Acxiom Not Liable for Security Breach–Bell v. Acxiom

By Eric Goldman

Bell v. Acxiom Corp., 4:06CV00485-WRW (E.D. Ark. Oct. 3, 2006)

Acxiom is a major data miner/data broker. As a result, they have lots of sensitive personal data stored on their computers. Between 2001-2003, they suffered a major security breach when a bad actor (now in jail) extracted personal data and resold it to marketers. Bell brought a putative class action against Acxiom for this security breach that may have resulted in her data being resold.

Specifically, Bell alleged two injuries: (1) increased risk of receiving junk mail, and (2) increased risk of identity theft. However, she did not allege that she actually experienced either increased junk mail or identity theft. Thus, the court brushes the concerns about possible future risks aside, saying that both injuries were not sufficiently concrete to satisfy the “case or controversy” pleading standard. As a result, the court granted Acxiom’s motion to dismiss.

This case reminds me of the In re JetBlue case, where the airline provided passenger records to the government in contravention of its articulated privacy policy. That lawsuit died because the plaintiff could not show any cognizable injury from the data transfer/privacy policy breach. In the Acxiom case, the lawsuit died because the plaintiffs couldn’t plead a sufficiently tangible harm to clear the motion to dismiss standard. So it appears that some courts are demanding more from privacy plaintiffs than just their mere apprehension about privacy–a significant standard that could keep privacy lawsuits in check.

UPDATE: A very similar ruling rejecting a fear of increased risk of identity theft as an injury sufficient to support standing: Key v. DSW, Inc., 2:06-cv-00459-GLF-TPK (S.D. Ohio Sept. 27, 2006).