Tech Law Journal Daily E-Mail Alert
August 27, 2007, Alert No. 1,628.
Home Page | Calendar | Subscribe | Back Issues | Reference
7th Circuit Affirms Dismissal of Data Breach Case

8/23. The U.S. Court of Appeals (7thCir) issued its opinion [21 pages in PDF] in Pisciotta v. Old National Bancorp, a case regarding civil liability of companies that suffer data breaches.

Introduction. The Court of Appeals affirmed the District Court's dismissal of class action negligence and implied breach of contract claims against a financial services company that collected confidential personal information from individuals through a web site, and that subsequently suffered a computer hacking data breach, but where the customers whose personal information may have been acquired could allege no identity theft or financial loss, other than incurring the costs of credit monitoring.

While numerous courts have dismissed lost data cases where there has been no injury to the plaintiffs other than credit monitoring costs, many courts have done so on different grounds. In the present case, the District Court and Court of Appeals held that the complaint fails to state a claim under the applicable state law of negligence and contract. The Court of Appeals rejected the reasoning applied by other courts, including the U.S. District Court for the District of Columbia, that these complaints should be dismissed for lack of jurisdiction, because of the plaintiffs' lack of Article III standing.

Federal Courts are divided as to whether or not failure to allege injury beyond credit monitoring costs warrants dismissal for lack of jurisdiction. The law of standing and jurisdiction would apply uniformly across all districts, absent a split of opinion among courts, which now exists.

The Court of Appeals held that this case must be dismissed, but upon its conclusion that the state law in the district of suit requires a compensable injury, and that credit monitoring costs does not satisfy this requirement in the applicable state. That is, the Court of Appeals took an approach that could lead to different standards, and different outcomes, in every state.

While the financial services company prevailed in this case, the present opinion should provide little comfort to companies that hold databases of personal and confidential information. This opinion provides guidance to class action lawyers not to file data breach cases in U.S. District Court in Indiana.

Background. Old National Bancorp (ONB) is a financial services holding company based in the state of Indiana. NCR is an information technology company that maintained ONB's web site.

Luciano Pisciotta, Daniel Mills, and others accessed ONB's web site and entered personal information (such as names, addresses, social security numbers, driver's license numbers, dates of birth, mother's maiden names, and credit card or other financial account numbers) in connection with their applications for ONB banking services.

NCR reported a security breach that was "sophisticated, intentional and malicious". The Court of Appeals opinion adds only that it was perpetrated by a third party computer hacker, and that the "results of the investigation that followed have been filed under seal".

District Court. Pisciotta and Mills filed a class action complaint in U.S. District Court (SDInd) against ONB and NCR alleging state law claims of negligence and breach of implied contracts in connection with their failure to protect personal information from security breaches. Jurisdiction is based upon the Class Action Fairness Act of 2005 (CAFA).

The Court of Appeals noted that they "did not allege any completed direct financial loss to their accounts as a result of the breach. Nor did they claim that they or any other member of the putative class already had been the victim of identity theft as a result of the breach." (Emphasis in original.)

The plaintiffs requested damages for the cost of credit monitoring and emotional distress.

The District Court dismissed the complaint for failure to state a claim upon which relief can be granted, pursuant to Federal Rule of Civil Procedure (FRCP) 12(b)(6). It also held that the question of class certification is therefore moot.

Court of Appeals. Piscotta and Mills brought the present appeal. (However, they only appealed the dismissal as to ONB, and not NCR.) The Court of Appeals affirmed.

Some other courts have dismissed data breach complaints, which do not allege injury in fact, for lack of standing, pursuant to FRCP 12(b)(1).

See for example, the February 20, 2007, Memorandum Opinion [17 pages in PDF] of the U.S. District Court (DC) in Randolph v. ING Life Insurance and Casualty Company, which is also reported at 486 F.Supp.2d 1. See also, stories titled "District Court Holds that Injury in Fact is a Prerequisite for Standing in Lost Data Case" in TLJ Daily E-Mail Alert No. 1,544, February 27, 2007, and "DC Superior Court Dismisses Lost Laptop Data Case for Lack of Standing" in TLJ Daily E-Mail Alert No. 1,596, June 18, 2007.

The Court of Appeals for the 7th Circuit wrote in the present opinion that "Many of those cases have concluded that the federal courts lack jurisdiction because plaintiffs whose data has been compromised, but not yet misused, have not suffered an injury-in-fact sufficient to confer Article III standing. We are not persuaded by the reasoning of these cases." (Footnote omitted.)

It continued that "As many of our sister circuits have noted, the injury-in-fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent the defendant's actions. We concur in this view. Once the plaintiffs’ allegations establish at least this level of injury, the fact that the plaintiffs anticipate that some greater potential harm might follow the defendant’s act does not affect the standing inquiry." (Footnotes omitted.)

The Court of Appeals did not explain why it is "not persuaded by the reasoning" of other courts.

The Court of Appeals held that it federal courts have jurisdiction over this case. It further held that federal jurisdiction is based upon the CAFA, that the claims are based upon state law, and that the law of the state of Indiana applies to the negligence and implied contract claims.

The Court of Appeals continued that under Indiana law, one element of a negligence claim is a compensable injury proximately caused by defendant’s breach of duty, and that one element of a breach of implied contract claim is a compensable injury. As applied to the present case, the issue then is "whether Indiana would consider that the harm caused by identity information exposure, coupled with the attendant costs to guard against identity theft, constitutes an existing compensable injury and consequent damages required to state a claim for negligence or for breach of contract." (Emphasis in original.)

The Court of Appeals concluded that while there is no statute or precedent on point in Indiana, "the Supreme Court of Indiana would not allow the plaintiffs' claim to proceed." Hence, it affirmed.

This case is Luciano Pisciotta and Daniel Mills v. Old National Bancorp, U.S. Court of Appeals for the 7th Circuit, App. Ct. No. 06-3817, an appeal from the U.S. District Court for the Southern District of Indiana, Indianapolis Division, D.C. No. 05 C 668, Judge Larry McKinney presiding. Judge Ripple wrote the opinion of the Court of Appeals, in which Judges Wood and Evans joined.

FBI Announces Changes to Terrorist Screening Records System

8/22. The Department of Justice's (DOJ) Federal Bureau of Investigation (FBI) published a notice in the Federal Register, as required by the Privacy Act, that announces numerous proposed changes to the system of records maintained by the FBI's Terrorist Screening Center (TSC) titled Terrorist Screening Records System (TSRC).

The notice also requests public comments. The deadline to submit comments is October 1, 2007. See, Federal Register, August 22, 2007, Vol. 72, No. 162, at Pages 47073-47079.

The notice states, among other things, that the TSC plans to allow personnel from other government agencies, and non-governmental entities, to remotely query its electronic Terrorist Screening Database (TSDB).

The notice states that currently, "only TSC personnel can perform queries directly against the TSDB, EMA, and other internal TSC databases. In the future, the TSC plans to operate a query function permitting authorized individuals from screening agencies or entities to access TSC systems directly from an external location and submit search queries."

The notice adds that "not all terrorism screening is necessarily performed by a federal government agency", and may be performed by "critical infrastructure owners and operators". It elaborates that "private sector entities" that have a substantial bearing on homeland security may receive information from the TSRS.

This "is intended to better reflect the ongoing efforts by the federal government to increase sharing of intelligence, law enforcement, terrorism and threat information with State fusion centers and the private sector, such as critical infrastructure and key resource owners and operators". The FBI's notice further states that the reasons for such disclosure include a "personnel investigation or inquiry into a breach of data security".

More News

8/27. Acer announced in a release that it has entered into a definitive agreement to acquire Gateway. The deal is subject to regulatory approvals, including U.S. antitrust merger review under the Hart Scott Rodino Act, and U.S. foreign investment review under the Exon Florio provision.

8/24. The Department of Commerce's (DOC) National Telecommunications and Information Administration (NTIA) announced that it will host a series of workshops in Dallas, Denver, Newark, and Los Angeles regarding its Public Safety Interoperable Communications (PSIC) Grant Program. See, NTIA notice, and stories titled "NTIA Clarifies Deadlines for PSIC Grant Applications" in TLJ Daily E-Mail Alert No. 1,625, August 21, 2007, and "Public Safety Interoperable Communications Grant Applications Due in 30 Days" in TLJ Daily E-Mail Alert No. 1,612, July 19, 2007. The NTIA will hold the following workshops:
 • September 24, Dallas, Texas.
 • September 26, Denver, Colorado
 • September 28, Newark, New Jersey
 • October 1, Los Angeles, California.

8/24. The Federal Communications Commission (FCC) published a notice in the Federal Register that announces, summarizes, and sets the effective date (October 23, 2007 for most provisions) for its 700 MHz Band order. See, Federal Register, August 24, 2007, Vol. 72, No. 164, at Pages 48813-48868. See also, story titled "FCC Adopts 700 MHz Band Order" in TLJ Daily E-Mail Alert No. 1,619, July 31, 2007, and story titled "FCC Sets Date for 700 MHz Auction" in TLJ Daily E-Mail Alert No. 1,624, August, 20, 2007.

8/24. The U.S. Court of Appeals (7thCir) issued its opinion in Airborne Beepers v. AT&T Mobility, affirming the District Court's dismissal with prejudice of the third amended complaint. Back in 1997 Airborne entered into an Authorized Dealer Agreement with Southwestern Bell Mobile Systems, Inc., which then did business under the name Cellular One-Chicago. Southwestern Bell became part of Cingular Wireless, which was later acquired by AT&T. The agreement has long since expired. This case is Airborne Beepers & Video, Inc. v. AT&T Mobility LLC, U.S. Court of Appeals for the 7th Circuit, App. Ct. No. 06-2949.

8/23. The U.S. Court of Appeals (6thCir) issued its opinion [PDF] in Compuware v. Moody's Investors Services, affirming the summary judgment of the District Court for Moody's Investors Services. Moody's analyzes the financial conditions of, and publishes credit ratings for, companies. It rated Compuware, which then filed a complaint in U.S. District Court (EDMich) alleging defamation and breach of contract. The District Court held that actual malice is an element of both claims, and that Compuware failed to make the requisite showing. The Court of Appeals affirmed. This case is Compuware Corporation v. Moody's Investor Services, Inc., U.S. Court of Appeals for the 6th Circuit, App. Ct. No. 05-1851, an appeal from the U.S. District Court for the Eastern District of Michigan, D.C. No. 03-70247, Judge John Feikens presiding.

AG Gonzales to Resign

Alberto Gonzales8/27. Attorney General Alberto Gonzales (at right) will resign effective September 17, 2007.

Sen. Patrick Leahy (D-VT), the Chairman of the Senate Judiciary Committee (SJC), and a frequent critic of Gonzales, stated in a release that "Under this Attorney General and this President, the Department of Justice suffered a severe crisis of leadership that allowed our justice system to be corrupted by political influence. It is a shame, and it is the Justice Department, the American people and the dedicated professionals of our law enforcement community who have suffered most from it."

Sen. Orrin Hatch (R-UT), the ranking Republican on the SJC, stated in a release that "Alberto Gonzales has been the President’s strong right arm in fighting terrorists using the tools of law enforcement, and he helped successfully protect the American homeland during his tenure. Beyond that, he has overseen the Department of Justice’s efforts to protect children from Internet predators, to combat human trafficking, and to prevent the spread of meth in our communities."

Sen. Hatch added that "I hope that history will remember Attorney General Gonzales for his honorable service to his country, rather than for the absurd political theater to which some critics have subjected him."

Solicitor General Paul Clement will become the acting Attorney General in the event that the Senate has not confirmed a replacement. The position of Deputy Attorney General (DAG) is vacant; Craig Moford is acting DAG.

More People and Appointments

8/21. James Bidzos was elected Chairman of VeriSign. He replaces Edward Mueller who resigned to become Ch/CEO of Qwest Communications International. See, VeriSign release.

Washington Tech Calendar
New items are highlighted in red.
Monday, August 27

The House will not meet due to the August District Work Period. See, House 2007 calendar. The House will next meet at 2:00 PM on September 4, 2007.

The Senate will not meet due to the August District Work Period. The Senate will next meet at 1:00 PM on September 4. See, Senate 2007 calendar.

10:00 AM. Deadline to submit comments to the Office of the U.S. Trade Representative (USTR) regarding its Special 301 Out-of-Cycle Review of the Russian Federation. This is a review of countries that deny adequate and effective protection of intellectual property rights or deny fair and equitable market access to U.S. persons who rely on intellectual property protection. See, notice in the Federal Register, July 9, 2007, Vol. 72, No. 130, at Pages 37272-37273.

Deadline to register to attend the meeting of the Architectural and Transportation Barriers Compliance Board's (ATBCB) Telecommunications and Electronic and Information Technology Advisory Committee (TEITAC) on September 4-6, 2007. See, notice in the Federal Register, August 23, 2007, Vol. 72, No. 163, at Pages 48252-48253. See also, 29 U.S.C. § 794d. For more information, contact Timothy Creagan at 202-272-0016 or creagan at access dash board dot gov.

Deadline to submit reply comments to the Federal Communications Commission (FCC) in response to its Notice of Proposed Rulemaking (NPRM) in its XM Sirius merger review proceeding that seeks comment on whether the language in an earlier order barring the merger constitutes a binding FCC rule, and if so, whether the FCC should waive, modify, or repeal the prohibition if the FCC determines that the proposed merger would serve the public interest. See, notice in the Federal Register, July 12, 2007, Vol. 72, Number 133, at Pages 38055-38056.

Tuesday, August 28

1:00 - 3:00 PM. The Architectural and Transportation Barriers Compliance Board's (ATBCB) Telecommunications and Electronic and Information Technology Advisory Committee (TEITAC) will hold the second of two meetings by teleconference regarding "revising and updating accessibility guidelines for telecommunications products and accessibility standards for electronic and information technology". The deadline to register is August 22, 2007. See, notice in the Federal Register, August 3, 2007, Vol. 72, No. 149, at Pages 43211-43212. The dial in number is 888-790-5019. The passcode is 5944761. Location: Suite 1000, 1331 F St., NW.

Day one of a three day conference hosted by the National Institute of Standards and Technology's (NIST) titled "Performance Metrics for Intelligent Systems (PerMIS) Workshop". See, notice. August 21 is the deadline to register. The price to attend is $375. Location: Courtyard Gaithersburg Washingtonian Center, 204 Boardwalk Place, Gaithersburg, MD.

6:00 - 8:15 PM. The DC Bar Association will host a continuing legal education (CLE) program titled "What You Need to Know About Spam Cases: Litigation and Anti-Spam Regulations". The speakers will be Jason Levine (McDermott Will & Emery) and Yaron Dori (Hogan & Hartson). The price to attend ranges from $80 to $115. For more information, call 202-626-3488. See, notice. Location: DC Bar Conference Center, B-1 Level, 1250 H St., NW.

Deadline to submit reply comments to the Federal Communications Commission (FCC) in response to its request to refresh the record of its 2001 Further Notice of Proposed Rulemaking (FNPRM) regarding "the status of the market for the provision of telecommunications services in Multiple Tenant Environments (MTEs), and on whether the prohibition on exclusive access contracts in commercial MTEs should be extended to residential MTEs". See, notice in the Federal Register, May 30, 2007, Vol. 72, No. 103, at Pages 29928-29929. This item is DA 07-1485 WT Docket No. 99-217 and CC Docket No. 96-98.

Wednesday, August 29

Day two of a three day conference hosted by the National Institute of Standards and Technology's (NIST) titled "Performance Metrics for Intelligent Systems (PerMIS) Workshop". See, notice. Location: Courtyard Gaithersburg Washingtonian Center, 204 Boardwalk Place, Gaithersburg, MD.

Thursday, August 30

Day two of a three day conference hosted by the National Institute of Standards and Technology's (NIST) titled "Performance Metrics for Intelligent Systems (PerMIS) Workshop". See, notice. Location: Courtyard Gaithersburg Washingtonian Center, 204 Boardwalk Place, Gaithersburg, MD.

Extended deadline to submit reply comments to the Federal Communications Commission (FCC) in response to its Notice of Proposed Rulemaking (NPRM) regarding rule changes related to the DTV transition. The FCC adopted this NPRM on April 25, 2007, and released the text [93 pages in PDF] on May 18, 2007. It is FCC 07-70 in MB Docket No. 07-91. See, notice in the Federal Register, July 9, 2007, Vol. 72, No. 130, at Pages 37309-37344, and Public Notice [PDF] (DA 07-3518) extending deadlines.

Friday, August 31

Deadline to submit initial comments to the Federal Communications Commission (FCC) in response its Public Notice [32 pages in PDF] regarding the competitive bidding procedures for the 700 MHz band auction. The FCC released the Public Notice on August 17, 2007. It is DA 07-3415 in AU Docket No. 07-157. This auction is Auction No. 73. It is scheduled to commence on January 16, 2008. See, notice in the Federal Register, August 23, 2007, Vol. 72, No. 163, at Pages 48272-48285. See also, story titled "FCC Adopts 700 MHz Band Order" in TLJ Daily E-Mail Alert No. 1,619, July 31, 2007, and story titled "FCC Sets Date for 700 MHz Auction" in TLJ Daily E-Mail Alert No. 1,624, August, 20, 2007.

Saturday, September 1

Deadline to submit nominations to the U.S. Patent and Trademark Office (USPTO) for membership on the Patent Public Advisory Committee (PPAC) or Trademark Public Advisory Committee (TPAC). See, notice in the Federal Register, June 20, 2007, Vol. 72, No. 118, at Pages 33981-33982.

Monday, September 3

Labor Day.

The Federal Communications Commission (FCC) and other federal offices will be closed. See, Office of Personnel Management's (OPM) list of federal holidays and 5 U.S.C. § 6103.

The National Press Club will be closed.

5:00 PM. Deadline to submit prepared testimony to the Department of Commerce's (DOC) Bureau of Industry and Security's (BIS) Deemed Export Advisory Committee (DEAC) for the DEAC's meeting of September 10, 2007. See, notice in the Federal Register, August 16, 2007, Vol. 72, No. 158, at Page 46035.

About Tech Law Journal

Tech Law Journal publishes a free access web site and subscription e-mail alert. The basic rate for a subscription to the TLJ Daily E-Mail Alert is $250 per year. However, there are discounts for subscribers with multiple recipients. Free one month trial subscriptions are available. Also, free subscriptions are available for journalists, federal elected officials, and employees of the Congress, courts, and executive branch. The TLJ web site is free access. However, copies of the TLJ Daily E-Mail Alert are not published in the web site until one month after writing. See, subscription information page.

Contact: 202-364-8882.
P.O. Box 4851, Washington DC, 20008.

Privacy Policy
Notices & Disclaimers
Copyright 1998-2007 David Carney, dba Tech Law Journal. All rights reserved.