Plаintiffs Luciano Pisciotta and Daniel Mills brought this action on behalf of a putative class of customers and potential customers of Old National Bancorp (“ONB”). They alleged that, through its website, ONB had solicited personal information from applicants for banking services, but had failed to secure it adequately. As a result, a third-party computer “hacker” was able to obtain access to the confidential information of tens of thousands of ONB site users. The plaintiffs sought damages for the harm that they claim to have suffered because of the security breach; specifically, they requested compensation for past and future credit monitoring services that they have obtained in response to the compromise of their personal data through ONB’s website. ONB answered the allegations and then moved for judgment on the pleadings under Rule 12(c). The district court granted ONB’s motion and dismissed the case. The plaintiffs timely appeal. For the reasons set forth in this opinion, we affirm the judgment of the district court.
I
BACKGROUND
A. Facts
ONB operates a marketing website on which individuals seeking banking services can complete online applications for accоunts, loans and other ONB banking services. The applications differ depending on the service requested, but some forms require the customer or potential customer’s name, address, social security number, driver’s license number, date of birth, mother’s maiden name and credit card or other financial account numbers. In 2002 and 2004, respectively, Mr. Pisciotta and Mr. Mills accessed this website and entered personal information in connection *632 with their applications for ONB banking services.
In 2005, NCR, a hosting facility that maintains ONB’s website, notified ONB of a security breach. ONB then sent written notice to its customers. The results of the investigation that followed have been filed under seal in this court; for present purposes, it will suffice to note that the scope and manner of access suggests that the intrusion was sophisticated, intentional and malicious.
B. District Court Proceedings
Mr. Pisciotta and Mr. Mills, on behalf of a putative class of other ONB website users, brought this action in the United States District Court for the Southern District of Indiana. They named ONB and NCR as defendants and asserted negligence claims against both defendants as well as breach of implied contract claims by ONB and breach of contract by NCR. The plaintiffs alleged that:
[b]y failing to adequately protect [their] personal confidential information, [ONB and NCR] caused Plaintiffs and other similarly situated past and present customers to suffer substantial potential economic damages and emotional distress and worry that third parties will use [the plaintiffs’] confidential personal information to cause them economic harm, or sell their confidential information to others who will in turn cause them economic harm.
R.37 at 2.
In pleading their damages, the plaintiffs stated that they and others in the putative class “have incurred expenses in order to prevent their confidential personal information from being used and will continue to incur expenses in the future.” Id. at 4. Significantly, the plaintiffs did not allege any completed direct financial loss to their accounts as a result of the breach. Nor did they claim that they or any other member of the putative class already had been the victim of identity theft as a result of the breach. The plaintiffs requested “[c]ompensation for all economic and emotional damages suffered as a result of the Defendants’ acts which were negligent, in breach of implied contract or in breach of contract,” and “[a]ny and all other legal and/or equitable relief to which Plaintiffs ... are entitled, inсluding establishing an economic monitoring procedure to insure [sic] prompt notice to Plaintiffs ... of any attempt to use their confidential personal information stolen from the Defendants.” Id. at 5-6.
NCR moved to dismiss for failure to state a claim; its motion was granted. This ruling has not been appealed. ONB, the remaining defendant, answered the second amended complaint. The plaintiffs moved for class certification. ONB then filed a motion for judgment on the pleadings under Federal Rule of Civil Procedure 12(c) and a memorandum in opposition to class certification.
The district court granted ONB’s motion for judgment on the pleadings and denied the plaintiffs’ motion for class certification as moot. Specifically, the district court concluded that the plaintiffs’ claims failed as a matter of law because “they have not alleged that ONB’s conduct caused them cognizable injury.” R.78 at 3. In support of its conclusion, the court noted that, under Indiana law, damages must be more than speculative; therefore, the plaintiffs’ allegations that they had suffered “substantial potential economic damages” did not state a claim. Id. (emphasis in original).
The district court looked to five cases from other district courts across the Country that had rеjected claims for “the cost of credit monitoring as an alternative
*633
award for what would otherwise be speculative and unrecoverable damages.”
Id.
Finding their reasoning persuasive, the district court concluded that “[t]he expenditure of money to monitor one’s credit is not the result of any present injury, but rather the anticipation of future injury that has not yet materialized.”
Id.
at 4 (citing
Forbes v. Wells Fargo Bank, N.A.,
The plaintiffs then timely appealed the entry of judgment for ONB on the claims for negligence and breach of implied contract 1 and further asked that this court vacate the order denying class сertification as moot.
II
DISCUSSION
We review a district court’s decision on a 12(c) motion de novo.
Moss v. Martin,
A. Jurisdiction
The plaintiffs filed this action in the district court under the Class Action Fairness Act of 2005, Pub.L. 109-2, § 4, 119 Stat. 4, 9 (codified at 28 U.S.C. § 1332(d)) (“CAFA”), on behalf of a putative class that includes residents of Indiana, Illinois, Kentucky, Missouri, Ohio and Tennessee. Under CAFA, the district court had jurisdiction over this action because “the matter in controversy exceeds the sum or value of $5,000,000, exclusive of interest and costs,” 28 U.S.C. § 1332(d)(2), and because at least one member of the proposed class is a citizen of a State different from ONB.
Id.
§ 1332(d)(2)(A). In short, subject to limitations not relevant here, CAFA allows for incomplete diversity.
Id:, cf. Strawbridge v. Curtiss,
We have, of course, an independent responsibility to examine our subject matter jurisdiction.
See Steel Co. v. Citizens for a Better Env’t,
B. Availability of Credit Monitoring Damages Under Indiana Law
With the issue of jurisdiction resolved, we now turn to the merits of the plaintiffs’ claim for damages. This case, invoking CAFA’s special rules for diversity jurisdiction, alleges causes of action under Indiana law. Our duty, therefore, as in every diversity case, is to apply state substantive lаw, as we believe the highest court of the state would apply it.
State Farm Mut. Auto. Ins. Co. v. Pate,
*635
The principal claims in this case are based on a negligence theory. The elements of a negligence claim under Indiana law are: “(1) a duty owed to plaintiff by defendant, (2) breach of duty by allowing conduct to fall below the applicable standard of care, and (3) a
compensa-ble injwy
proximately caused by defendant’s breach of duty.”
Bader v. Johnson,
As this case comes to us, both the negligence and the contractual issues can be resolved, and the judgment of the district court affirmed,
if
the district court was correct in its determination that Indiana law would not permit recovery for credit monitoring costs incurred by the plaintiffs. We review de novo the district court’s determination of the content of state law.
Hinc v. Lime-O-Sol Co.,
When faced with a novel question of state law, federal courts sitting in diversity have a range of tools at their dispоsal. First, when the intermediate appellate courts of the state have spoken to the issue, we shall give great weight to their determination about the content of state law, absent some indication that the highest court of the state is likely to deviate from those rulings.
See Woidtke v. St. Clair County, Illinois,
In the end, however, the plaintiffs must come forward with
some
authority to support their view that they have a right to the relief they seek because, as we have stated, we have “limited discretion ... with respect to untested legal theories brought under the rubric of state law.” A.W.
Huss Co. v. Cont’l Cas. Co.,
1.
We begin our inquiry with the Indiana authority most closely addressed to the issue before us. On March 21, 2006, the Indiana legislature enacted a statute that applies to certain database security breaches. Specifically, the statute creates certain duties when a database in which personal data, electronically stored by private entities or state agencies, potentially has been accessed by unauthorized third parties. I.C. § 24-4.9 et seq. 6 The statute took effect on July 1, 2006, see Ind. Pub.L. 125-2006, § 6 (Mar. 21, 2006), after the particular incident involved in this case; neither party contends that the statute is directly applicable to the present dispute. 7 *637 We nevertheless find this enactment by the Indiana legislature instructive in our evaluation of the probable approach of the Supreme Court of Indiana to the allegations in the present case.
The provisions of the statute applicable to private entities storing personal information require only that a database owner disclose a security breach to potentially affected consumers; they do not require the database owner to take any other affirmative act in the wake of a breach. If the database owner fails to comply with the only affirmative duty imposed by the statute — the duty to disclose — the statute provides for enforcement only by the Attorney General of Indiana. It creates no private right оf action against the database owner by an affected customer. It imposes no duty to compensate affected individuals for inconvenience or potential harm to credit that may follow. 8
The plaintiffs maintain that the statute is evidence that the Indiana legislature believes that an individual has suffered a compensable injury at the moment his personal information is exposed because of a security breach. We cannot accept this view. Had the Indiana legislature intended that a cause of action should be available against a dаtabase owner for failing to protect adequately personal information, we believe that it would have made some more definite statement of that intent. Moreover, given the novelty of the legal questions posed by information exposure and theft, it is unlikely that the legislature intended to sanction the development of common law tort remedies that would apply to the same factual circumstances addressed by the statute. The narrowness of the defined duties imposed, combined with state-enforced penalties as the exclusive remedy, strongly suggest that Indiana law would not recognize the costs of credit monitoring that the plaintiffs seek to recover in this case as com-pensable damages.
2.
The plaintiffs further submit that cases decided by the Indiana courts in analogous areas of the law instruct that they suffered an immediate injury when their information was accessed by unauthorized third parties. Specifically, the plaintiffs claim that Indiana law acknowledges special duties on the part of banks to prevent the disclosure of the personal information of their customers; they further claim that Indiana courts have recognized explicitly
*638
the significant harm that may result from a failure to prevent such a loss.
See Indiana Nat’l Bank v. Chapman,
Whatever these cases say about the relationship of banks and customers in Indiana, they are of marginal assistance to us in determining whether the present plaintiffs are entitled to the remedy they seek as a matter of Indiana law. The reputational injuries suffered by the plaintiffs in American Fletcher and Indiana National Bank were direct and immediate; the plaintiffs sought to be compensated for that harm, rather than to be reimbursed for their efforts to guard against some future, anticipated harm. We therefore do not believe that the factual circumstances of the cases relied on by the plaintiffs are sufficiently analogous to the circumstances that we confront in the present case to instruct us on the probable course that the Supreme Court of Indiаna would take if faced with the present question. 9
Although not raised by the parties, we separately note that in the somewhat analogous context of toxic tort liability,
10
the
*639
Supreme Court of Indiana has suggested that compensable damage requires more than ,an exposure to a future potential harm. Specifically, in
AlliedSignal, Inc. v. Ott,
Although some courts have allowed medical monitoring damages to be recovered or have created a special cause of action for medical monitoring under similar circumstances,
see Badillo v. American Brands, Inc.,
3.
Finally, without Indiana guidance directly on point, we next examine the reasoning of other courts applying the law of other jurisdictions to the question posed by this case.
Allstate Ins. Co.,
Although some of these cases involve different types of information losses, all of the cases rely on the same basic premise: Without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy. Plaintiffs have not come forward with a single case or statute,
*640
from any jurisdiction, authorizing the kind of action they now ask this federal court, sitting in diversity, to recognize as a valid theory of recovery under Indiana law. We decline to adopt a “substantive innovation” in state law,
Combs v. Int’l Ins. Co.,
In sum, all of the interpretive tools of which we routinely make use in our attempt to determine the content of state law point us to the conclusion that the Supreme Court of Indiana would not allow the plaintiffs’ claim to proceed.
Conclusion
Because we conclude that the damages that the plaintiffs seek are not compensa-ble as a matter of Indiana law, we affirm the judgment of the district court.
Affirmed
Notes
. The plaintiffs have waived review of the district court’s order on their claims for negligent infliction of emotional distress. See Appellants’ Br. at 9 n. 4.
.
See Randolph v. ING Life Ins. & Annuity Co..
. See,
e.g., Denney v. Deutsche Bank AG,
.See Lac Du Flambeau Band of Lake Superior Chippewa Indians v. Norton,
. We have applied this restrictive approach to a plaintiff's novel theory of liability under state law even where thе plaintiff had no choice but to litigate his claim in federal court.
Insolia v. Philip Morris Inc.,
. For present purposes, it will suffice to note the relevant substantive provisions added to the Indiana Code by § 6 of Public Law 125-2006 (Mar. 21, 2006), codified at I.C. § 24-4.9 et seq.:
(a) Except as provided in section 4(c), 4(d), and 4(e) of this chapter, after discovering or being notified of a breach of the security of a system, the data base owner shall disclose the breach to an Indiana resident whose:
(1) unencrypted personal information was or may have been acquired by an unauthorized person; or
(2) encrypted personal information was or may have been acquired by an unauthorized person with access to the encryption key;
if the data base owner knows, should know, or should have known that the unauthorized acquisition constituting the breach has resulted in or could result in identity deception (as defined in IC 35-43-5-3.5), identity theft, or fraud affecting the Indiana resident.
(b) A data base owner required to make a disclosure under subsection (а) to more than one thousand (1,000) consumers shall also disclose to each consumer reporting agency (as defined in 15 U.S.C. 1681a(p)) information necessary to assist the consumer reporting agency in preventing fraud, including personal information of an Indiana resident affected by the breach of the security of a system.
I.C. § 24-4.9-3-1 (eff. July 1, 2006).
."As a general rule, the law in place at the time an action is commenced governs. Unless a contrary intention is expressed, statutes are treated as intended to operate prospectively, and not retrospectively.”
Indiana Dep’t of Envtl. Mgmt. v. Med. Disposal Servs.,
*637
Inc.,
. The Act provides as the exclusive remedy an action by the Attorney General against the database owner:
A person that is required to make a disclosure or notification in accordance with IC 24-4.9-3 and that fails to comply with any provision of this article commits a deceptive act that is actionable only by the attorney general under this chapter.
I.C. § 24-4.9-4-1 (a) (emphasis added).
In such an action, the statute provides that the Attorney General may obtain an injunction against future violations, a civil penalty of not more than $150,000 per deceptive act and the Attorney General’s reasonable costs in investigating the act and maintaining the action. Id. § 24-4.9-4-2; see also Joanna L. Grama & Scott L. Ksander, Recent Indiana legislation hopes to stem release of personally identifying information, Res Gestae, Nov. 2006, 35 at 39 ("[B]oth new Ind.Code § 24-4.9 (private entities) and Ind.Code § 4-1-11 (state agencies) offer no remedy to those persons whose information was obtained by an unauthorized person as a result of a security breach, other than that those persons be informed of the breach.” (emphasis added)); id. at 42 n. 65 ("Of course, in a subsequent criminal action against the unauthorized person who acquired the personal infоrmation, a trial court could order restitution for victims. See Ind.Code § 35-50-2-2.3(a)(5).” (emphasis added)).
. The plaintiffs also contend that Article I, Section 12 of the Indiana Constitution requires courts to fashion common law remedies in all circumstances, for any harm alleged. That section provides, in pertinent part, that "every person, for injury done to him in his person, property, or reputation, shall have remedy by due course of law.” Indiana Const. Art. I, § 12. We are aware of no precedent from Indiana in which this provision was held to
mandate
a damages remedy in a suit by one citizen against another whenever the plaintiff claims that he has been "injured.” Indeed, as the Supreme Court of Indiana recently has observed, "Article I, Section 12 does not specify any particular remedy for any particular wrong. Rather, it leaves the
definition of wrongs
and the specification of remedies to the legislature and the common law.”
Cantrell v. Morris,
.
See generally
Vincent R. Johnson,
Cyberse-curity, Identity Theft, and the Limits of Tort Liability,
57 S.C. L.Rev. 255, 305-11 (2005) (noting the propriety of the analogy between toxic torts and cybersecurity breaches). We need not endorse this analogy for present purposes. We merely note that, to the extent the analogy is apt, it does not support the view that Indiana tort law recognizes costs of monitoring as a compensable damage. Even in jurisdictions where medical monitoring has been acknowledged as a compensable damage, courts still have expressed doubt that credit monitoring also should be compensa-ble.
See Kahle v. Litton Loan Servicing, LP,
.
See also Hendricks v. DSW Shoe Warehouse, Inc.,
. See note 2, supra.