Supreme Court May Decide Data Breach Victims’ Rights

The U.S. Supreme Court may decide whether you can act on that “Dear valued customer, we regret to inform you that your data may have been compromised …” letter or e-mail with an individual or class action lawsuit.

Right now, courts around the country disagree whether the fact of a data breach itself is a sufficient “injury-in-fact” to get you into court or you should be required to just shrug your shoulders and wait until something bad actually happens. On Nov. 1, CareFirst petitioned the Supreme Court to review a lower court decision that permitted a data breach lawsuit to go forward. If the court grants review, it could impact how much money companies will be willing to spend to prevent or respond to breaches in the future.

The Cycle of Breaches

Chances are, at least once you’ve received notification from some bank, merchant or healthcare provider that your personal data, medical information or credit card data may have been compromised. But not to worry, they say—the breached organization has issued you a new credit card, offered you credit monitoring (or freeze) services and fixed the problem that caused the breach.

No harm. No foul. Right?

Being the litigious type, you consult counsel about your rights, either individually or as a potential class action. To get into court, however, you have to show that you have personally suffered some kind of recognizable harm or injury as a result of a breach by someone with a duty to you. It is the actual concrete harm that gives you what the law calls “standing” to sue.

So, in the wake of a data breach, what it the actual (as opposed to speculative) harm to the individual consumer or data subject?

Standing Up in Court

After the famous CareFirst data breach, a number of customers filed (or attempted to file) a class action lawsuit against the provider alleging that the breach exposed their personal data and put them at greater risk of “imminent” harm resulting from identity fraud and identity theft. Note that they didn’t allege they had actually suffered identity fraud or identity theft, just that they were at greater risk of that potential harm.

As the court itself explained:

Nobody doubts that identity theft, should it befall one of these plaintiffs, would constitute a concrete and particularized injury. The remaining question, then, keeping in mind the light burden of proof the plaintiffs bear at the pleading stage, is whether the complaint plausibly alleges that the plaintiffs now face a substantial risk of identity theft as a result of CareFirst’s alleged negligence in the data breach.

So there are actually several issues wrapped into this formulation:

  1. Is the risk of some future injury itself an injury that the court can consider?
  2. Is fear or apprehension that some future injury might occur a current injury which the court can consider?
  3. Are the precautions a consumer might reasonably take to prevent future harm and the inconveniences relating to having to take these precautions (e.g., changing all the stored credit card numbers, passwords, PINs, etc. or potential defaults from failing to do so) cognizable as “harm” that the court can consider?
  4. How “imminent” must the potential future harm be to create a present “harm” that gets you into court? If someone dumps toxic waste onto my lawn, I don’t have to wait until I get cancer from that waste to sue to get it removed, right?
  5. Is breach of privacy in and of itself the kind of harm that a court can grant a remedy for? This question is not really addressed by the court. If someone reads my medical records and now knows things about me that I would rather they not know, but isn’t my employer and doesn’t deny me insurance of a job or a home—just looks at me kinda funny … is that a “real” injury for which I can sue and be compensated? In other words, do we value—as in, put a true economic value on—privacy per se?

Courts have been struggling with both the privacy and the standing issue relating to data breaches for several years. Some courts have found that the mere increased risk of future harm or identity theft is sufficient to establish standing to sue:

  • Galaria v. Nationwide Mut. Ins. Co., No. 15-3386, 663 Fed. Appx. 384, 387-89, 2016 WL 4728027, at *3 (6th Cir. Sept. 12, 2016) (increased risk of future identity theft from Nationwide Mutual Insurance Company’s hack actionable because “[t]here is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals”);
  • Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692, 694-95 (7th Cir. 2015) (increased risk of future fraudulent charges and identity theft theory established “certainly impending” after Neiman Marcus hack because “[p]resumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities”);
  • Krottner v. Starbucks Corp., 628 F.3d 1139, 1142-43 (9th Cir. 2010) (theft of a laptop containing the unencrypted names, addresses, and social security numbers of 97,000 Starbucks employees established actionable harm to employees); and
  • Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 632-34 (7th Cir. 2007) (after “sophisticated, intentional and malicious” security breach of bank website compromised applicants’ information, applicants suffered genuine harm).

The CareFirst court was in this group, finding that the breach lead to an imminent threat of identity fraud and identity theft that gave the victims standing to sue.

Other courts have found that the mere fact that there might be harm at some point in the future as a result of a specific data breach does not give rise to “standing” to sue:

  • Katz v. Pershing, LLC, 672 F.3d 64, 80 (1st Cir. 2012)(brokerage account-holder’s increased risk of unauthorized access and identity theft theory insufficient to constitute “actual or impending injury” after defendant failed to properly maintain an electronic platform containing her account information, because plaintiff failed to “identify any incident in which her data has ever been accessed by an unauthorized person”);
  • Reilly v. Ceridian Corp., 664 F.3d 38, 40, 44 (3d Cir. 2011) (increased risk of identity theft theory too hypothetical and speculative to establish “certainly impending” injury-in-fact after unknown hacker penetrated payroll system firewall, because it was “not known whether the hacker read, copied, or understood” the system’s information and no evidence suggested past or future misuse of employee data or that the “intrusion was intentional or malicious”);
  • Beck v. McDonald, 848 F.3d 262, 275 (4th Cir.), cert. denied sub nom. Beck v. Shulkin, 137 S. Ct. 2307 (2017) (harm was too attenuated to be actionable); and
  • Whalen v. Michaels Stores, Inc., No. 16-260 (L), 2017 WL 1556116, at *1 (2d Cir. May 2, 2017) (concluding a customer who had her card information stolen had not suffered an injury in fact because she changed her card information so there was no threat of future harm).

What We Have Here … Is Failure to Communicate

So even on the basic issue—does being the victim of a data breach give you a sufficient injury-in-fact to permit you to even get into court—the federal courts are divided, or what lawyers call a “circuit split”; that is, the federal circuit courts are of split opinions. Is a breach a harm per se, or is it part of a chain of attenuated events that might, at some time in the future, cause some harm to someone?

Typically, the only ways to resolve a circuit split is for either Congress to clarify the issue (don’t hold your breath), or for the Supreme Court to decide to go once more into the breach (pun intended) good friends.

CareFirst appealed the decision of the United States Circuit Court for the D.C. Circuit to the U.S. Supreme Court. The narrow issue for the court is the question of injury-in-fact and attenuation. But more broadly, the case would determine the scope and extent of the ability of identity fraud victims to be able to get into court at all. This would apply, for example, to victims of the OMB hack, the Yahoo! hack or the Equifax hack. Already banks that reissue credit cards, employers that have to engage in more specific credit checks and others who suffer demonstrable economic costs from these breaches can be compensated. The issue is whether consumers or data subjects can also be compensated.

Value of Privacy

Also left unresolved by these cases is the question of whether privacy itself means anything, particularly in America. If I publish your credit card number, expiration date and CVV2, together with your name and address, until someone actually uses that data, it’s at least possible to argue that you have suffered no “harm.” Well, I could argue that, if I was paid to, right? The numbers themselves reveal little if anything about you. They are numbers.

But if underlying data is revealed—your search history, your location data, your medical records, your communications with friends or relatives, your hopes dreams and fantasies—in other words, your “privacy” information, how do we establish a “value” to that? What’s the value of keeping private things private—or, in a legal analysis, what is the harm or damage resulting from not keeping them private?

This analysis is critical because a company will not spend more to protect the privacy of data than the expected economic loss to it for failing to protect it. If a company holds records of 30,000 people and the maximum expected “harm” if the data is breached is $100 per record, and the likelihood of that “harm” is say, 5 percent, this gives the company a price point beyond which it makes little economic sense to protect the data. If courts find no economic value to privacy per se, then companies are discouraged from spending money to protect privacy, to provide security, and to prevent breaches. We don’t value what we don’t value.

If a nosy neighbor rummaged through my medicine cabinet and found that I had high cholesterol and put that up online, could I sue and what would be my damages? If my pharmacy or doctor or the drug manufacturer suffered a data breach and exposed the same fact, same issue applies. Again, we don’t value what we don’t value.

The Supreme Court is not required to take up the case of the CareFirst breach, and court watchers will be examining the tea leaves to see what happens. If the court finds that data subjects have standing merely because of the fact of a breach, we can expect both insurers and companies to expend additional resources to prevent and mitigate breaches or other legal strategies to minimize potential liability. Stay tuned.

Mark Rasch

Avatar photo

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 203 posts and counting.See all posts by mark