7th Circuit Affirms Dismissal of Data Breach Case

August 23, 2007. The U.S. Court of Appeals (7thCir) issued its opinion [21 pages in PDF] in Pisciotta v. Old National Bancorp, a case regarding civil liability of companies that suffer data breaches.

Introduction. The Court of Appeals affirmed the District Court's dismissal of class action negligence and implied breach of contract claims against a financial services company that collected confidential personal information from individuals through a web site, and that subsequently suffered a computer hacking data breach, but where the customers whose personal information may have been acquired could allege no identity theft or financial loss, other than incurring the costs of credit monitoring.

While numerous courts have dismissed lost data cases where there has been no injury to the plaintiffs other than credit monitoring costs, many courts have done so on different grounds. In the present case, the District Court and Court of Appeals held that the complaint fails to state a claim under the applicable state law of negligence and contract. The Court of Appeals rejected the reasoning applied by other courts, including the U.S. District Court for the District of Columbia, that these complaints should be dismissed for lack of jurisdiction, because of the plaintiffs' lack of Article III standing.

Federal Courts are divided as to whether or not failure to allege injury beyond credit monitoring costs warrants dismissal for lack of jurisdiction. The law of standing and jurisdiction would apply uniformly across all districts, absent a split of opinion among courts, which now exists.

The Court of Appeals held that this case must be dismissed, but upon its conclusion that the state law in the district of suit requires a compensable injury, and that credit monitoring costs do not satisfy this requirement in the applicable state. That is, the Court of Appeals took an approach that could lead to different standards, and different outcomes, in every state.

While the financial services company prevailed in this case, the present opinion should provide little comfort to companies that hold databases of personal and confidential information. This opinion provides guidance to class action lawyers not to file data breach cases in U.S. District Court in Indiana.

Background. Old National Bancorp (ONB) is a financial services holding company based in the state of Indiana. NCR is an information technology company that maintained ONB's web site.

Luciano Pisciotta, Daniel Mills, and others accessed ONB's web site and entered personal information (such as names, addresses, social security numbers, driver's license numbers, dates of birth, mother's maiden names, and credit card or other financial account numbers) in connection with their applications for ONB banking services.

NCR reported a security breach that was "sophisticated, intentional and malicious". The Court of Appeals opinion adds only that it was perpetrated by a third party computer hacker, and that the "results of the investigation that followed have been filed under seal".

District Court. Pisciotta and Mills filed a class action complaint in U.S. District Court (SDInd) against ONB and NCR alleging state law claims of negligence and breach of implied contracts in connection with their failure to protect personal information from security breaches. Jurisdiction is based upon the Class Action Fairness Act of 2005 (CAFA).

The Court of Appeals noted that they "did not allege any completed direct financial loss to their accounts as a result of the breach. Nor did they claim that they or any other member of the putative class already had been the victim of identity theft as a result of the breach." (Emphasis in original.)

The plaintiffs requested damages for the cost of credit monitoring and emotional distress.

The District Court dismissed the complaint for failure to state a claim upon which relief can be granted, pursuant to Federal Rule of Civil Procedure (FRCP) 12(b)(6). It also held that the question of class certification is therefore moot.

Court of Appeals. Pisciotta and Mills brought the present appeal. (However, they only appealed the dismissal as to ONB, and not NCR.) The Court of Appeals affirmed.

Some other courts have dismissed data breach complaints, which do not allege injury in fact, for lack of standing, pursuant to FRCP 12(b)(1).

See for example, the February 20, 2007, Memorandum Opinion [17 pages in PDF] of the U.S. District Court (DC) in Randolph v. ING Life Insurance and Casualty Company, which is also reported at 486 F.Supp.2d 1. See also, stories titled "District Court Holds that Injury in Fact is a Prerequisite for Standing in Lost Data Case" in TLJ Daily E-Mail Alert No. 1,544, February 27, 2007, and "DC Superior Court Dismisses Lost Laptop Data Case for Lack of Standing" in TLJ Daily E-Mail Alert No. 1,596, June 18, 2007.

The Court of Appeals for the 7th Circuit wrote in the present opinion that "Many of those cases have concluded that the federal courts lack jurisdiction because plaintiffs whose data has been compromised, but not yet misused, have not suffered an injury-in-fact sufficient to confer Article III standing. We are not persuaded by the reasoning of these cases." (Footnote omitted.)

It continued that "As many of our sister circuits have noted, the injury-in-fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent the defendant's actions. We concur in this view. Once the plaintiffs’ allegations establish at least this level of injury, the fact that the plaintiffs anticipate that some greater potential harm might follow the defendant’s act does not affect the standing inquiry." (Footnotes omitted.)

The Court of Appeals did not explain why it is "not persuaded by the reasoning" of other courts.

The Court of Appeals held that federal courts have jurisdiction over this case. It further held that federal jurisdiction is based upon the CAFA, that the claims are based upon state law, and that the law of the state of Indiana applies to the negligence and implied contract claims.

The Court of Appeals continued that under Indiana law, one element of a negligence claim is a compensable injury proximately caused by defendant’s breach of duty, and that one element of a breach of implied contract claim is a compensable injury. As applied to the present case, the issue then is "whether Indiana would consider that the harm caused by identity information exposure, coupled with the attendant costs to guard against identity theft, constitutes an existing compensable injury and consequent damages required to state a claim for negligence or for breach of contract." (Emphasis in original.)

The Court of Appeals concluded that while there is no statute or precedent on point in Indiana, "the Supreme Court of Indiana would not allow the plaintiffs' claim to proceed." Hence, it affirmed.

This case is Luciano Pisciotta and Daniel Mills v. Old National Bancorp, U.S. Court of Appeals for the 7th Circuit, App. Ct. No. 06-3817, an appeal from the U.S. District Court for the Southern District of Indiana, Indianapolis Division, D.C. No. 05 C 668, Judge Larry McKinney presiding. Judge Ripple wrote the opinion of the Court of Appeals, in which Judges Wood and Evans joined.