Pisciotta V. Old National Bancorp Case Analysis

907 Words4 Pages

In Pisciotta v. Old National Bancorp, the Seventh Circuit analogized the harm stemming from a data breach to the “increased risk” theory of harm that some courts utilize in the toxic tort context. In Pisciotta, a hacker improperly accessed the computer system of a financial services provider, exposing the plaintiffs ' personal information but resulting in no realized financial loss or identity theft. In analyzing whether there had been an injury-in-fact, the court analogized the case at hand to environmental exposure tort cases, which granted plaintiffs standing upon demonstration that the act “increase[d] the risk of future harm that the plaintiff would have otherwise faced, absent the defendant 's actions.” The court granted standing …show more content…

For example, one theory seems to suggest that harm arises not only from misuse of the data but also from the breach itself. In both Pisciotta and Reilly, customers chose to share information with a trusted institution for a particular purpose; when malicious third parties hacked the defendants ' computer systems, customers lost control over who had access to their personal information. It is not necessary for the probability to be as high as the court in Reilly would require for the breach to cause feelings of powerlessness and anxiety. The Court’s “increased risk” analysis in Pisciotta overlaps with this control theory, but it is not coextensive. Harm under this theory would not necessarily require an increased risk of exposure, as general anxiety and stress stems from the perception of loss of control over personal information, regardless of whether an increased risk of harm can be statistically …show more content…

However, this line of analysis would lead to justiciability problems, because the loss of faith argument could also extend to those who have not even been victim to the data breach. For example, when online shopping technologies first entered the marketplace, many users feared that their transactions would not be secure and therefore refrained from making purchases online. This results in self-censorship or feelings of anxiety over control of information can arise from the fear of new technologies or from observation of others ' compromised personal information. But, even if courts were to consider such an open-ended definition of harm, the underlying cause of action could curtail lawsuits from parties whose data was not actually breached.
Thus, while some definitions of harm are more applicable or feasible than others in the privacy breach context, the availability of multiple definitions of harm indicates that the courts in question did make a choice to select some types of harm over others for the purpose of evaluating standing, with little explanation. Regardless of whether one views the outcome of such decisions as correct, the reasoning behind selecting the chosen definition is incredibly