ST. LOUIS (12/7/09)--A federal judge in Missouri has dismissed a consumer class-action lawsuit against a benefits company over a 2008 data breach, citing a position that other judges have taken in similar cases: Without actual harm, consumers can seek no damages. Magistrate Judge Frederick Buckles said the plaintiff in the case, John Amburgy, failed to show how the data breach at St. Louis-based pharmacy benefits company Express Scripts had caused him any direct injury or put him in imminent danger of any injury (Computerworld Dec. 3). The judge said abstract injury is not enough to demonstrate injury in fact. "The injury or threat must be concrete and particularized, actual and imminent; not conjectural or hypothetical." The case is of interest to credit unions because they and their members have been impacted by a number of data breaches the past two years involving TJX Cos., Hannaford Brothers and Heartland Payment Systems. The Maine Supreme Court has been asked in a trial against Hannaford Bros. whether time and effort spent in mitigating the impact of a breach constitutes a cognizable injury under Maine law (News Now Dec. 2). As in data breaches involving credit union members, the suit against Express Scripts claims financial accounts were affected during the company's breach. Amburgy claimed that as a result of the company's failures to maintain adequate security measures, he and others whose records were compromised by the breach were at increased risk of identity theft and extortion. He and others similarly impacted had to spend time and money monitoring their credit accounts and reports, prescription records and other financial accounts, the suit claimed.