Two recent cases show that although security breaches that involve personal data may be problematic, actual damages because of the security breach must be proven to sustain a cause of action based on a data security breach. A majority of states have laws that require that businesses provide notice to individuals whose personal data has been breached, and those laws provide for penalties for a failure to report. In two recent cases, one in Arkansas and the other Ohio, plaintiffs brought a lawsuit alleging injury because of the apprehension of identity theft. In both cases, the defendants moved to dismiss the actions because of the lack of actual damages. One court characterized the case as lacking "injury-in-fact" while the other noted that increased risk does not equate to harm sufficient to create a case or controversy. Thus, both courts dismissed its action. Businesses have for now been relieved of another potential area of exposure, provided that proper notice is provided in the event of a security breach. Information on security breach laws may be found in prior editions or in our June 2006 Intellectual Property Newsletter.