Limited Relief for Individuals Affected by a Breach of Personal Information
Even though a private sector entity’s unlawful disclosure of a customer’s personal information can subject that entity to liability, that liability does not always translate into damages for the affected individuals. The two primary ways private sector entities incur liability as a result of a cyber attack are either by having ineffective personal information protection systems or by failing to properly disclose a breach to affected parties. Digital personal information protection is a fledgling legal concept, with the majority of legislation and precedent arising out of the past decade. Additionally, the general regulations governing the protection of personal information and the breach disclosure protocols exist primarily at the state level. Federal personal information protection regulations apply only to specific entities such as health care providers and financial institutions.
In an effort to prevent the disclosure of personal information stored by private sector entities, a number of states have enacted legislation that requires entities that own or license personal information about a resident of their state to use reasonable care to protect the information.[i] A handful of states have gone beyond the reasonable care standard to enact legislation with more specific and stringent standards. For example, Massachusetts requires that entities who own or license personal information about a resident of Massachusetts maintain a “comprehensive information security program.”[ii] The regulations set minimum standards for data protection, which include: designating staff to maintain an information security program, identifying and assessing reasonably foreseeable internal and external risks, regular monitoring, and contracting with third parties to maintain security protocols.[iii] Additionally, Massachusetts and Nevada require entities to encrypt personal information electronically transmitted outside of a secure network.[iv]
In addition to laws requiring that entities protect personal information, there are also laws requiring that entities inform affected individuals when a breach occurs. In the past decade a majority of states have enacted data security breach notification laws (“SBNLs”). These laws require businesses that maintain computerized personal information to notify, within a reasonable amount of time, any individuals whose personal information has been compromised. In 2002, California became the first state to enact an SBNL with the passage of the California Security Breach Notification Act.[v] Since 2002, a total of forty-six states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted security breach notification laws.[vi]
A majority of the SBNLs that have been subsequently adopted are modeled after California’s original legislation and, in general, regulate the form and content of notifications.[vii] For instance, California’s statutory minimum standards require specific information, written in plain language, to be included in every notice.[viii]
An entity’s liability following a failure to timely disclose a breach of personal information does not necessarily equate to an award of damages, because plaintiffs are substantially limited by their inability to prove actual damages. This is true even in states that specifically allow civil actions.[ix] Take, for example, the case of Ponder v. Pfizer, Inc. Pfizer was sued by an employee representing a class of approximately 17,000 current and former employees who alleged that Pfizer violated Louisiana’s Security Breach Notification law by waiting nine weeks to notify affected individuals of the breach.[x] The Court avoided the issue of whether the delayed notification violated Louisiana’s SBNL and dismissed the complaint for failure to state a claim for actual damages.[xi] The Court found that the cost of “monitoring their credit” and “scrutinizing account statements” were not actual recoverable damages.[xii]
In a majority of states, claims for negligent protection of personal information fail for lack of cognizable damages, just the same as similar claims brought under SBNLs. For example, in Ruiz v. Gap, Inc., the plaintiffs alleged that as a result of the defendants’ negligence their personal information was compromised, placing them at an increased risk of identity theft.[xiii] As to damages, the plaintiffs alleged that the breach would cost them time and money to protect and monitor their identities.[xiv] The plaintiffs compared this type of long-term monitoring cost to medical monitoring cases, where individuals were exposed to toxic substances that increased the probability of developing serious medical conditions and required preventative testing.[xv] The Court struck this argument down for two reasons: first, the plaintiffs had not adequately shown that lost-data cases should be treated as analogous to medical monitoring cases.[xvi] Second, the test for medical monitoring cases is extensive, and the plaintiffs would not be able to pass a version modified to fit data-loss cases.[xvii] In the end, the Court held that “[a] breach of a duty causing only speculative harm or the threat of future harm does not normally suffice to create a cause of action for negligence.”[xviii]
As long as courts refuse to recognize the increased risk of harm that results from a breach of personal information as actual damages, the affected individuals will be forced to bear the burden of personal information breaches.
[i] See Md. Code Ann., Com. Law § 14-3503 or Ark. Code Ann. § 4-110-104 for a sample reasonable care statute.
[ii] 201 Mass. Code Regs. 17.03
[iii] See 201 Mass. Code Regs. 17.03 for a complete list of the minimal requirements of the comprehensive information security program.
[iv] 201 Mass. Code Regs. 17.04 and Nev. Rev. Stat. Ann. § 603A.215.
[vi] See http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx for a complete list of states with security breach notification laws.
[vii] California’s current security breach notification law states in part that, “Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” Cal. Civ. Code § 1798.82 (2012).
[viii] The security breach notification shall include, at a minimum, the following information:
(A) The name and contact information of the reporting person or business subject to this section.
(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.
(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.
(D) Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.
(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.
(F) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.
Cal. Civ. Code § 1798.82 (2012).
[ix] La. Rev. Stat. Ann. § 51:3075.
[x] Ponder v. Pfizer, Inc., 522 F. Supp. 2d 793, 795 (M.D. La. 2007).
[xi] Id. at 798.
[xii] Id. at 798.
[xiii] Ruiz v. Gap, Inc., 622 F. Supp. 2d 908, 913 (N.D. Cal. 2009), aff’d, 380 F. App’x 689 (9th Cir. 2010).
[xv] Id. at 913-914. See In re Mattel, Inc., 588 F. Supp. 2d 1111, 1116-17 (C.D. Cal. 2008) and Potter v. Firestone Tire & Rubber Co., 6 Cal. 4th 965, 1009, 25 Cal. Rptr. 2d 550, 863 P.2d 795 (1993), for medical monitoring cases.
[xvi] Ruiz at 914.
[xviii] Id. at 913.