<b>Online Exclusive:</b> Security Breach Class Action Thrown Out of U.S. District Court

A decision by a U.S. district court during the week of Oct. 9, 2006 potentially limits the scope of class action complaints that can be filed in the wake of electronic security breaches of personally identifying information. Judge William Wilson of the U.S. District Court for the Eastern District of Arkansas threw out a class action lawsuit filed against database operator Acxiom on the grounds that the plaintiff could not show actual harm from the breach.

The case, April Bell v. Acxiom Corporation, arose from the 2003 hacking of a database operated by Acxiom and the theft of approximately 1 billion computer records. These records were stolen by Scott Levine, who then sold them to marketing firms that allegedly sent spam e-mails to the e-mail addresses. Levine was convicted in August 2005 of 120 counts of unauthorized access to a computer connected to the Internet ' but, in an admission that was critical in the class action litigation, the government did not prove that Levine actually used the information for identity fraud.

In his ruling, Wilson cited opinions, including a 2004 U.S. Supreme Court decision, John Doe v. US Department of Labor, in which the Court ruled that the Department of Labor was not liable for damages for a consumer whose Social Security Number was disclosed because he did not experience actual ID theft or harm. 'Because plaintiff has not alleged that she has suffered any concrete damages, she does not have standing under the case-or-controversy requirement,' Wilson wrote.

The plaintiff, represented by class action litigation firm Emerson Poynter (Houston and Little Rock), has not yet decided whether to appeal, according to a statement that Emerson Poynter gave to Cnet.com.

The opinion can be read at www.politechbot.com/docs/acxiom.order.class.action.101106.pdf.

A decision by a U.S. district court during the week of Oct. 9, 2006 potentially limits the scope of class action complaints that can be filed in the wake of electronic security breaches of personally identifying information. Judge William Wilson of the U.S. District Court for the Eastern District of Arkansas threw out a class action lawsuit filed against database operator Acxiom on the grounds that the plaintiff could not show actual harm from the breach.

The case, April Bell v. Acxiom Corporation, arose from the 2003 hacking of a database operated by Acxiom and the theft of approximately 1 billion computer records. These records were stolen by Scott Levine, who then sold them to marketing firms that allegedly sent spam e-mails to the e-mail addresses. Levine was convicted in August 2005 of 120 counts of unauthorized access to a computer connected to the Internet ' but, in an admission that was critical in the class action litigation, the government did not prove that Levine actually used the information for identity fraud.

In his ruling, Wilson cited opinions, including a 2004 U.S. Supreme Court decision, John Doe v. US Department of Labor, in which the Court ruled that the Department of Labor was not liable for damages for a consumer whose Social Security Number was disclosed because he did not experience actual ID theft or harm. 'Because plaintiff has not alleged that she has suffered any concrete damages, she does not have standing under the case-or-controversy requirement,' Wilson wrote.

The plaintiff, represented by class action litigation firm Emerson Poynter (Houston and Little Rock), has not yet decided whether to appeal, according to a statement that Emerson Poynter gave to Cnet.com.

The opinion can be read at www.politechbot.com/docs/acxiom.order.class.action.101106.pdf.