• Tag Archives: Equifax
  • Will the Equifax Data Breach Finally Spur the Courts (and Lawmakers) to Recognize Data Harms?

    This summer 143 million Americans had their most sensitive information breached, including their names, addresses, Social Security numbers (SSNs), and dates of birth. The breach occurred at Equifax, one of the three major credit reporting agencies that conduct the credit checks relied on by many industries, including landlords, car lenders, phone and cable service providers, and banks that offer credit cards, checking accounts and mortgages. Misuse of this information can be financially devastating. Worse still, if a criminal uses stolen information to commit fraud, it can lead to the arrest and even prosecution of an innocent data breach victim.

    Given the scope and seriousness of the risk that the Equifax breach poses to innocent people, and the anxiety that these breaches cause, you might assume that legal remedies would be readily available to compensate those affected. You’d be wrong.

    While there are already several lawsuits filed against Equifax, the pathway for those cases to provide real help to victims is far from clear. That’s because even as the number and severity of data breaches increases, the law remains too narrowly focused on people who have suffered financial losses directly traceable to a breach.

    The law consistently fails to recognize other sorts of harms to victims. In some cases this arises in the context of threshold “standing” to sue, a legal requirement of proof of harm (lawyers call it “injury in fact”) just to get in the door in federal court. In other cases the problem arises within the claim itself, where “harm” is a legal element that must be proven for a plaintiff to win the case. Regardless of how the issue of “harm” comes up, judges are too often failing to ensure that data breach victims have legal remedies.

    The consequences of this failure are two-fold. First, there’s the direct problem that the courthouse door is closed to hundreds of millions of people who face real risk and the accompanying reasonable fears about the misuse of their information. Second, but perhaps even more important, the lack of legal accountability means that the companies that hold our sensitive data continue to have insufficient incentives to take the steps necessary to protect us against the next breach.

    Effective computer security is hard, and no system will be free of bugs and errors.

    But in the Equifax hack, as in so many others, the breach resulted from a known security vulnerability. A patch to fix the vulnerability had been available for two months, but Equifax failed to implement it even though the vulnerability was being actively exploited. This wasn’t the first time that Equifax has failed to take computer security seriously.

    Even if increasing liability only accomplished an increased incentive to patch known security problems, that alone would protect millions of people.

    The High Bar to Harm

    While there are exceptions, too often courts dismiss data breach lawsuits based on a cramped view of what constitutes “harm.” These courts mistakenly require actual or imminent loss of money due to the misuse of information that is directly traceable to a single security breach.

    Yet outside of data breach cases, courts routinely handle cases where damages aren’t just a current loss of money or property. The law has long recognized harms such as the infliction of emotional distress, assault, damage to reputation and future business dealings.[1] Victims of medical malpractice and toxic exposures can receive current compensation for the potential for future pain and suffering. As two law professors, EFF Advisory Board member Daniel J. Solove and Danielle Keats Citron, noted in comparing data breach cases to the recent claims of emotional distress brought by Terry Bollea (Hulk Hogan) against Gawker: “Why does the embarrassment over a sex video amount to $115 million worth of harm but the anxiety over the loss of personal data (such as a Social Security number and financial information) amount to no harm?”

    For harms that can be difficult to quantify, some specific laws (e.g. copyright, wiretapping) provide for “statutory damages,” which set an amount per infraction.[2]

    The recent decision dismissing the cases arising from the 2014-2015 Office of Personnel Management (OPM) hack is a good example of these “data breach blinders.” The court required that the plaintiffs—mostly government employees—demonstrate that they faced a certain, impending, and substantial risk that the stolen information would be misused against them, and that they be able to trace any harm they alleged to the actual breach. The fact that data sufficient to impersonate them was stolen, and stolen due to the negligence of OPM, was not sufficient. The court then disappointingly found that the fact that the Chinese government—as opposed to ordinary criminals—is suspected of having stolen the information counted against the plaintiffs in demonstrating likely misuse.

    The ruling is especially troubling because we know that it can take years before the harms of a breach are realized. Criminals often trade our information back and forth before acting on it; indeed there are entire online forums devoted to this exchange. Stolen credentials can be used to set up a separate persona that incurs debts, commits crimes, and more for quite a long time before the victim is aware of it. And it can be difficult if not impossible to trace a credit problem or criminal misuse back to any particular breach.

    How are you to prove that the bad data that torpedoed your mortgage application came from the breaches at Equifax as opposed to the OPM, Target, Anthem, or Yahoo breaches, just to name a few?

    What the Future Holds

    When data is being declared the ‘oil of the digital era’ and millions in venture capital funding await those who can exploit it, it’s time to reevaluate how to think of data breaches and misuse, and how we restore access to the courts for those impacted by them.

    Simply shrugging shoulders, as the OPM judge did, is not sufficient. Courts need to start applying what they already know in awarding emotional distress damages, reputational damages, and prospective business advantage damages to data breach cases, along with the recognition of current harm due to future risks, as in medical malpractice and pollution cases. If the fear caused by an assault can be actionable, so should the fear caused by the loss of enough personal data for a criminal to take out a mortgage in your name. These lessons can and should be brought to bear to help data breach victims get through the courthouse door and all the way to the end of the case.

    If the political will is there, legislatures, both federal and state, can step up and create incentives for greater security and a much steeper downside for companies that fail to take the necessary steps to protect our data.

    The standing problem requires innovation in crafting claims, but even the Supreme Court in the recent Spokeo decision recognized that intangible harms can still be harms under the Constitution, and Congress can make that intention even clearer with proper legislative language. Alternately, as in copyright or wiretapping cases where the damages are hard to quantify, Congress can use techniques like statutory damages to ensure that those harmed receive compensation. Making such remedies clearly available in data misuse and breach cases is worthy of careful consideration. So far, the federal bills being floated in response to the Equifax breach and earlier breaches neither remove these obstacles to victims bringing legal claims nor ensure a private right of action.

    Similarly, outside of the shadow of federal standing requirements, state legislatures can consider models of specific state law protections like California’s Lemon Law, formally known as the Song-Beverly Consumer Warranty Act. The Lemon Law provides specific extra remedies for those purchasing a new car that needs significant repairs. States should be able to recognize that data breach situations are special and may similarly require special remedies. One thing to consider is giving victims easier (and free) ways to clean up their credit rather than just the standard, insufficient credit monitoring schemes.

    By looking at various options, Congress and state legislatures could spur a race to the top on computer security and create real consequences for those who choose to linger on the bottom.

    Of course, shoring up our legal remedies isn’t the only avenue for incentivizing companies to protect our data better. Government agencies like the Federal Trade Commission and state attorneys general have a role to play, as does public pressure and media attention.

    One thing is for sure: as long as the consequences for neglecting to protect user data are weak, data breaches like the Equifax breach will continue to occur. Worse, it will become increasingly difficult for victims to demonstrate which breach caused their credit rate to drop, their job prospects to dim, or their hopes for a mortgage to be dashed. It’s long past time for us to rethink the approach to harm in data breach cases.


    1. Most of the ideas here come from a terrific forthcoming law review article: Daniel J. Solove & Danielle Keats Citron, Risk and Anxiety: A Theory of Data Breach Harms, 96 Tex. L. Rev. (forthcoming 2017) (manuscript at 12), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2885638.
    2. While we have been sharply critical of the mismatch between statutory damages and harm in copyright law, the idea itself is worthwhile in situations where harm is difficult to prove.

    Source: Will the Equifax Data Breach Finally Spur the Courts (and Lawmakers) to Recognize Data Harms? | Electronic Frontier Foundation


  • Equifax Hackers Demand Ransom in Bitcoin

    There’s a new wrinkle in the story of one of the largest data breaches in history. The hack of Equifax may have compromised the personal data of one in five Americans. The hackers have now demanded a ransom with the threat of releasing that information to the commercial marketplace (“monetizing the information”).

    They are demanding 600 Bitcoins, which are worth about $2.4 million.

    “We are two people trying to solve our lives and those of our families. We did not expect to get as much information as we did, nor do we want to affect any citizen. But we need to monetize the information as soon as possible.”

    All told that is not a high price for this company, given the stakes. If it is paid, it will happen quietly. And at that point, presumably, the newly minted millionaires will have sold the data back to its rightful owners and will move on with their lives.

    But note that the hackers did not demand dollars. They did not demand euros. They did not demand gold, silver, or diamonds. They demanded a digital currency that didn’t even exist 10 years ago. They demanded what is now correctly described as the most valuable currency in the world.

    One response might be: of course they demand bitcoins, because this is the preferred money of the criminal class. If that is true, we might reflect for a moment on why that might be so. Cryptocurrency is not anonymous, contrary to what people think. All transactions exist on a public ledger, so you can actually follow transactions around, even if you can’t easily discover the identity behind the movement.

    So what’s the appeal? It is a global currency that works in every nation, thus removing the costs of converting one national money to another. It is lightweight and portable in a way that cash or gold are not. It can be moved quickly at very low cost.

    But can’t you do this with dollars using electronic payment systems? Contrary to what you see in Hollywood movies, consumers can’t move millions or even hundreds of thousands of dollars using any existing technology. And you can’t even move a few thousand dollars without using a financial intermediary based on some trusted relationship. Forget PayPal or Venmo. Not even Google Cash can do this.

    Like Real Property

    Bitcoin is completely different. Its built-in payment system works peer-to-peer. You get settlement of the transaction without being permissioned in by some centralized force. Once the transaction is confirmed, it is done, as if physical property were handed from one person to another. And it can take place without regard to geographic proximity.

    Is it any surprise that the criminal class prefers it as the best way to extract ransom? That fact should tell us something about the future of this currency. That people who specialize in moving large amounts of cash around the world quickly prefer it to every existing national money points to what the future of money looks like.

    Why Bitcoin and not one of the thousands of other cryptoassets that are out there? Bitcoin has become the base money of the crypto world, the standard by which all the others are measured and into which everything else is converted. That may not be a permanent condition, but it is where we are today.

    Disintermediation

    Consider all the features of money (fungibility, divisibility, portability, durability), and add to them being weightless and spaceless, and you already have the highest quality currency in the world today. But there’s another factor that works in favor of cryptocurrency: it lives on a decentralized network. And this network is capable of doing much more than enlivening a new type of money.

    The trouble with centralized networks is highlighted by the Equifax compromise itself. Once a hacker gets in, there is no end to the mischief he can cause. This is because there is a central point of failure. This is also true for all financial intermediaries. We just have to trust that their security systems are solid, and, if they are not, we have no real recourse.

    In decentralized networks, there is no single custodian of the data. It is observed in operation by anyone and everyone, and it cannot be compromised in whole just because one code slinger made a mistake. A decentralized network provides the maximum in security for this reason.

    Might there be some blockchain-style solution to the problem that our financial data is being held by these highly centralized corporate entities? If such a solution does exist, it will be found within the frameworks being developed today. The Equifax hacking illustrates the need for change.

    And it also illustrates the value of the leading currency unit. Pay attention to the preferred denomination of ransom money, and you see the future of money and payment systems.

    Jeffrey A. Tucker

    Jeffrey Tucker is Director of Content for the Foundation for Economic Education. He is also Chief Liberty Officer and founder of Liberty.me, Distinguished Honorary Member of Mises Brazil, research fellow at the Acton Institute, policy adviser of the Heartland Institute, founder of the CryptoCurrency Conference, member of the editorial board of the Molinari Review, an advisor to the blockchain application builder Factom, and author of five books. He has written 150 introductions to books and many thousands of articles appearing in the scholarly and popular press.

    This article was originally published on FEE.org. Read the original article.