Seventh Circuit Affirms Rejection of Data Breach Claims

In what is becoming a disappointing cycle for consumers and plaintiff’s lawyers, the Seventh Circuit last week affirmed dismissal of a class action seeking damages arising out of a data breach.  (Access a pdf version of the opinion here.)  (Previous discussion of the Acxiom case, Bell v. Acxiom Corp., 2006 U.S. Dist. LEXIS 72477 (Oct. 3, 2006) - where the plaintiffs lost due to lack of standing - here.)  The action was brought by customers of Old National Bancorp. 

Plaintiffs alleged that ONB had set up a website to “solicit . . . personal information from applicants for banking services, but had failed to secure [the site] adequately.”  A breach occurred – NCR, the hosting facility, notified ONB of the breach in 2005.  Plaintiffs filed suit in federal court under the Class Action Fairness Act, and alleged injuries and expenses owing to monitoring required to prevent future exploitation of the compromised information.  Plaintiffs did not allege any accrued direct financial losses – only the possibility of future losses, and of course, losses in the form of their personal data being compromised.  

The court looked to Indiana law and found that Indiana law did not support the theories advanced by plaintiffs.  (In a display of how CAFA may limit otherwise viable state law lawsuits, the court rejected the claims on the basis that they were not "clearly supported" by Indiana law.)  Among other things, the court noted the Indiana legislature enacted a data breach statute (effective July 1, 2006 – after the date of the underlying events).  This statute only required that private entities disclose any data breaches; it did not require any affirmative action, such as credit/data monitoring.  It also did not create a cause of action and impose damages.  Additionally, only the Attorney General was authorized to bring a suit under the statute. 

Plaintiffs made numerous arguments – by analogy to other Indiana cases – but to no avail.  The court found that the sought after damages are not compensable under Indiana law.  

I’ll say it before and I’ll say it again.  It’s time for a federal data breach statute…..

[via Wired's Threat Level]

  • No trackbacks exist for this post.
  • No comments exist for this post.
Leave a comment

Submitted comments are subject to moderation before being displayed.

 Name (required)

 Email (will not be published) (required)


Your comment is 0 characters limited to 3000 characters.