Are data breach lawsuits just tilting at windmills?
Personal data stolen? Go ahead, sue -- see what it gets you
Computerworld - For all the concern expressed about companies' exposure to lawsuits in the wake of data breaches, a decision earlier this week by a federal appeals court shows yet again what a challenge it can be for consumers to actually win redress when one occurs.
The United States Court of Appeals for the Seventh Circuit on Thursday rejected a proposed class-action lawsuit against Evansville, Ind.-based Old National Bancorp (ONB) over a 2005 data-breach incident.
In dismissing the proposed suit, the judges argued that damages were unavailable to the plaintiffs in this case because they had failed to show how they had been monetarily affected by the breach at the bank.
The lawsuit was filed on behalf of tens of thousands of customers of Old National Bancorp whose personal and financial data had been exposed by an intrusion that in the court's ruling was described as "sophisticated, intentional and malicious."
The complaint charged ONB with failing to properly secure personal data that it had solicited from customers through its Web site. The plaintiffs in the case sought compensation from ONB for past and future credit monitoring services that they said they needed to obtain in response to the compromise.
The three judges of the United States Court of Appeals for the Seventh Circuit who heard the case ruled that mere "allegations of increased risk of future identity theft" were insufficient grounds for claiming damages from ONB. "The plaintiffs have not suffered a harm that the law is prepared to remedy," the judges wrote in their decision.
The judges pointed to Indiana's existing data breach disclosure law and said that the statute only required companies to inform individuals of compromises involving personal data. The law does not require "the database owner to take any other affirmative act in the wake of a breach," the judges noted. It's only in situations where a breached entity fails to notify affected individuals that the law can be enforced, and even then only by Indiana's Attorney General, the judges noted.
The law does not provide for private right of action by consumers and neither does it allow them to ask for compensation in breach situations, they noted.
"Had the Indiana legislature intended that a cause of action should be available against a database owner for failing to protect adequately personal information, we believe that it would have made some more definite statement of that intent," the judges said.
Things are non-compensated all over
The appeals court's decision echoed similar decisions made by other courts in the past.
Just this June, a U.S. District judge in Ohio dismissed class action claims against Litton Loan Servicing LP over a data breach involving personal data. In that case, the individuals filing the lawsuit sought compensation for credit monitoring costs from Litton. But the judge threw out the claims, arguing that in the absence of actual identity theft resulting from the breach, the plaintiffs suffered only anticipated injury and therefore did not need to be compensated.