Scott & Scott | Software Compliance Counsel


Court Limits Damages for Data Security Breach

In an important case for businesses concerned about potential liability for data security breaches, the United States Court of Appeals for the Seventh Circuit has held that plaintiffs who only sought damages for future credit monitoring and emotional distress did not suffer a “compensable damage” under Indiana law for negligence and breach of contract actions. While the decision in Pisciotta v. Old Nat. Bancorp, 2007 WL 2389770 (7th Cir. 2007), only applies directly to claims based on Indiana law, the court’s reasoning may be helpful in responding to similar claims in other states.

The case arose out of a data security breach involving a banking website. Defendant Old National Bancorp (“ONB”) operates a marketing website on which “individuals seeking banking services can complete online applications for accounts, loans and other ONB banking services.” Depending on the service requested, applications required submission of the customer or potential customer’s personal information, such as their name, address, social security number, driver’s license, date of birth, mother’s maiden name, and credit card or other financial account numbers. The web hosting facility notified ONB that there had been a security breach, and ONB in turn notified its customers and potential customers.

Plaintiffs filed a class action against ONB alleging that “by failing to protect [their] personal confidential information [ONB] caused Plaintiffs and other similarly situated past and present customers to suffer substantial potential economic damages and emotional distress and worry that third parties will use [the plaintiffs’] confidential personal information to cause them economic harm, or sell their confidential information to others who will in turn cause them economic harm.”

The plaintiffs asserted that they had been damaged because they “have incurred expenses in order to prevent their confidential personal information from being used and will continue to incur expenses in the future.” Further, the plaintiffs requested compensation “for all economic and emotional damages suffered as a result of [ONB’s] acts which were negligent in breach of implied contract or in breach of contract,” and “any and all other legal and/or equitable relief to which Plaintiffs . . . are entitled including establishing an economic monitoring procedure . . ..”

The Seventh Circuit, applying Indiana law, affirmed a trial court’s entry of judgment on the pleadings pursuant to Rule 12(c), holding that as a matter of law, the plaintiffs failed to assert any compensable damages. The appellate court acknowledged that many other courts have found that federal courts lack jurisdiction because a plaintiff whose data has been compromised, but not yet misused, has not suffered an injury-in-fact sufficient to confer Article III standing. The court, however, agreed with the notion that the injury-in-fact requirement can be satisfied by only a threat of future harm or by an act which harms the plaintiff by only increasing the risk of future harm that the plaintiff would have otherwise faced, absent the defendant’s actions.

The court was presented with the question of whether Indiana would compensate victims for potential future damage in the form of credit monitoring to guard against identity theft that might occur as a result of a data security breach. The Seventh Circuit found no Indiana precedent with respect to the issue. Because Indiana did not yet have any data privacy statutes, the court was forced to predict how the Indiana Supreme Court may have ruled.

In its analysis, the court compared the plaintiffs’ situation to that of a toxic tort plaintiff seeking damages for fear of future injury. Noting that Indiana courts had not recognized a claim for the cost of future medical monitoring, the court also considered other state cases regarding the issues raised in this case.

The court recognized that the Indiana legislature did enact a statute applicable to database security breaches sometime after the plaintiffs’ causes of action arose. Although this statute could not be applied to this case, the Seventh Circuit considered it as indicative of Indiana public policy on the question of data breaches. The new Indiana privacy statute only imposes a duty to disclose a breach and does not create a private right of action to enforce it. According to the court, the statute does not create a duty to compensate affected individuals for inconvenience or potential harm to credit that might follow a breach. The court concluded that the narrowness of the statute, combined with other Indiana authority regarding future harm, suggested that Indiana law would not recognize the costs of credit monitoring as “compensable damages.” Ultimately, the court declined to adopt a “substantive innovation . . . to invent what would be a truly novel tort claim,” and affirmed the trial court’s dismissal of claims against ONB. The Seventh Circuit’s struggle with the issues raised in Pisciotta is likely to be repeated in the future as other courts deal with the novel issues raised by data security breaches.

See the full opinion here: http://www.ca7.uscourts.gov/tmp/680M5MZZ.pdf


About

This page contains a single entry from the blog posted on September 10, 2007 9:24 AM.
