Cost of credit monitoring following data security breach not a cognizable injury in fact.
In a negligence and breach of contract action alleging unauthorized access to personal information as the result of a data security breach, the cost of credit monitoring is not a cognizable injury in fact under Indiana law. Pisciotta v. Old National Bancorp, No. 05-668, 2007 U.S. App. LEXIS 20068 (7th Cir. Aug. 23, 2007). The appeals court affirmed the lower court's dismissal of the putative class action against a financial services provider, ruling that in the absence of any specific evidence of identity theft resulting from the security breach, the plaintiffs suffered merely the anticipation of future injury. The court followed the general rule that an alleged increase of future injury is not a cognizable injury that can form the basis of a successful negligence claim. The court also commented that Indiana's data notification law, which outlines narrow disclosure duties and provides only for state enforcement actions, strongly suggests that Indiana law would not recognize the costs of credit monitoring as compensable damages.