Pisciotta v. Old National Bancorp: Dismissal of Class Action Alleging Negligence, Breach of Contract in Hacking Case

The U.S. Seventh Circuit Court of Appeals ruled in August 23, 2007, in this case involving identity exposure via data breach. The plaintiffs in the class action suit sought to recover damages for the unauthorized disclosure of their personal information through a data breach at Old National Bankcorp.

Old National Bancorp (ONB) gathered customer data online, including names, addresses, Social Security numbers, driver’s license numbers, birth dates, and additional financial information for use in banking services. The institution collected the information to open accounts, take loan applications, and other banking services. The bank’s website was hacked in 2005, compromising this data and potentially putting customers at risk of identity theft, thus causing them to bear the expense of credit monitoring to protect themselves.

After the bank’s website was hacked, Luciano Pisciotta and Daniel Mills filed a class action in the U.S. District Court for the Southern District of Indiana, claiming breach of contract, negligence and implied breach of contract against the bank and its web hosting partner (NCR). The suit alleged that the bank’s failure to protect their confidential information caused the plaintiffs to suffer substantial potential economic damages and emotional distress arising from the fact that third parties could misuse this data. They did not claim that they had incurred any completed, direct financial losses as a result of the data breach, however.

The case was dismissed at the district level, finding that the plaintiffs did not allege that ONB’s actions caused them “cognizable injury.” The court noted that paying money to monitor one’s credit was not the result of ” any present injury but the anticipation of future injury that has not yet materialized.”

The appellate court agreed with the district court and held that Indiana law did not recognize credit monitoring costs for recovery by the plaintiffs as “compensable damages.” With this decision, the Seventh Circuit agreed with several federal district courts that rejected such costs as a type of injury that would support legal claims for damages.

The court rejected the argument from the plaintiffs that Indiana law governing security breach notification showed that the state legislature believed that a person suffers a completed harm as soon as his/her information is exposed. Also rejected were analogies made by plaintiffs concerning medical monitoring cases. According to the court, no state authority in Indiana allowed recovery for medical monitoring costs

Leave a Reply