Perhaps reflecting an emerging trend, a proposed class action against Acxiom Corporation was dismissed on October 3, 2006 because the named plaintiff failed to allege "injury in fact." Consequently, her "claims must be dismissed for lack of standing." Bell v. Acxiom Corp. , No. 4: 06-CV-00485-WRW, U.S. District Court for the Eastern District of Arkansas.
Acxiom Corporation, headquartered in Little Rock, AR, creates and delivers customer and information management "solutions." In 2003, its business included maintaining computer banks in which it stored personal, financial and other company data for its corporate clients. Clients could access their data through a username and password. One client representative "exploited a hole in Acxiom's security system," accessed and downloaded other clients' databases and then sold names and addresses to a marketing company that used them for direct-mail advertising. The wrongdoer subsequently was apprehended and convicted. Thereafter, the subject class action was filed.
The complaint sought "relief on behalf of all residents of the United States whose personal information was unlawfully taken" from Acxiom's Internet-accessible computers subsequent to January 1, 2001. It charged that such thefts were "due to Acxiom's complete lack of due care." Specifically, "the only security the Defendant installed was a username and password," where the "password was often times the same name as the customer's name," and "these usernames and passwords were not changed for sometimes years." These practices allegedly afforded "both present as well as former employees of Acxiom and its clients access to millions of consumers' personal information" and made it so that "this username and password information could be sold to the highest bidder." Such weaknesses enabled anyone with "a little computer savvy to steal the private information in Acxiom's databases, thereby harming the millions upon millions of people whose personal information was located on" those databases. The "Class and Plaintiff have all had their private information taken and exploited."
The complaint also faulted Acxiom for not taking "adequate measures to prevent such breaches of security from happening again" after the 2003 breach, for having "actively refused to notify the people (which make up the Class) that their personal information was stolen and remains a security risk," and because "Acxiom has refused individuals who contact Defendant in an effort to determine whether their personal information was stolen."
In that context, the complaint requested a declaration that Acxiom's "security measures" were "inadequate," notice to all class members of "the times their private information was breached, how it was breached, by whom" and what remedial action Acxiom has taken. Even more threatening, it sought an injunction requiring Acxiom to "remove the private information" from its computer system and preventing Acxiom from "obtaining any such private information" in the future, thus requiring Acxiom to severely narrow the scope of its business. It also sought compensatory and punitive damages.
Acxiom promptly moved to dismiss the complaint for lack of standing and failure to state a claim upon which relief can be granted. Relying on the U.S. Supreme Court's criteria for constitutional standing specified in Lujan v. Defenders of Wildlife , 504 U.S. 555 (1992), Acxiom argued that plaintiffs must allege and demonstrate (1) injury in fact, (2) a causal connection between that injury and the challenged conduct and (3) the likelihood that a favorable decision by the court will redress the alleged injury. Here, Acxiom contended, there was no alleged injury in fact; mere allegations of possible future injuries are not sufficient. Thus, "the possibility of receiving unwanted marketing solicitations" or a "risk of identity theft" are not enough.
In response, the plaintiff argued that "victims of lost private information are damaged and must act quickly to minimize their damage and exposure to identity theft." She contended that damage, even though potential, can be the basis for relief. The "laundry list of relief sought by Plaintiff is sufficient on its own to meet the damage pleading requirement irrespective of other damage issues raised by Plaintiff."
Judge Wilson's Decision
U.S. District Judge William R. Wilson, Jr., a 1993 Clinton appointee, dismissed the complaint for lack of standing and entered judgment in favor of Acxiom. His starting point was that "strict compliance with this jurisdictional standing requirement is mandated." Assertions of "potential future injury" do not satisfy the injury in fact test, and a threatened injury "must be certainly impending" to constitute injury in fact.
Risk of Junk Mail
In that context, Judge Wilson read the complaint to allege that plaintiff "suffered an increased risk of both receiving unsolicited mailing advertisements and of identity theft." He rejected the former as insufficient, on the ground that "several courts have held that the receipt of unsolicited and unwanted mail does not constitute actual harm," citing Smith v. Chase Manhattan Bank , 293 A.D. 2d 598 (N.Y. App. 2002) (the receipt of unwanted marketing solicitations was not an actual harm), Shibley v. Time, Inc . 341 N.E. 2d 337 (Ohio App. 1975) (the "right of privacy does not extend to the mailbox") and Lamont v. Commissioner of Motor Vehicles , 269 F. Supp. 880 (S.D.N.Y. 1967) ("the short, though regular, journey from mailbox to trash can... is an acceptable burden, at least so far as the Constitution is concerned").
Risk Of Identity Theft
Similarly, Judge Wilson found that "while there have been several lawsuits alleging an increased risk of identity theft, no court has considered the risk itself to be damage," citing Walters v. DHL Express , 2006 WL 1314132 (C.D. Ill. 2006) (dismissing claim for damages of increased risk of identity theft), Guin v. Brazos Higher Education Service Corp., Inc ., 2006 WL 288483 (D. Minn. 2006) (rejecting claim that an increased risk of identity theft constituted legally cognizable injury) and Stollenwerk v. Tri-West Healthcare Alliance , 2005 WL 2465906 (D. Ariz. 2005) (dismissing case where plaintiff failed to establish " 1) significant exposure of sensitive personal information, 2) a significant increased risk of identity fraud as a result of that exposure and 3) the necessity and effectiveness of credit monitoring in detecting, treating and/or preventing identity fraud.")
In the present case, Judge Wilson found the claim was particularly weak, because "more than three years after the theft, Plaintiff has not alleged that she has suffered anything greater than an increased risk of identity theft," whereas the Federal Trade Commission has found that "76% of all identity theft is discovered before 24 months after the theft." Thus, if theft was going to occur, it likely would have occurred prior to the complaint's being filed.
Based on those rulings, Judge Wilson concluded that "Plaintiff's claims must be dismissed for lack of standing." Implicit in this ruling and the cited precedent is the conclusion that a plaintiff is not injured by the mere theft of information about the plaintiff or by a database manager's mere failure to take steps of a given type to decrease the risk of theft of that information.
Bruce L. McDonald is a Partner at Wiley Rein & Fielding. He focuses his practice on privacy issues and has particular experience in federal and state regulation of food, drugs, medical devices and environmental hazards, including product liability issues as well as the Commerce Clause and First Amendment implications of product marketing. He also has had extensive experience in legislative drafting, rulemaking proceedings and litigation before federal regulatory agencies and has coordinated the defense of asbestos and other mass tort litigation, including class action defense. His litigation experience also includes the representation of clients in complex product liability litigation, interstate commerce and taxation, First Amendment litigation and privacy matters. He can be reached at (202) 719-7014.
Wiley Rein & Fielding's Privacy Practice
With the explosion in information technology, privacy and information security issues have risen to the forefront of legal developments affecting every business. New and emerging privacy and security laws produce challenges for any business that collects, utilizes or distributes information. Wide media attention, tort litigation brought by private parties (often as class actions) and governmental enforcement actions have made privacy a major risk area for businesses. Wiley Rein & Fielding's goal is to provide companies with a thorough understanding of the current - and potential - rules on privacy and security and to provide legal solutions that harmonize businesses' needs with emerging information access restrictions.
Wiley Rein & Fielding's Privacy Practice includes more than 20 attorneys from more than a dozen substantive practice areas. The firm represents domestic and international businesses, as well as major trade associations, in many industries, including communications, Internet, healthcare and insurance, financial services, online advertising, biometrics, information security, manufacturing, retailing, franchising and distribution. The group was recently named one of the "best privacy consultancies" by Computerworld magazine.
Wiley Rein & Fielding helps businesses ensure that: (1) privacy policies and confidentiality agreements reflect legal obligations and disclosure authorizations; (2) procedures are in place to respond to court orders within the scope of any liability protections; and (3) disclosures or surveillance can be accomplished without business disruptions. The firm also assists companies in all industries meeting new security requirements, whether imposed by law or industry best practices.