstrate that their data was in the hands of an extortionist.