No Identity Theft, No Foul: Court Dismisses Lawsuit Against Data Giant

Those whose personal information was illegally stolen from data broker Acxiom by a spam operator who got a hold of the files in the process of selling email addresses to the company cannot sue the data giant for its pathetic security practices because they can't prove the data was ever misused, according to a CNET report.

Even though a spammer had downloaded more than one billion records from the company, U.S. District Judge William Wilson ruled that there was no evidence that Acxiom's purloined database had been used to send junk e-mail or postal mail.

Because the class action attorneys could not prove that anyone's information had actually been misused, Wilson dismissed the case and the request for damages on the grounds that any harm would be entirely speculative. "Because plaintiff has not alleged that she has suffered any concrete damages, she does not have standing under the case-or-controversy requirement," he wrote.

The spammers acquired 1.6 billion records from Acxiom's servers when Snipermail employee Scott Levine was uploading email addresses it was selling to Acxiom. Levine discovered that the upload password was the same as the download password and that he could access files put on the FTP server by other companies. Levine was sentenced to
8 years in jail for his downloading.

The CNET story says the ruling might set a precedent for other cases against companies with lax data regimes, but it is in keeping with a recent Supreme Court ruling that the federal government is not liable for damages for improperly publishing and sharing Social Security numbers unless one can prove actual harm.

There may be hope yet. Chris Hoofnagle, one of the smartest guys who follows the data industry and data breaches, who says that in California at least, companies are on the hook by state law to maintain reasonable security practices, according to CNET.

Photo: D.L.