499 F.3d 629 | 7th Cir. | 2007
Luciano PISCIOTTA and Daniel Mills, on behalf of themselves and others similarly situated, Plaintiffs-Appellants,
v.
OLD NATIONAL BANCORP, Defendant-Appellee.
United States Court of Appeals, Seventh Circuit.
*630 *631 William N. Riley (argued), Price Waicukauski Riley & Debrota, Indianapolis, IN, for Plaintiffs-Appellants.
Mark J.R. Merkle (argued), Greg A. Small, Krieg Devault, Indianapolis, IN, for Defendant-Appellee.
Before RIPPLE, WOOD and EVANS, Circuit Judges.
RIPPLE, Circuit Judge.
Plaintiffs Luciano Pisciotta and Daniel Mills brought this action on behalf of a putative class of customers and potential customers of Old National Bancorp ("ONB"). They alleged that, through its website, ONB had solicited personal information from applicants for banking services, but had failed to secure it adequately. As a result, a third-party computer "hacker" was able to obtain access to the confidential information of tens of thousands of ONB site users. The plaintiffs sought damages for the harm that they claim to have suffered because of the security breach; specifically, they requested compensation for past and future credit monitoring services that they have obtained in response to the compromise of their personal data through ONB's website. ONB answered the allegations and then moved for judgment on the pleadings under Rule 12(c). The district court granted ONB's motion and dismissed the case. The plaintiffs timely appeal. For the reasons set forth in this opinion, we affirm the judgment of the district court.
I
BACKGROUND
A. Facts
ONB operates a marketing website on which individuals seeking banking services can complete online applications for accounts, loans and other ONB banking services. The applications differ depending on the service requested, but some forms require the customer or potential customer's name, address, social security number, driver's license number, date of birth, mother's maiden name and credit card or other financial account numbers. In 2002 and 2004, respectively, Mr. Pisciotta and Mr. Mills accessed this website and entered personal information in connection *632 with their applications for ONB banking services.
In 2005, NCR, a hosting facility that maintains ONB's website, notified ONB of a security breach. ONB then sent written notice to its customers. The results of the investigation that followed have been filed under seal in this court; for present purposes, it will suffice to note that the scope and manner of access suggests that the intrusion was sophisticated, intentional and malicious.
B. District Court Proceedings
Mr. Pisciotta and Mr. Mills, on behalf of a putative class of other ONB website users, brought this action in the United States District Court for the Southern District of Indiana. They named ONB and NCR as defendants and asserted negligence claims against both defendants as well as breach of implied contract claims by ONB and breach of contract by NCR. The plaintiffs alleged that:
[b]y failing to adequately protect [their] personal confidential information, [ONB and NCR] caused Plaintiffs and other similarly situated past and present customers to suffer substantial potential economic damages and emotional distress and worry that third parties will use [the plaintiffs'] confidential personal information to cause them economic harm, or sell their confidential information to others who will in turn cause them economic harm.
R.37 at 2.
In pleading their damages, the plaintiffs stated that they and others in the putative class "have incurred expenses in order to prevent their confidential personal information from being used and will continue to incur expenses in the future." Id. at 4. Significantly, the plaintiffs did not allege any completed direct financial loss to their accounts as a result of the breach. Nor did they claim that they or any other member of the putative class already had been the victim of identity theft as a result of the breach. The plaintiffs requested "[c]ompensation for all economic and emotional damages suffered as a result of the Defendants' acts which were negligent, in breach of implied contract or in breach of contract," and "[a]ny and all other legal and/or equitable relief to which Plaintiffs . . . are entitled, including establishing an economic monitoring procedure to insure [sic] prompt notice to Plaintiffs . . . of any attempt to use their confidential personal information stolen from the Defendants." Id. at 5-6.
NCR moved to dismiss for failure to state a claim; its motion was granted. This ruling has not been appealed. ONB, the remaining defendant, answered the second amended complaint. The plaintiffs moved for class certification. ONB then filed a motion for judgment on the pleadings under Federal Rule of Civil Procedure 12(c) and a memorandum in opposition to class certification.
The district court granted ONB's motion for judgment on the pleadings and denied the plaintiffs' motion for class certification as moot. Specifically, the district court concluded that the plaintiffs' claims failed as a matter of law because "they have not alleged that ONB's conduct caused them cognizable injury." R.78 at 3. In support of its conclusion, the court noted that, under Indiana law, damages must be more than speculative; therefore, the plaintiffs' allegations that they had suffered "substantial potential economic damages" did not state a claim. Id. (emphasis in original).
The district court looked to five cases from other district courts across the Country that had rejected claims for "the cost of credit monitoring as an alternative *633 award for what would otherwise be speculative and unrecoverable damages." Id. Finding their reasoning persuasive, the district court concluded that "[t]he expenditure of money to monitor one's credit is not the result of any present injury, but rather the anticipation of future injury that has not yet materialized." Id. at 4 (citing Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018, 1021 (D.Minn.2006)). The court also concluded that, although not enumerated as a separate cause of action in the complaint, the plaintiffs had made allegations that could relate to a claim for negligent infliction of emotional distress; the court dismissed this claim as well. It noted that, as a matter of Indiana law, any such action was dependent on an underlying negligence claim. Id. at 5. Finally, the court concluded that there could be no action for breach of contract under Indiana law in the absence of an allegation of cognizable damages.
The plaintiffs then timely appealed the entry of judgment for ONB on the claims for negligence and breach of implied contract[1] and further asked that this court vacate the order denying class certification as moot.
II
DISCUSSION
We review a district court's decision on a 12(c) motion de novo. Moss v. Martin, 473 F.3d 694, 698 (7th Cir.2007). We take the facts alleged in the complaint as true, drawing all reasonable inferences in favor of the plaintiff. Thomas v. Guardsmark, Inc., 381 F.3d 701, 704 (7th Cir.2004). We review the judgment for the defendants by employing the same standard that we apply when reviewing a motion to dismiss under Rule 12(b)(6). Guise v. BWM Mortgage, LLC, 377 F.3d 795, 798 (7th Cir.2004). The complaint must contain only "a short and plain statement of the claim showing that the pleader is entitled to relief." Fed.R.Civ.P. 8(a)(2); see also Conley v. Gibson, 355 U.S. 41, 47, 78 S. Ct. 99, 2 L. Ed. 2d 80 (1957). There is no need for detailed factual allegations. Conley, 355 U.S. at 47, 78 S. Ct. 99. However, the statement must "give the defendant fair notice of what the . . . claim is and the grounds upon which it rests." Id. "Factual allegations must be enough to raise a right to relief above the speculative level." Bell Atl. Corp. v. Twombly, ___ U.S. ___, 127 S. Ct. 1955, 1965, 167 L. Ed. 2d 929 (2007); see also Jennings v. Auto Meter Prods., Inc., 495 F.3d 466, 472 (7th Cir.2007).
A. Jurisdiction
The plaintiffs filed this action in the district court under the Class Action Fairness Act of 2005, Pub.L. 109-2, § 4, 119 Stat. 4, 9 (codified at 28 U.S.C. § 1332(d)) ("CAFA"), on behalf of a putative class that includes residents of Indiana, Illinois, Kentucky, Missouri, Ohio and Tennessee. Under CAFA, the district court had jurisdiction over this action because "the matter in controversy exceeds the sum or value of $5,000,000, exclusive of interest and costs," 28 U.S.C. § 1332(d)(2), and because at least one member of the proposed class is a citizen of a State different from ONB. Id. § 1332(d)(2)(A). In short, subject to limitations not relevant here, CAFA allows for incomplete diversity. Id.; cf. Strawbridge v. Curtiss, 3 Cranch 267, 7 U.S. 267, 2 L. Ed. 435 (1806) (interpreting the language of the general federal diversity statute to require complete diversity). In calculating the requisite amount in controversy, CAFA requires that the claims of *634 all the plaintiffs be aggregated. 28 U.S.C. § 1332(d)(6); cf. In re Brand Name Prescription Drugs Antitrust Litig., 123 F.3d 599, 607 (7th Cir.1997) (noting the otherwise applicable rule that aggregation is not permitted and, therefore, at least one plaintiff in a particular class must satisfy the jurisdictional minimum).
We have, of course, an independent responsibility to examine our subject matter jurisdiction. See Steel Co. v. Citizens for a Better Env't, 523 U.S. 83, 95, 118 S. Ct. 1003, 140 L. Ed. 2d 210 (1998). As we have noted, in reaching the conclusion that dismissal was appropriate, the district court in this case relied on several cases from other district courts throughout the Country. Many of those cases have concluded that the federal courts lack jurisdiction because plaintiffs whose data has been compromised, but not yet misused, have not suffered an injury-in-fact sufficient to confer Article III standing.[2] We are not persuaded by the reasoning of these cases. As many of our sister circuits have noted, the injury-in-fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent the defendant's actions.[3] We concur in this view.[4] Once the plaintiffs' allegations establish at least this level of injury, the fact that the plaintiffs anticipate that some greater potential harm might follow the defendant's act does not affect the standing inquiry.
B. Availability of Credit Monitoring Damages Under Indiana Law
With the issue of jurisdiction resolved, we now turn to the merits of the plaintiffs' claim for damages. This case, invoking CAFA's special rules for diversity jurisdiction, alleges causes of action under Indiana law. Our duty, therefore, as in every diversity case, is to apply state substantive law, as we believe the highest court of the state would apply it. State Farm Mut. Auto. Ins. Co. v. Pate, 275 F.3d 666, 669 (7th Cir.2001).
*635 The principal claims in this case are based on a negligence theory. The elements of a negligence claim under Indiana law are: "(1) a duty owed to plaintiff by defendant, (2) breach of duty by allowing conduct to fall below the applicable standard of care, and (3) a compensable injury proximately caused by defendant's breach of duty." Bader v. Johnson, 732 N.E.2d 1212, 1216-17 (Ind.2000) (emphasis added). The plaintiffs' complaint also alleges that ONB has breached an implied contract. Compensable damages are an element of a breach of contract cause of action as well. See McCalment v. Eli Lilly & Co., 860 N.E.2d 884, 894 (Ind. Ct.App.2007).
As this case comes to us, both the negligence and the contractual issues can be resolved, and the judgment of the district court affirmed, if the district court was correct in its determination that Indiana law would not permit recovery for credit monitoring costs incurred by the plaintiffs. We review de novo the district court's determination of the content of state law. Hinc v. Lime-O-Sol Co., 382 F.3d 716, 720 (7th Cir.2004); see also Salve Regina Coll. v. Russell, 499 U.S. 225, 231-32, 111 S. Ct. 1217, 113 L. Ed. 2d 190 (1991) (rejecting a rule of deference to district court determinations of state law). We must determine whether Indiana would consider that the harm caused by identity information exposure, coupled with the attendant costs to guard against identity theft, constitutes an existing compensable injury and consequent damages required to state a claim for negligence or for breach of contract. Neither the parties' efforts nor our own have identified any Indiana precedent addressing this issue. Nor have we located the decision of any court (other than the district court in this case) that examines Indiana law in this context. We are charged with predicting, nevertheless, how we think the Supreme Court of Indiana would decide this issue. See Dumas v. Infinity Broad. Corp., 416 F.3d 671, 680 n. 11 (7th Cir.2005).
When faced with a novel question of state law, federal courts sitting in diversity have a range of tools at their disposal. First, when the intermediate appellate courts of the state have spoken to the issue, we shall give great weight to their determination about the content of state law, absent some indication that the highest court of the state is likely to deviate from those rulings. See Woidtke v. St. Clair County, Illinois, 335 F.3d 558, 562 (7th Cir.2003). We also shall consult a variety of other sources, including other "relevant state precedents, analogous decisions, considered dicta, scholarly works, and any other reliable data tending convincingly to show how the highest court in the state would decide the issue at hand." McKenna v. Ortho Pharm. Corp., 622 F.2d 657, 663 (3d Cir.1980); see generally Dolores K. Sloviter, A Federal Judge Looks at Diversity Jurisdiction, 78 Va. L.Rev. 1671 (1992) (discussing the challenges facing federal courts in applying uncharted areas of state law). In the absence of any authority from the relevant state courts, we also shall examine the reasoning of courts in other jurisdictions addressing the same issue and applying their own law for whatever guidance about the probable direction of state law they may provide. See Allstate Ins. Co. v. Tozer, 392 F.3d 950, 952 (7th Cir.2004).
In the end, however, the plaintiffs must come forward with some authority to support their view that they have a right to the relief they seek because, as we have stated, we have "limited discretion . . . with respect to untested legal theories brought under the rubric of state law." A.W. Huss Co. v. Cont'l Cas. Co., 735 F.2d 246, 253 (7th Cir.1984). Without state authority *636 to guide us, "[w]hen given a choice between an interpretation of [state] law which reasonably restricts liability, and one which greatly expands liability, we should choose the narrower and more reasonable path (at least until the [state] Supreme Court tells us differently).". Todd v. Societe Bic, S.A., 21 F.3d 1402, 1412 (7th Cir.1994) (en banc); see also Insolia v. Philip Morris Inc., 216 F.3d 596, 607 (7th Cir.2000) ("Federal courts are loathe to fiddle around with state law. Though district courts may try to determine how the state courts would rule on an unclear area of state law, district courts are encouraged to dismiss actions based on novel state law claims."); Home Valu, Inc. v. Pep Boys, 213 F.3d 960, 965 (7th Cir.2000) (adopting an interpretation of state law which, between two possible options, "take[s] the approach that is restrictive of liability").[5] With these principles in mind, we turn to our consideration of whether Indiana would recognize a cause of action for a data exposure injury. Specifically, we shall examine whether Indiana would compensate victims who undertake credit monitoring to guard against identity theft that might follow.
1.
We begin our inquiry with the Indiana authority most closely addressed to the issue before us. On March 21, 2006, the Indiana legislature enacted a statute that applies to certain database security breaches. Specifically, the statute creates certain duties when a database in which personal data, electronically stored by private entities or state agencies, potentially has been accessed by unauthorized third parties. I.C. § 24-4.9 et seq.[6] The statute took effect on July 1, 2006, see Ind. Pub.L. 125-2006, § 6 (Mar. 21, 2006), after the particular incident involved in this case; neither party contends that the statute is directly applicable to the present dispute.[7]*637 We nevertheless find this enactment by the Indiana legislature instructive in our evaluation of the probable approach of the Supreme Court of Indiana to the allegations in the present case.
The provisions of the statute applicable to private entities storing personal information require only that a database owner disclose a security breach to potentially affected consumers; they do not require the database owner to take any other affirmative act in the wake of a breach. If the database owner fails to comply with the only affirmative duty imposed by the statutethe duty to disclosethe statute provides for enforcement only by the Attorney General of Indiana. It creates no private right of action against the database owner by an affected customer. It imposes no duty to compensate affected individuals for inconvenience or potential harm to credit that may follow.[8]
The plaintiffs maintain that the statute is evidence that the Indiana legislature believes that an individual has suffered a compensable injury at the moment his personal information is exposed because of a security breach. We cannot accept this view. Had the Indiana legislature intended that a cause of action should be available against a database owner for failing to protect adequately personal information, we believe that it would have made some more definite statement of that intent. Moreover, given the novelty of the legal questions posed by information exposure and theft, it is unlikely that the legislature intended to sanction the development of common law tort remedies that would apply to the same factual circumstances addressed by the statute. The narrowness of the defined duties imposed, combined with state-enforced penalties as the exclusive remedy, strongly suggest that Indiana law would not recognize the costs of credit monitoring that the plaintiffs seek to recover in this case as compensable damages.
2.
The plaintiffs further submit that cases decided by the Indiana courts in analogous areas of the law instruct that they suffered an immediate injury when their information was accessed by unauthorized third parties. Specifically, the plaintiffs claim that Indiana law acknowledges special duties on the part of banks to prevent the disclosure of the personal information of their customers; they further claim that Indiana courts have recognized explicitly *638 the significant harm that may result from a failure to prevent such a loss. See Indiana Nat'l Bank v. Chapman, 482 N.E.2d 474 (Ind.Ct.App.1985); American Fletcher Nat'l Bank & Trust Co. v. Flick, 146 Ind.App. 122, 252 N.E.2d 839 (1969). In Indiana National Bank v. Chapman, 482 N.E.2d 474 (Ind.Ct.App.1985), the Court of Appeals of Indiana considered a claim that, in the course of an investigation into possible financial motives for an arson, the bank, intentionally and without authorization, had disclosed to law enforcement that an account of one of its customers had been marked for repossession. The court held that the bank had contracted impliedly with its customers not to reveal financial information to law enforcement, absent a public duty. Id. at 482. In American Fletcher National Bank & Trust Co. v. Flick, 146 Ind.App. 122, 252 N.E.2d 839 (1969), the Court of Appeals considered liability based on a bank's erroneous dishonor of a customer's check when a third-party attempted to cash it. The appellate court concluded that the plaintiff, whose creditors had been told that the plaintiff's business account had insufficient funds to cover the checks the plaintiff had written, had suffered a presumptive present harm to his business reputation and credit. Id. at 846.
Whatever these cases say about the relationship of banks and customers in Indiana, they are of marginal assistance to us in determining whether the present plaintiffs are entitled to the remedy they seek as a matter of Indiana law. The reputational injuries suffered by the plaintiffs in American Fletcher and Indiana National Bank were direct and immediate; the plaintiffs sought to be compensated for that harm, rather than to be reimbursed for their efforts to guard against some future, anticipated harm. We therefore do not believe that the factual circumstances of the cases relied on by the plaintiffs are sufficiently analogous to the circumstances that we confront in the present case to instruct us on the probable course that the Supreme Court of Indiana would take if faced with the present question.[9]
Although not raised by the parties, we separately note that in the somewhat analogous context of toxic tort liability,[10] the *639 Supreme Court of Indiana has suggested that compensable damage requires more than an exposure to a future potential harm. Specifically, in AlliedSignal, Inc. v. Ott, 785 N.E.2d 1068 (Ind.2003), the Supreme Court of Indiana held that no cause of action accrues, despite incremental physical changes following asbestos exposure, until a plaintiff reasonably could have been diagnosed with an actual exposure-related illness or disease. Id. at 1075. In its decision that no compensable injury occurs at the time of exposure, the court relied on precedent from both state and federal courts in general agreement with the principle that exposure alone does not give rise to a legally cognizable injury. Id. at 1075 n. 8.
Although some courts have allowed medical monitoring damages to be recovered or have created a special cause of action for medical monitoring under similar circumstances, see Badillo v. American Brands, Inc., 117 Nev. 34, 16 P.3d 435, 438-39 & nn. 1-2 (2001) (citing cases interpreting the law of seventeen states to allow medical monitoring in some form), no authority from Indiana is among them. Indeed, its recent holding in AlliedSignal indicates a contrary approach. To the extent the decision of the Supreme Court of Indiana in that matter provides us with guidance on the likely approach that court would adopt with respect to the information exposure injury in this case, we think it supports the view that no cause of action for credit monitoring is available.[11]
3.
Finally, without Indiana guidance directly on point, we next examine the reasoning of other courts applying the law of other jurisdictions to the question posed by this case. Allstate Ins. Co., 392 F.3d at 952. In this respect, several district courts, applying the laws of other jurisdictions, have rejected similar claims on their merits. In addition to those cases in which the district court held that the plaintiff lacked standing,[12] a series of cases has rejected information security claims on their merits. Most have concluded that the plaintiffs have not been injured in a manner the governing substantive law will recognize. See, e.g., Kahle v. Litton Loan Servicing, LP, 486 F. Supp. 2d 705, 712-13 (S.D.Ohio 2007) (entering summary judgment for the defendant because the plaintiff had failed to demonstrate an injury); Guin v. Brazos Higher Educ. Serv. Corp., Inc., 2006 WL 288483 (D.Minn. Feb.7, 2006) (unpublished) (same); Stollenwerk v. Tri-West Healthcare Alliance, 2005 WL 2465906, at *5 (D.Ariz. Sept.6, 2005) (unpublished) (granting summary judgment for defendants because the plaintiffs had failed to provide evidence of injury); see also Hendricks v. DSW Shoe Warehouse, 444 F. Supp. 2d 775, 783 (W.D.Mich.2006) (dismissing an action where "[t]here is no existing Michigan statutory or case law authority to support plaintiff's position that the purchase of credit monitoring constitutes either actual damages or a cognizable loss").
Although some of these cases involve different types of information losses, all of the cases rely on the same basic premise: Without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy. Plaintiffs have not come forward with a single case or statute, *640 from any jurisdiction, authorizing the kind of action they now ask this federal court, sitting in diversity, to recognize as a valid theory of recovery under Indiana law. We decline to adopt a "substantive innovation" in state law, Combs v. Int'l Ins. Co., 354 F.3d 568, 578 (6th Cir.2004), or "to invent what would be a truly novel tort claim" on behalf of the state, Insolia, 216 F.3d at 607, absent some authority to suggest that the approval of the Supreme Court of Indiana is forthcoming. See Todd, 21 F.3d at 1412 (noting that federal courts should be wary of broadening untested theories of liability under state law); see also Insolia, 216 F.3d at 607 (noting that we would neither recognize independently nor certify a question to the state regarding "every creative but unlikely state cause of action that litigants devise from a blank slate"); Birchler v. Gehl Co., 88 F.3d 518, 521 (7th Cir.1996) (favoring narrow interpretation of undecided issues of liability under state law); Ry. Express Agency, Inc. v. Super Scale Models, Ltd., 934 F.2d 135, 138 (7th Cir.1991) (noting that "recent opinions of this court have strongly encouraged district courts to dismiss actions based on novel state law claims").
In sum, all of the interpretive tools of which we routinely make use in our attempt to determine the content of state law point us to the conclusion that the Supreme Court of Indiana would not allow the plaintiffs' claim to proceed.
Conclusion
Because we conclude that the damages that the plaintiffs seek are not compensable as a matter of Indiana law, we affirm the judgment of the district court.
AFFIRMED
NOTES
[1] The plaintiffs have waived review of the district court's order on their claims for negligent infliction of emotional distress. See Appellants' Br. at 9 n. 4.
[2] See Randolph v. ING Life Ins. & Annuity Co., 486 F. Supp. 2d 1, 10 (D.D.C.2007); Bell v. Acxiom Corp., 2006 WL 2850042, at *2 (E.D.Ark. Oct.3, 2006) (unpublished); Key v. DSW, Inc., 454 F. Supp. 2d 684, 690 (S.D.Ohio 2006); Giordano v. Wachovia Sec., LLC., 2006 WL 2177036, at *5 (D.N.J. July 31, 2006) (unpublished).
[3] See, e.g., Denney v. Deutsche Bank AG, 443 F.3d 253, 264-65 (2d Cir.2006) (stating, in dicta, that exposure to toxic substances creates a cognizable injury for standing purposes, "even though exposure alone may not provide sufficient ground for a claim under state tort law"); Sutton v. St. Jude Med. S.C., Inc., 419 F.3d 568, 574-75 (6th Cir.2005) (holding that standing was present where a defective medical implement presented an increased risk of future health problems); Cent. Delta Water Agency v. United States, 306 F.3d 938, 947-48 (9th Cir.2002) (holding that "the possibility of future injury may be sufficient to confer standing on plaintiffs" and concluding that the suit could proceed when the plaintiffs demonstrated a factual issue about "whether they suffer a substantial risk of harm"); Friends of the Earth, Inc. v. Gaston Copper Recycling Corp., 204 F.3d 149, 160 (4th Cir. 2000) (en banc) ("Threats or increased risk thus constitutes cognizable harm.").
[4] See Lac Du Flambeau Band of Lake Superior Chippewa Indians v. Norton, 422 F.3d 490, 498 (7th Cir.2005) ("[T]he present impact of a future though uncertain harm may establish injury in fact for standing purposes."); Johnson v. Allsteel, Inc., 259 F.3d 885, 888 (7th Cir.2001) (holding that an ERISA plan administrator's increased discretion increased risk that the participant would be denied benefits and that "[t]he increased risk the participant faces as a result is an injury-in-fact" for standing purposes); Vill. of Elk Grove Vill. v. Evans, 997 F.2d 328, 329 (7th Cir.1993) ("[E]ven a small probability of injury is sufficient to create a case or controversy to take a suit out of the category of the hypothetical provided of course that the relief sought would, if granted, reduce the probability.").
[5] We have applied this restrictive approach to a plaintiff's novel theory of liability under state law even where the plaintiff had no choice but to litigate his claim in federal court. Insolia v. Philip Morris Inc., 216 F.3d 596, 607 (7th Cir.2000) (noting that even where "state law . . . is stunted by the ability of [defendants] to remove cases under diversity jurisdiction. . . . that does not justify the federal courts imposing a new tort claim" on a state).
[6] For present purposes, it will suffice to note the relevant substantive provisions added to the Indiana Code by § 6 of Public Law 125-2006 (Mar. 21, 2006), codified at I.C. § 24-4.9 et seq.:
(a) Except as provided in section 4(c), 4(d), and 4(e) of this chapter, after discovering or being notified of a breach of the security of a system, the data base owner shall disclose the breach to an Indiana resident whose:
(1) unencrypted personal information was or may have been acquired by an unauthorized person; or
(2) encrypted personal information was or may have been acquired by an unauthorized person with access to the encryption key;
if the data base owner knows, should know, or should have known that the unauthorized acquisition constituting the breach has resulted in or could result in identity deception (as defined in IC XX-XX-X-X.5), identity theft, or fraud affecting the Indiana resident.
(b) A data base owner required to make a disclosure under subsection (a) to more than one thousand (1,000) consumers shall also disclose to each consumer reporting agency (as defined in 15 U.S.C. 1681a(p)) information necessary to assist the consumer reporting agency in preventing fraud, including personal information of an Indiana resident affected by the breach of the security of a system.
I.C. § 24-4.9-3-1 (eff. July 1, 2006).
[7] "As a general rule, the law in place at the time an action is commenced governs. Unless a contrary intention is expressed, statutes are treated as intended to operate prospectively, and not retrospectively." Indiana Dep't of Envtl. Mgmt. v. Med. Disposal Servs., Inc., 729 N.E.2d 577, 581 (Ind.2000) (internal quotation marks and citation omitted).
[8] The Act provides as the exclusive remedy an action by the Attorney General against the database owner:
A person that is required to make a disclosure or notification in accordance with IC 24-4.9-3 and that fails to comply with any provision of this article commits a deceptive act that is actionable only by the attorney general under this chapter.
I.C. § 24-4.9-4-1(a) (emphasis added).
In such an action, the statute provides that the Attorney General may obtain an injunction against future violations, a civil penalty of not more than $150,000 per deceptive act and the Attorney General's reasonable costs in investigating the act and maintaining the action. Id. § 24-4.9-4-2; see also Joanna L. Grama & Scott L. Ksander, Recent Indiana legislation hopes to stem release of personally identifying information, Res Gestae, Nov. 2006, 35 at 39 ("[B]oth new Ind.Code § 24-4.9 (private entities) and Ind.Code § 4-1-11 (state agencies) offer no remedy to those persons whose information was obtained by an unauthorized person as a result of a security breach, other than that those persons be informed of the breach." (emphasis added)); id. at 42 n. 65 ("Of course, in a subsequent criminal action against the unauthorized person who acquired the personal information, a trial court could order restitution for victims. See Ind.Code § 35-50-2-2.3(a)(5)." (emphasis added)).
[9] The plaintiffs also contend that Article I, Section 12 of the Indiana Constitution requires courts to fashion common law remedies in all circumstances, for any harm alleged. That section provides, in pertinent part, that "every person, for injury done to him in his person, property, or reputation, shall have remedy by due course of law." Indiana Const. Art. I, § 12. We are aware of no precedent from Indiana in which this provision was held to mandate a damages remedy in a suit by one citizen against another whenever the plaintiff claims that he has been "injured." Indeed, as the Supreme Court of Indiana recently has observed, "Article I, Section 12 does not specify any particular remedy for any particular wrong. Rather, it leaves the definition of wrongs and the specification of remedies to the legislature and the common law." Cantrell v. Morris, 849 N.E.2d 488, 499 (Ind.2006) (emphasis added). As we read this provision in light of Indiana precedent, it does not appear to command that the plaintiffs in this case have a present, viable right of action.
[10] See generally Vincent R. Johnson, Cybersecurity, Identity Theft, and the Limits of Tort Liability, 57 S.C. L.Rev. 255, 305-11 (2005) (noting the propriety of the analogy between toxic torts and cybersecurity breaches). We need not endorse this analogy for present purposes. We merely note that, to the extent the analogy is apt, it does not support the view that Indiana tort law recognizes costs of monitoring as a compensable damage. Even in jurisdictions where medical monitoring has been acknowledged as a compensable damage, courts still have expressed doubt that credit monitoring also should be compensable. See Kahle v. Litton Loan Servicing, LP, 486 F. Supp. 2d 705, 712 (S.D.Ohio 2007); Key, 454 F.Supp.2d at 691.
[11] See also Hendricks v. DSW Shoe Warehouse, Inc., 444 F. Supp. 2d 775, 783 (W.D.Mich.2006) (dismissing a case where no Michigan authority supported an action for credit monitoring and where Michigan had considered and rejected a cause of action for medical monitoring).
[12] See note 2, supra.