Acxiom Not Liable for Security Breach–Bell v. Acxiom
By Eric Goldman
Bell v. Acxiom Corp., 4:06CV00485-WRW (E.D. Ark. Oct. 3, 2006)
Acxiom is a major data miner/data broker. As a result, they have lots of sensitive personal data stored on their computers. Between 2001-2003, they suffered a major security breach when a bad actor (now in jail) extracted personal data and resold it to marketers. Bell brought a putative class action against Acxiom for this security breach that may have resulted in her data being resold.
Specifically, Bell alleged two injuries: (1) increased risk of receiving junk mail, and (2) increased risk of identity theft. However, she did not allege that she actually experienced either increased junk mail or identity theft. Thus, the court brushes the concerns about possible future risks aside, saying that both injuries were not sufficiently concrete to satisfy the “case or controversy” pleading standard. As a result, the court granted Acxiom’s motion to dismiss.
UPDATE: A very similar ruling rejecting a fear of increased risk of identity theft as an injury sufficient to support standing: Key v. DSW, Inc., 2:06-cv-00459-GLF-TPK (S.D. Ohio Sept. 27, 2006).