Privacy Law Bulletin, October 9, 2007
Following a data security breach, businesses can frequently look forward to a consumer class action or two.
To date, these class actions have been largely unsuccessful, and several federal district courts have dismissed consumer actions following a breach for failing to state a claim upon which relief can be granted. See,
e.g.,Kahle v. Litton Loan Servicing, LP, 486 F. Supp. 2d 705 (S.D. Ohio 2007); Bell v. Acxiom Corp., 2006 WL
2850042 (E.D. Ark. Oct. 3, 2006); Key v. DSW, Inc., 454 F. Supp. 2d 684 (S.D. Ohio 2006); Guin v. Brazos
Higher Educ. Serv. Corp., Inc., 2006 WL 288483 (D. Minn. Feb. 7, 2006).
Now, for the first time, a federal court of appeals has weighed in on the issue as well. On August 23, 2007, the
U.S. Court of Appeals for the Seventh Circuit (“Seventh Circuit”) concluded that present and future identity
theft-monitoring costs are not compensable damages under Indiana’s security breach notification statute,
affirming the dismissal of a class action claim against a bank for allegedly failing to protect personal information
collected on its online marketing Web site from a hacking incident (Pisciotta v. Old Nat’l Bancorp., No. 06-3817,
2007 WL 2389770 (7th Cir. Aug. 23, 2007)).
Please see full publication below for more information.