Tax season is quickly becoming peak season for cyber and data incidents. As seen during every recent tax season, last January the IRS issued warnings about fraudulent inducement scams where a corporate officer’s name is used to fraudulently request employee information from a company’s human resources department. While there are a number of examples of the data perils to avoid during tax season, a recent case illustrates that not every incident involving data or personal information constitutes a data breach incident. On February 20, 2018, the United States District for the Central District of California, found the claims in Lomelli v. Jackson Hewitt, Inc., 2:17-CV-02899-ODW (2018), did not constitute a data breach.
In Lomelli, the plaintiff claimed he was defrauded by the Jackson Hewitt, or more particularly, Jackson Hewitt’s agent, when his tax returns were first filed correctly with his approval and then again with additional expenses included without his approval which resulted in a fraudulent tax return being issued. The plaintiff also claimed that he was enrolled in an “Assisted Refund” program that charged him additional fees without his approval. Plaintiff was unaware of the fraudulent tax refunds until he received a cashier’s check for an amount different than he was expecting his tax refund to be and he learned that a bank account had been opened in his name which Jackson Hewitt was withdrawing fees without his consent.
Plaintiff filed a complaint based on allegations of fraud and that Jackson Hewitt’s agent’s filing of a fraudulent tax and violations of the California Customer Records Act (“CRA”), Cal. Civ. Code § 1798.80. The CRA provides a private right of action where a business fails to “disclose a breach of the security of the system following discovery or notification of the breach…in the most expedient time possible and without unreasonable delay.” Cal. Civ. Code § 1798.82.
Jackson Hewitt argued plaintiff’s CRA claims should be dismissed since plaintiff failed to allege a data breach by an unauthorized person that would have required notice under the statute. Rather, Jackson Hewitt took the position that the plaintiff authorized Jackson Hewitt and its agent to have access to his personal information in order to prepare his tax returns. Here, the District Court makes the distinction that the allegations are “not that the information was disclosed to an unauthorized person, but, rather, that the information included in his tax returns was unauthorized.” Based on this distinction, the District Court found these allegations do not constitute a violation under CRA and, therefore, Jackson Hewitt was entitled to judgment in its favor.
The District Court further held that plaintiff lacked standing to bring a viable claim under the CRA because his allegations were limited to harm that “may” occur in the future. In finding in favor of Jackson Hewitt on this point, the District Court rejected plaintiff’s position that he would not have returned to have his later tax returns prepared by Jackson Hewitt if he was notified of the disclosure of fraudulent information on the early returns.
This case demonstrates that while data breaches are becoming more frequent, not every disclosure constitutes a data breach. The District Court finds a distinction in the fact that plaintiff can only allege the misuse of his information rather than the disclosure of that information. Even though we may feel bad for the plaintiff in this case as he will need to unravel all the damage done by having fraudulent tax returns filed in his name, his allegations did not amount to a data breach.