Will the Equifax data breach finally spur lawmakers to recognize data harms – Business Intelligence Info

This summer 143 million Americans had their most sensitive information breached, including their name, addresses, social security numbers (SSNs), and date of birth.

The breach occurred at Equifax, one of the three major credit reporting agencies that conduct the credit checks relied on by many industries, including landlords, car lenders, phone and cable service providers, and banks that offer credit cards, checking accounts and mortgages.

Misuse of this information can be financially devastating.

Worse still, if a criminal uses stolen information to commit fraud, it can lead to the arrest and even prosecution of an innocent data breach victim.

Given the scope and seriousness of the risk that the Equifax breach poses to innocent people, and the anxiety that these breaches cause, you might assume that legal remedies would be readily available to compensate those affected.

You’d be wrong.

While there are already several lawsuits filed against Equifax, the pathway for those cases to provide real help to victims is far from clear.

That’s because even as the number and severity of data breaches increases, the law remains too narrowly focused on people who have suffered financial losses directly traceable to a breach.

The law consistently fails to recognize other sorts of harms to victims.

In some cases this arises in the context of threshold “standing” to sue, a legal requirement that requires proof of harm (lawyers call it “injury in fact”) to even get into the door in federal courts.

In other cases the problem arises within the claim itself, where “harm” is a legal element that must be proven for a plaintiff to win the case.

Regardless of how the issue of “harm” comes up, judges are too often failing to ensure that data breach victims have legal remedies.

The consequences of this failure are two-fold.

First, there’s the direct problem that the courthouse door is closed to hundreds of millions of people who face real risk and the accompanying reasonable fears about the misuse of their information.

Second, but perhaps even more important, the lack of legal accountability means that the companies that hold our sensitive data continue to have insufficient incentives to take the steps necessary to protect us against the next breach.

Effective computer security is hard, and no system will be free of bugs and errors.

But in the Equifax hack, as in so many others, the breach resulted from a known security vulnerability.

A patch to fix the vulnerability had been available for two months, but Equifax failed to implement it even though the vulnerability was being actively exploited.

This wasn’t the first time that Equifax has failed to take computer security seriously.

Even if increasing liability only accomplished an increased incentive to patch known security problems, that alone would protect millions of people.

The High Bar to Harm

While there are exceptions, too often courts dismiss data breach lawsuits based on a cramped view of what constitutes “harm.”

These courts mistakenly require actual or imminent loss of money due to the misuse of information that is directly traceable to a single security breach.

Yet outside of data breach cases, courts routinely handle cases where damages aren’t just a current loss of money or property.

The law has long recognized harms such as the infliction of emotional distress, assault, damage to reputation and future business dealings.

Victims of medical malpractice and toxic exposures can receive current compensation for potential future pain and suffering.

As two law professors, EFF Advisory Board member Daniel J. Solove and Danielle Keats Citron, noted in comparing data breach cases to the recent claims of emotional distress brought by Terry Bollea (Hulk Hogan) against Gawker: “Why does the embarrassment over a sex video amount to $115 million worth of harm but the anxiety over the loss of personal data (such as a Social Security number and financial information) amount to no harm?”



For harms that can be difficult to quantify, some specific laws (e.g. copyright, wiretapping) provide for “statutory damages,” which set an amount per infraction.

The recent decision dismissing the cases arising from the 2014-2015 Office of Personnel Management (OPM) hack is a good example of these “data breach blinders.”

The court required that the plaintiffs—mostly government employees—demonstrate that they faced a certain, impending, and substantial risk that the stolen information would be misused against them, and that they be able to trace any harm they alleged to the actual breach.

The fact that the data sufficient to impersonate was stolen, and stolen due to negligence of OPM, was not sufficient.

The court then disappointingly found that the fact that the Chinese government—as opposed to ordinary criminals—is suspected of having stolen the information counted against the plaintiffs in demonstrating likely misuse.

The ruling is especially troubling because we know that it can take years before the harms of a breach are realized.

Criminals often trade our information back and forth before acting on it; indeed there are entire online forums devoted to this exchange.

Stolen credentials can be used to set up a separate persona that incurs debts, commits crimes, and more for quite a long time before the victim is aware of it.

And it can be difficult if not impossible to trace a problem with credit or criminal activity misuse back to any particular breach.

How are you to prove that the bad data that torpedoed your mortgage application came from the breaches at Equifax as opposed to the OPM, Target, Anthem, or Yahoo breaches, just to name a few?

What the Future Holds

When data is being declared the ‘oil of the digital era’ and millions in venture capital funding await those who can exploit it, it’s time to reevaluate how to think of data breaches and misuse, and how we restore access to the courts for those impacted by them.

Simply shrugging shoulders, as the OPM judge did, is not sufficient.

Courts need to start applying what they already know in awarding emotional distress damages, reputational damages, and prospective business advantage damages to data breach cases, along with the recognition of current harm due to future risks, as in medical malpractice and pollution cases.

If the fear caused by an assault can be actionable, so should the fear caused by the loss of enough personal data for a criminal to take out a mortgage in your name.

These lessons can and should be brought to bear to help data breach victims get into the courthouse door and all the way to the end of the case.

If the political will is there, legislatures, both federal and state, can step up and create incentives for greater security and a much steeper downside for companies that fail to take the necessary steps to protect our data.

The standing problem requires innovation in crafting claims, but even the Supreme Court in the recent Spokeo decision recognized that intangible harms can still be harms under the Constitution and Congress can make that intention even more clear with proper legislative language.

Alternately, as in copyright or wiretapping cases where the damages are hard to quantify, Congress can use techniques like statutory damages to ensure that those harmed receive compensation.

Making such remedies clearly available in data misuse and breach cases is worthy of careful consideration.

So far, the federal bills being floated in response to the Equifax breach and earlier breaches do not remove these obstacles to victims bringing legal claims and ensure a private right of action.

Similarly, outside of the shadow of federal standing requirements, state legislatures can consider models of specific state law protections like California’s Lemon Law, formally known as the Song-Beverly Consumer Warranty Act.

The Lemon Law provides specific extra remedies for those purchasing a new car that needs significant repairs.

States should be able to recognize that data breach situations are special and may similarly require special remedies.

Things to consider are giving victims easier (and free) ways to clean up their credit rather than just the standard insufficient credit monitoring schemes.

By looking at various options, Congress and state legislatures could spur a race to the top on computer security and create real consequences for those who choose to linger on the bottom.

Of course, shoring up our legal remedies isn’t the only avenue for incentivizing companies to protect our data better.

Government agencies like the Federal Trade Commission and state attorneys general have a role to play, as does public pressure and media attention.

One thing is for sure: as long as the consequences for neglecting to protect user data are weak, data breaches like the Equifax breach will continue to occur.

Worse, it will become increasingly difficult for victims to demonstrate which breach caused their credit rate to drop, their job prospects to dim, or their hopes for a mortgage to be dashed.

It’s long past time for us to rethink the approach to harm in data breach cases.