
Class action suit over ID theft tossed out

Acxiom, a data warehouser, had its databases looted at least twice. But judge throws out an ID-theft class action suit.

Declan McCullagh Former Senior Writer
A federal judge in Arkansas has thrown out a class action lawsuit against Acxiom, which exposed massive amounts of Americans' personal information in a high-profile Internet security snafu three years ago.

Even though a spammer had downloaded more than one billion records from the company, U.S. District Judge William Wilson ruled that there was no evidence that Acxiom's purloined database had been used to send junk e-mail or postal mail.

Because the class action attorneys could not prove that anyone's information had actually been misused, Wilson dismissed the case and the request for damages on the grounds that any harm would be entirely speculative. "Because plaintiff has not alleged that she has suffered any concrete damages, she does not have standing under the case-or-controversy requirement," he wrote.

The decision (PDF), published on Oct. 3, could prove influential in other identity fraud cases where breaches have exposed personal information such as home addresses and Social Security numbers, but there's no proof that the information has been misused.

"If this case is not the first, it's certainly one of the first to deal with these issues," said David Kramer, a partner at the law firm of Wilson Sonsini Goodrich & Rosati, who represents Acxiom.

It's not entirely clear what information was downloaded from Acxiom, except that it was information owned by one of its customers rather than information Acxiom collected itself. Acxiom's business includes providing databases for direct marketers, including InfoBase, described by the company as "the largest collection of U.S. consumer and telephone data in one source," and Personicx, which features the "specific consumer and demographic characteristics" of tens of millions of American households. Acxiom also provides information to law enforcement agencies, and once counted former presidential candidate Wesley Clark as a board member.

In a related case dealing only with the rules governing federal agencies, the U.S. Supreme Court ruled in 2004 that someone who had his Social Security number disclosed by the Department of Labor--but experienced no actual harm such as identity fraud--was not entitled to damages (PDF).

The class action lawsuit arose out of a security breach at Acxiom in 2003 in which the company allegedly did not adequately protect a server used for file transfers (FTP). Earlier this year, Scott Levine was sentenced to eight years in prison after a federal jury convicted him of 120 counts of unauthorized access to Acxiom's computers.

Levine is a native of Boca Raton, Fla. and former chief executive of a bulk e-mail company called Snipermail.com, which had been dubbed a spammer by the Spamhaus Project. But federal prosecutors said there was no evidence that Levine used the downloaded data for identity fraud.

According to court documents, Levine and others broke into an Acxiom server used for file transfers and downloaded an encrypted password file called "ftpsam.txt" in early 2003. Then they ran a cracking utility on the ftpsam.txt file, prosecutors said, discovered 40 percent of the passwords, and used those accounts to download even more sensitive information.

The revelations raised eyebrows, in part because Acxiom Chairman Charles Morgan had offered public assurances about the company's security, including in testimony (PDF) to the Federal Trade Commission. Morgan said that his company takes "exceptional security measures to protect the information we maintain for our own information products...to ensure that information will not be made available to any unauthorized person."

No decision about an appeal
An attorney who is co-counsel on the lawsuit against Acxiom said on Wednesday that the plaintiffs have not yet decided whether to appeal. "We're going to consider what our potential avenues are over the coming week or so, and then make a decision," said Scott Poynter of the firm Emerson Poynter in Little Rock, Ark.

Emerson Poynter describes itself as a firm that has "specialized in class action litigation for over 15 years" and says all of those cases are handled on a contingency-fee basis. It has filed class-action lawsuits against companies including AOL Time Warner, Nortel Networks and Coca-Cola, typically alleging securities fraud. It has indicated it will target companies that are accused of stock option backdating as well.

"Our client tried to find out from Acxiom if her information was compromised, and they wouldn't tell her," Poynter said. "We think the consumers that have their private information stored by a company should have that right...But maybe the law needs to catch up with the Internet and the way people's privacy is being invaded today."

In the lawsuit that Emerson Poynter and a second law firm filed against Acxiom in April, they raised two vague arguments: That the data-broker was negligent, and that its actions "caused an unreasonable intrusion on the privacy" of people whose records were exposed. Those legal claims require someone to have suffered actual harm beyond a possibly increased risk of identity theft, Judge Wilson concluded. (The lawyers asked for "compensatory and punitive damages" and attorneys' fees of an unspecified amount.)

"This may lead attorneys looking to bring these sorts of claims to ensure their clients have suffered actual harm rather than speculative injury before filing suit," said Kramer, Acxiom's attorney.

But Chris Hoofnagle, a senior fellow at the University of California at Berkeley's law school who has been critical of Acxiom, thinks that the outcome might have been different if the attorneys had filed the suit in California. State law (AB1950) requires businesses that own or license personal information about Californians to "implement and maintain reasonable security procedures," Hoofnagle noted, though that law was not in place at the time of the Acxiom incident.

"I would hope that one could think of more causes of action other than identity theft and negligence," Hoofnagle said.

Levine's was not the first prosecution to stem from the security practices on Acxiom's FTP server. An Ohio man named Daniel Baas previously pleaded guilty to illegally entering Acxiom's FTP site. That investigation led federal police--including the FBI and Secret Service--to Levine, according to the Justice Department.