Saturday, August 25, 2007
Ind. Decisions - Still more on 7th Circuit decision re identity theft
The plaintiffs did not allege direct financial loss and did not claim they had been the victim of identity theft. They alleged they suffered "substantial potential economic damages" and demanded compensation for emotional harm out of fear they would suffer economic damages by those who stole their information.The ILB posted on March 11, 2006 a lengthy entry criticizing HEA 1101 (now PL 125), the identity theft law. Expressing "some thoughts", the ILB wrote near the end of the entry:
The bank's customers also demanded a "monitoring procedure to insure prompt notice to plaintiffs of any attempt to use their confidential personal information stolen from the defendants."
The appeals court also ruled that the law in Indiana, where the bank is located, did not protect the customers either.
"Had the Indiana Legislature intended that a cause of action should be available against a database owner for failing to protect adequately personal information, we believe that it would have made some more definite statement of that intent," the court wrote.
The court added that the plaintiffs "have not come forward with a single case or statute, from any jurisdiction, authorizing the kind of action they now ask this federal court, sitting in diversity, to recognize as a valid theory of recovery under Indiana law."
HEA 1101's new IC 24-4.9 offers no remedies to those consumers whose security has been breached, other than requiring that they be notified of the breach. What of the remedies that would pause or help repair the damage the breach has caused -- the remedies of security freezes, credit monitoring and credit repair. ...See also this entry from July 27, 2006.
Short of that, the biggest question here is: Is the new IC 24-4.9 now to be the exclusive remedy available to Indiana residents for these security breaches resulting in disclosure of their information? Or can consumers whose records have been released bring suit for negligence and ask for damages, costs, security freezes, and credit monitoring or credit repair? Will the companies whose negligence resulted in the disclosure be able to claim compliance with the minimal notification requirements of the new law as a defense?
During this year's 2007 session, one of the deficiencies was addressed, the freezing of credit reports. See this April 22, 2007 ILB entry. For background on this issue, see this Feb. 10, 2007 ILB entry.
Now for more on Thursday's 7th Circuit opinion. Computerworld has a story today headlined "Are data breach lawsuits just tilting at windmills? Personal data stolen? Go ahead, sue -- see what it gets you." Read the whole story. Here are some quotes:
For all the concern expressed about companies' exposure to lawsuits in the wake of of data breaches, a decision earlier this week by a federal appeals court shows yet again what a challenge it can be for consumers to actually win redress when one occurs.The story goes on to look at the status of other states. It concludes:
The United States Court of Appeals for the Seventh Circuit on Thursday rejected a proposed class-action lawsuit against Evansville, Ind.-based Old National Bancorp (ONB) over a 2005 data-breach incident.
In dismissing the proposed suit, the judges argued that damages were unavailable to the plaintiffs in this case because they had failed to show how they had been monetarily affected by the breach at the bank. * * *
The complaint charged ONB with failing to properly secure personal data that it had solicited from customers through its Web site. The plaintiffs in the case sought compensation from ONB for past and future credit monitoring services that they said they needed to obtain in response to the compromise.
The three judges of the United States Court of Appeals for the Seventh Circuit who heard the case ruled that mere "allegations of increased risk of future identity theft" were insufficient grounds for claiming damages from ONB. "The plaintiffs have not suffered a harm that the law is prepared to remedy," the judges wrote in their decision.
The judges pointed to Indiana's existing data breach disclosure law and said that that statute only required companies to inform individuals of compromises involving personal data. The law does not require "the database owner to take any other affirmative act in the wake of a breach," the judges noted. Its only in situations where a breached entity fails to notify affected individuals that the law can be enforced, and that too only by Indiana's Attorney General, the judges noted.
The law does not provide for private right of action by consumers and neither does it allow them to ask for compensation in breach situations, they noted.
"Had the Indiana legislature intended that a cause of action should be available against a database owner for failing to protect adequately personal information, we believe that it would have made some more definite statement of that intent," the judges said.
Legal experts have said such cases highlight the need for an overhaul of state data breach laws. Indeed, some states have already done just that or are working towards that goal. Minnesota, for instance, recently passed a new Plastic Card Security Act that holds breached entities responsible for reimbursing banks and credit unions the costs associated with notifying and reissuing cards after a breach.
The law also allows private citizens to bring lawsuits against breached companies. California passed a similar law recently, though it does not provide for private right of action.
"The current case is in line with recent and past decisions regarding potential future economic harm" resulting from data breaches, said Christopher Pierson, partner at Lewis and Roca LLP a Phoenix-based law firm. "The courts have pretty much decided that if you don't have a cognizable case of current harm you are not going to be able to receive damages," Pierson noted.
"Lawsuits brought under traditional negligence norms will not be successful. Courts are just not going to award damages and let these cause of action go forward unless there is actual harm," from a data breach.
Even in those cases, actually proving that the harm resulted from a specific data breach can be incredibly hard especially given the high number of data breaches being disclosed these days, Pierson said. "It's going to be difficult for an individual to prove that it was actually company A's breach as opposed to company B's breach that caused them harm."
Posted by Marcia Oddi on August 25, 2007 11:41 AM
Posted to Ind. (7th Cir.) Decisions