October 18, 2006
Acxiom Not Liable for Security Breach--Bell v. Acxiom
By Eric Goldman
Bell v. Acxiom Corp., 4:06CV00485-WRW (E.D. Ark. Oct. 3, 2006)
Acxiom is a major data miner/data broker. As a result, they have lots of sensitive personal data stored on their computers. Between 2001 and 2003, they suffered a major security breach when a bad actor (now in jail) extracted personal data and resold it to marketers. Bell brought a putative class action against Acxiom for this security breach that may have resulted in her data being resold.
Specifically, Bell alleged two injuries: (1) increased risk of receiving junk mail, and (2) increased risk of identity theft. However, she did not allege that she actually experienced either increased junk mail or identity theft. Thus, the court brushed aside the concerns about possible future risks, saying that neither injury was sufficiently concrete to satisfy the "case or controversy" pleading standard. As a result, the court granted Acxiom's motion to dismiss.
UPDATE: A very similar ruling rejecting a fear of increased risk of identity theft as an injury sufficient to support standing: Key v. DSW, Inc., 2:06-cv-00459-GLF-TPK (S.D. Ohio Sept. 27, 2006).
Posted by Eric at October 18, 2006 07:12 PM | Privacy/Security
FWIW, this case could have been more effectively designed. They didn't even bring an unfair/deceptive trade practices claim. (Acxiom mischaracterized their security practices, characterizing them as "exceptional," but they were not. This behavior could support an unfair/deceptive practices claim under the FTC's decision in Microsoft Passport.)
But is it good to keep privacy lawsuits in check? What other remedy does one have against Acxiom for its practices?
Posted by: Chris Hoofnagle at October 19, 2006 09:55 AM
Thanks, Chris. Your questions make an assumption that deserves examination. Why should plaintiffs need a remedy against Acxiom if they didn't suffer any injury? I recognize that the definition of "injury" is a little tautological; for example, one might take the position that the mere disclosure, without any further consequence, is injurious, but I don't agree. See http://papers.ssrn.com/sol3/papers.cfm?abstract_id=685241 . Otherwise, I don't think plaintiffs should have a cause of action for disclosures they don't like (especially in situations like this, where the disclosure was caused by a criminal actor). Eric.
Posted by: Eric Goldman at October 19, 2006 10:02 AM
The criminal actor was one of Acxiom's clients...
And with all due respect, the law recognizes and protects consumer *dignity*, not just injury. After all, how are you injured by your video, cable, or doctor selling your records? Driving the debate towards having to show an injury is almost irrelevant--privacy law provides default damages because these injuries are frequently impossible to show.
Acxiom scoops up personal information on others without notice or consent, uses that information for unknown purposes, and in this case, didn't secure the information.
I don't think the plaintiffs should have hit the jackpot in this case, but absent lawsuits, there are no market forces to curb Acxiom's behavior, and many people find the company's actions objectionable.
For instance, just try to opt out from Acxiom's information disclosure--they put unreasonable burdens in the way (requiring you to call to request an information packet, etc). Beth Givens and 10 other people attempted to use Acxiom's self-regulatory access to records system several years ago, and many in their small sample never got a reply!
Posted by: Chris Hoofnagle at October 19, 2006 10:16 AM