Like many issues in Technology Law, the issue of standing of victims of data breaches to bring lawsuits is far from settled. In Clapper v. Amnesty International, the U.S. Supreme Court ruled that “respondents lack Article III standing because they cannot demonstrate that the future injury they purportedly fear is certainly impending and because they cannot manufacture standing by incurring costs in anticipation of non-imminent harm.” In short: having your information compromised in a data breach is not a sufficient indication that you will incur some kind of harm. But is that the case? As clear as the Court’s ruling in Clapper may seem, several Federal Court judges have ruled that the mere breach of data may cause sufficient damage to confer standing.
A recent set of rulings by U.S. District Judge Paul Magnuson of St. Paul, Minnesota in the Target Corporation Customer Data Security Breach Litigation has helped muddy the waters. The Target litigation has been bifurcated by Plaintiff type, with Financial Institutions in one group and Consumers in the other. The Plaintiffs in the first ruling issued were not the parties whose data had been stolen; instead, they were the banks and credit unions responsible for issuing the credit and debit cards that were compromised. Responding to Target’s motion to dismiss for lack of standing, Judge Magnuson held that “Plaintiffs have plausibly alleged that Target’s actions and inactions—disabling certain security features and failing to heed the warning signs as the hackers’ attack began—caused foreseeable harm to Plaintiffs.” In other words, Target should have known that these financial institutions would need to replace cards en masse as a result of its alleged negligence.
In his ruling on the motion to dismiss the Consumer side of the Target case, a mere two weeks later, Judge Magnuson again held that the Plaintiffs had standing to bring suit. Specifically, he noted that “Plaintiffs have alleged injury. Indeed, paragraphs 1.a through 1.g and 8 through 94 of the Complaint are a recitation of many of the individual named Plaintiffs’ injuries, including unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees.” With the stroke of his pen, the Judge breathed new life into Consumer Data Breach litigation. He freely noted, however, that “should discovery fail to bear out Plaintiffs’ allegations, Target may move for summary judgment on the issue.” Unfortunately, with the settlement of the Consumer portion of the case, we will be robbed of the opportunity to see how deep the rabbit hole of standing goes with regard to Target.
The rulings in the Target cases appear to lower the threshold for standing in these data breach cases. At the very least, they will allow these suits to become more robust rather than being ousted immediately. Unfortunately for consumers, the breaches and compromises of personal information carry on.
In an article titled “Are Data Breaches A Victimless Crime?”, Paul Roberts noted that “Home Depot is asking a federal court in Atlanta to dismiss that suit, claiming that the consumers behind it cannot prove they were damaged by the breach.” The rulings in Target’s and other cases give life to Roberts’ hope that “…the courts see through Home Depot’s porous reasoning and allow consumers to pursue their case!” Much like the Target cases, the Home Depot cases have been split between the Financial Institutions and Consumers harmed by the breach. The Home Depot cases sit on the precipice: on one side is Consumer Protection, and on the other, protection of Corporations. If the judge in this case decides to ignore Judge Magnuson’s precedent, it may very well strike a death blow to the standing of the consumer plaintiff. The fate of the Financial Institution Plaintiff appears a bit more predictable in that they can show the very real costs associated with the mass replacing of credit and debit cards without reimbursement.
If the courts fail to allow Consumers through the initial gate of standing, then the duty should fall to the legislature to provide these protections. Unfortunately, as Roberts notes in his piece “Bill in U.S. House would Open Doors to Threat Intel Sharing,” the focus of any legislation has been on the potential for abuse by the nation’s intelligence community. While it is important for Congress to be forward-looking, it should not forget about the victims after the fact. As it did in the Anticybersquatting Consumer Protection Act, the legislature, at a federal level, should codify the rights of Consumers with regard to the processing and treatment of their personal data. The argument that the states are equipped to handle such legislation is spurious at best – these attacks generally affect parties across multiple national (and international) borders. A uniform set of protections and rights is the key to ensuring that businesses responsible for processing sensitive personal information take the steps necessary to prevent breaches.
Darren Greaney is general counsel at Digital Guardian.