Court Finds Data Breach not an Imminent Risk to Victim
A federal court ruled last week that a massive data breach at a Texas hospital didn’t put patients at imminent risk of identity theft.
Beverly Peters wasn’t alone in having her personal information — including medical data — laid bare for hackers. Just the opposite. Peters was just one of more than 400,000 patients of St. Joseph Hospital whose information was stolen by hackers in an attack that took place between December 16 and 18, 2013. In that incident, hackers gained access to information on current and former patients of the facility as well as employees.
In notifying current and former patients and employees, St. Joseph said that it wasn’t aware of any of the information being misused. Still, after Peters found that her Discover credit card information had been stolen some months later, and that hackers had tried to infiltrate her Amazon.com account — posing as her son — she was pretty sure what the source of her woes was. And she was determined to act.
Peters filed a 13-count complaint against St. Joseph, alleging violations of the federal “Fair Credit Reporting Act” (FCRA). She alleged that her personal information had been exposed in the breach and then disseminated in the public domain, where it was being “misused by unauthorized and unknown third parties.” Hackers' attempts to use her son’s name to compromise her Amazon.com account was particularly damning, Peters claimed: that information could only have been obtained from names and next-of-kin information she provided to St. Joseph before the data breach.
Peters also asserted that telemarketers were using the stolen information – that she had been besieged with calls and solicitations for medical products and services companies, with telemarketers asking to speak to her and with specific family members, whose contact information was part of the record stolen from St. Joseph.
Despite that, a Federal court in Texas decided last week that Peters could not prove harm from the breach and, therefore, did not have standing to bring the case against St. Joseph.
Peters argued that she faced an “imminent injury” due to “increased risk” of future identity theft and fraud because of the breach at St. Joseph.
But the court found otherwise, ruling that she lacked standing in federal court under Article III of the Constitution, because she hadn’t been able to prove any direct damages from the attempted identity theft, and the threat she faced in the future was not “imminent.”
“Peters’ alleged future injuries are speculative — even hypothetical — but certainly not imminent,” the court ruled in an opinion on February 11. Peters, the court concluded, “cannot describe how [she] will be injured without beginning the explanation with the word ‘if.’” “The misuse of her information could take any number of forms, at any point in time,” the opinion reads. “The risk of future harm is, no doubt, indefinite. It may even be impossible to determine whether the misused information was obtained from exposure caused by the data breach or from some other source. Ultimately, Peters’ theory of standing “relies on a highly attenuated chain of possibilities.”
Interestingly, the ruling turns on a high profile case involving government surveillance dating back to the Carter administration, as this reading notes. In 1978, The U.S. Supreme Court ruled in Clapper v. Amnesty International USA, striking down a suit filed by reporters, attorneys and the human rights group to challenge part of the Foreign Intelligence Surveillance Act (FISA). The plaintiffs said they feared that their sources, colleagues and clients would be targets of U.S. government surveillance, and the threat would force them to take expensive security measures to keep their communications private. But the Supreme Court ruled otherwise, saying the threat of government surveillance was hypothetical, but not “certainly impending.”
In his 15 page ruling, U.S. District Judge Kenneth Hoyt said the same logic applied to Peters’ suit as well. “Under Clapper, Peters must at least plausibly establish a “certainly impending” or “substantial” risk that she will be victimized,” Hoyt wrote. “The allegation that risk has been increased does not transform that assertion into a cognizable injury.”
The case could have important implications for tens or hundreds of millions of U.S. residents who have had financial and personal data exposed in data breaches in recent years. The ruling implies such victims would have to show harm as a direct consequence of a specific breach in order to successfully sue for relief – a high bar to meet for any cyber forensic investigation.
More from the Digital Guardian Data Security Knowledge Base: