This recent court decision adds to a growing body of law that makes it harder for data breach victims to win against the companies from which their data was stolen. According to the U.S. District Court for the District of Columbia, victims must show not only that there was a breach and that their private information was stolen, but also that the stolen information already has been or will be misused. Two victims in the case, Attias v. CareFirst, alleged they already had been victims of tax fraud following a breach of over a million patients' data. The court, however, found the victims had not adequately traced the fraud back to the data breach.
A popular reaction to the decision seems to be that companies that collect and store consumer data should be relieved as courts raise the bar for victim relief. Now that a court has held that a data breach, even one exposing more than a million people's information, may not by itself be a legally recognizable injury, they can breathe a little easier.
But should they?
The "breach plus" standard, under which a plaintiff must show a breach plus actual or imminent misuse of the stolen data, is not the settled and universal law of the land. There is active debate about what kinds of injuries can be actionable and under what circumstances.
This past May, for example, the United States Supreme Court issued a ruling in the case of Spokeo, Inc. v. Robins. In that case, the plaintiff, Thomas Robins, sued Spokeo, a data broker, over an online profile the site generated with inaccurate information about him. The Supreme Court held that Mr. Robins must show a "concrete" injury to have standing to sue Spokeo, and it sent the case back to the Ninth Circuit to decide whether the inaccurate profile caused one. Even though the decision appears to restrict consumer privacy remedies, there is considerable room for data-breach-related harms to be actionable. Certain privacy harms, such as harm to reputation, may be actionable because of their "close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts." Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1549 (2016). Or, Congress could choose to "elevat[e] to the status of legally cognizable injuries concrete, de facto injuries that were previously inadequate in law." Id. (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 578 (1992)).
As data breaches continue to happen on bigger scales and more consumers become aware of them, it seems inevitable that more individuals will be able to trace harms like actual identity theft and misuse of credit back to a particular incident. It also seems likely that, if consumers are repeatedly denied remedies for breaches, Congress may indeed be compelled to act.
Perhaps companies would be better served if they used whatever breathing room they now have to reassess their data and cyber-security practices. Companies that believe they are now less likely to face costly judgments could invest more heavily in their privacy programs and dedicate resources and attention to building world-class security systems. They can seek guidance on best practices from the Federal Trade Commission's Bureau of Consumer Protection and from the Department of Justice's Computer Crime and Intellectual Property Section. Such practices are also evolving rapidly throughout the private sector as more start-ups and established security companies improve data security tools and protocols. Rather than hope it becomes less likely that consumers can hold them accountable, companies could work to make breaches of the information they safeguard less likely and establish themselves as leaders in consumer data protection.
By Alexandra Tracy-Ramirez, HopkinsWay PLLC. | © HopkinsWay PLLC 2016. All rights reserved.