Can Breach Victims Sue Now for Future Harm?

I have often written about the Kübler-Ross stages of a data breach: denial, investigation, anger, blame, acceptance and litigation. Or something like that.

A recent case in the federal appeals court in Georgia points out a problem with post-breach class-action litigation. Who is actually “harmed” by a data breach, and is that harm the kind that the courts are willing to compensate?

When the online credit card payment system of fast-casual restaurant chain PDQ was breached, they did what various state laws require — they notified customers about the breach, and offered affected customers free credit monitoring services.

Pinellas, Florida, resident Tan Tsao made two credit card purchases at a local PDQ restaurant, and when he heard about the data breach, he thought he should sue the company for damages. Now, there was no evidence that the hackers had actually used Tan Tsao’s purloined credit card or number, that they had made unauthorized charges on his account or that they had actually assumed, or attempted to assume, Tsao’s identity. Nor was there evidence that, using the stolen information, hackers could have assumed his identity.

Tsao’s bank reissued him a new credit card, and he suffered the inconvenience (not a minor inconvenience, granted) of having to update all of his accounts with the new number and to monitor his purchases and credit reports for potential fraud. Indeed, the problem of data breaches is so pervasive that companies have made it relatively easy to update a stolen credit card number on multiple accounts.

So, did Tsao suffer any legally cognizable damages as a result of the PDQ breach, and does he have legal standing to sue in federal court to obtain compensation for such damages?

Tsao filed a lawsuit less than two weeks after learning of the data breach, in which he alleged that he, and others similarly situated, “… have been placed at an imminent, immediate, and continuing increased risk of harm from identity theft and identity fraud, requiring them to take the time which they otherwise would have dedicated to other life demands such as work and effort to mitigate the actual and potential impact of the Data Breach on their lives.” The complaint also includes some general information from the Federal Trade Commission (FTC) and Government Accountability Office (GAO) about the risks associated with cyberattacks, and lists a few noteworthy data breaches involving the restaurant industry. He alleged that his damages consisted of “lost cash-back or reward points, lost time spent addressing the problems caused by the cyberattack, and restricted card access resulting from his credit card cancellations.”

This is not the first time that federal courts have addressed the issue of whether the risk of future harm resulting from a data breach is sufficiently imminent “harm” as to constitute legally cognizable damages, and federal courts are split on the issue.

Federal appellate courts for the 6th, 7th, 9th and District of Columbia Circuits have all recognized—at least at the pleading stage—that a plaintiff can establish injury-in-fact based on the increased risk of identity theft. On the other hand, the 2nd, 3rd, 4th and 8th Circuits have declined to find standing on that theory.

The United States Court of Appeals for the 11th Circuit ruled Feb. 5 that the speculative possible future harm that might (or might not) occur as a result of possible ID theft resulting from the PDQ hack was not the kind of concrete damages which would give rise to a right to sue in court. On its face, the decision is limited to cases of data breaches involving credit card information, where the information itself is not used for fraudulent charges, and where the possibility of future damages is speculative.

The court noted that real risk from stolen credit cards is the risk of unauthorized charges on those cards, and that, at least according to the U.S. GAO (in a report that is 10 years old) most data breaches “have not resulted in detected incidents of fraud on existing accounts.” The fact that Tsao and his bank canceled and replaced the credit cards, that there has been no discernible activity with respect to his credit report and credit activity and that the now-useless credit card numbers are not particularly useful for facilitating actual identity theft were all factors in the court decision.

What This Means For Companies and Breach Victims

Right now, federal courts are split on the extent to which potential future harm resulting from a data breach is sufficient to give a victim standing to sue. Much of this is going to be specific to the data breach itself. What was compromised during the breach? What were the consequences of the compromise? What were the actual injuries that resulted from the breach? How immediate is the likely harm resulting from the breach? To the extent that a company that suffered a data breach can establish that the hackers have not, and could not, do much with the data, they will be in better shape to fend off a class action lawsuit.

Adding things like threat intelligence and open source monitoring (to show that the purloined data has not migrated to the dark web, or that there is no indication of “secondary fraud” resulting from the breach) is probably a good idea. On the other hand, if the stolen data is of the character that makes it particularly susceptible to identity theft (not just fraud) — data like social security numbers, dates of birth, credit reporting data, identity information, etc., then a Court might – might – find the potential harm more plausible or imminent.

Even then, a court might not find an injury in fact. Indeed, many courts have been hesitant to consider as “damages” issues related to simple loss of privacy. For example, if your medical information is hacked from your doctor’s office, and the hackers have now learned that your blood pressure is elevated (you think it was elevated before?) and that your latest colonoscopy came out clean, what legally cognizable “damages” have you suffered? Sure, if you could show that someone refused to hire you because they found out about your blood pressure, or that they charged you a higher rate for antihistamines, you could show some “harm,” but courts have difficulty establishing the economic value of a loss of privacy – at least in the United States. As a result, potential future harm, and actual current loss of privacy, both have a hard time in the court system. It’s hard to put a value on these things, so courts punt.

Because the federal circuit courts are split on this issue, the ultimate way for it to be resolved is for the U.S. Supreme Court to provide clearer guidance. But even so, the question is not whether a data breach which results in potential future identity theft can be the basis for a lawsuit, but whether a specific data breach, which results in a specific kind of harm, gives the individual standing to sue. For now, each case will stand or fall on its own merit.


Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
