Cnet reports that an Arkansas federal judge threw out a class action claim against Acxiom Corp. (Acxiom) alleging negligence and invasion of privacy claims arising out of breaches of data housed by Acxiom. [Bell v. Acxiom Corp., 2006 U.S. Dist. LEXIS 72477 (Oct. 3, 2006)] The court ruled Plaintiff (whose data was allegedly compromised) failed to satisfy the standing requirement:
Plaintiff alleged that she suffered an increased risk of both receiving unsolicited mailing advertisements and of identity theft. In response, Defendant argues that both Plaintiff's alleged injuries are speculative -- Plaintiff has not plead that she has received a single marketing mailer or had her identity stolen. Moreover, several courts have held that the receipt of unsolicited and unwanted mail does not constitute actual harm. . . . Additionally, while there have been several lawsuits alleging an increased risk of identity theft, no court has considered the risk itself to be damage. . . .  Only where the plaintiff has actually suffered identity theft has the court found that there were damages.
The Court implicitly rejected the argument that the harm was in the disclosure itself.  (Isn't there a famous law review article that says this?)  It was unclear as to what information was exactly compromised, but the Complaint did not exactly plead Defendant’s failure to disclose this information as a separate claim.  In its opposition, Plaintiff cited to the recently enacted Arkansas Personal Information Protection Act (A.C.A. § 4-110-101).  The Court did not discuss this statute in its Order – perhaps understandably so, because it was not cited in the Complaint and because it was unclear as to whether it applied retroactively (the breaches occurred in 2001 and the statute was enacted in 2005).  Also, the statute only applies where a person’s name and either the social security number, driver’s license number, account or credit card information or medical information was compromised.  There was no allegation in the case that any of this type of information was involved.  Nevertheless, some bare bones treatment of the statute would have been nice.

I’m not sure what to think of this ruling.  On the one hand, the harm is arguably in the disclosure.  And doesn’t the Plaintiff suffer increased stress by having to worry about exactly what information was compromised and what identity theft issues may lurk in the future?  Shouldn’t Acxiom at least be forced to disclose to Plaintiff what information was compromised?  On the other hand . . . there is no other hand.  Why else would someone have gone through the trouble to obtain the information if they were not attempting to exploit it in some way?  

A tangential question is, why should Acxiom be allowed to allege it was damaged in one case (albeit a criminal matter involving the same hacker) but then turn around and deny that the Plaintiff whose data is compromised was harmed?  An Acxiom employee provided testimony in the related criminal matter that numerous expenditures (including $603,117.86 for the “client services team”) “were necessary ‘to give [its] clients every assurance that it wasn't simply Acxiom who was determining that [it] had responded wholly and completely, [it] needed a third party to help develop confidence in [its] clients that [it] had done so . . . .” [United States v. Levine, 2006 U.S. Dist. LEXIS 19337 (April 12, 2006)].  The “clients” of Acxiom are not Plaintiff (but rather companies such as State Farm Insurance).  Still, it’s tough to see how Acxiom is harmed and the Plaintiff is not.  

There are some procedural issues that potentially complicate, but an appeal is certainly possible in this case.  [via Overlawyered]
  • No trackbacks exist for this post.
  • No comments exist for this post.
Leave a comment

Submitted comments are subject to moderation before being displayed.

 Name (required)

 Email (will not be published) (required)


Your comment is 0 characters limited to 3000 characters.