Data breaches have become so common that they’ve taken on a kind of formality. First comes news of the breach – often from a web site like Krebsonsecurity.com, or via a disclosure by the company itself. Then comes the mea culpa from company executives, including promises to investigate the incident, work with law enforcement and to help protect affected customers from identity theft and so on.
One of the phrases that often accompany such incidents goes something like this: “[Company X] has no evidence that any of the stolen information has been used inappropriately.” Or you might read that “there is no evidence of fraud linked to the stolen data.”
Such assurances are generally interpreted as wishful thinking. After all: you may have no evidence that the jewelry stolen from your bedroom is being fenced on the black market or adorning a thief’s girlfriend. The fact remains: the jewelry is gone, and you might as well assume that something like that is going on – otherwise, why steal it in the first place?
But when courts are asked to weigh in on the question of damages resulting from cyber incidents in civil suits, the question of what harm resulted from the incident is very different – and very real. To put it simply: if nobody can prove harm resulting from a cyber incident, a company can’t be held liable for those damages.
That fact was underscored again late last month, when a federal judge in U.S. District Court for the Eastern District of New York dismissed a class action suit against arts and crafts giant Michaels Stores that was filed in the wake of that company’s widely-reported data breach. As part of her ruling, the judge, Joanna Seybert, cited a legal precedent set by the recent Supreme Court ruling in “Clapper v. Amnesty International,” concluding that the plaintiffs hadn’t proven that any harm resulted from the Michaels breach.
“Simply put, Whalen has not asserted any injuries that are ‘certainly impending’ or based on a 'substantial risk that the harm will occur,'” Seybert wrote in her decision, referring to Mary Jane Whalen, the Michaels customer in whose name the class action suit was filed. “Thus, Whalen’s claims are DISMISSED WITHOUT PREJUDICE for lack of subject matter jurisdiction,” Seybert concluded.
This isn’t to say that Whalen or other Michaels Stores customers were not the target of fraudsters. In fact, Whalen’s attorneys presented evidence that her stolen credit card (or a clone of it) was presented for payment fraudulently in Ecuador: at a local gym and at a venue that sold concert tickets. But regulations in the U.S. exempt consumers from paying the cost of credit card fraud, and Whalen wasn’t asked to pay any unreimbursed charges as a result of the fraudulent use, the court noted.
Whalen’s other attempts to establish “costs” associated with the breach were also disregarded. They included the cost of credit monitoring services and the cost (in time and effort) to obtain replacement cards, the intrinsic value of her credit card information and the risk of future fraud tied to the theft of her credit card data.
But those allegations were too hypothetical to satisfy the court’s definition of standing, which is rooted in Article 3 of the Constitution and requires plaintiffs to demonstrate concrete injury that can be traced back to the defendant’s conduct. With no evidence that Ms. Whalen had to pay an unreimbursed charge resulting from the fraud, in other words, the court had no basis on which to offer her redress.
The problem here for U.S. consumers and the U.S. economy is clear. Namely: laws set up to protect consumers from losses linked to credit card fraud are being used to shield merchants from the consequences of lax data security. Without documented monetary damages specifically linked to their stolen credit card information, customers have no grounds on which to sue individually or as part of a class.
That’s unfortunate for a number of reasons. First and foremost: expensive and public class action suits are a useful tool for pulling back the covers on breaches (through legal discovery) and prompting changes at the offending firms. Second: the costs of lax security ultimately get passed on to consumers by banks, credit card companies and (increasingly) merchants. Without fear of a major financial penalty in the form of a class action lawsuit, firms will be more inclined to treat data breaches and other security lapses as isolated incidents that can be handled (and paid for) without requiring major changes. Finally: the court decided to disregard Ms. Whalen’s contention that there were as-yet-unrealized costs to her that will result from the theft of her data. But time may prove her right: the Michaels breach may have left her susceptible to expensive fraud linked to identity theft later on, much as the effects of living next to toxic waste might take years to appear. The courts also need to consider such eventualities in weighing the risks that follow from lax data security.
Paul F. Roberts is the Editor in Chief of The Security Ledger and Founder of The Security of Things Forum.