Limited Relief for Individuals Affected by a Breach of Personal Information

Even though a private sector entity’s unlawful disclosure of a customer’s personal information can subject that entity to liability, that liability does not always mean damages for the affected individuals. The two primary ways private sector entities incur liability as a result of a cyber attack are having ineffective personal information protection systems or failing to properly disclose a breach to affected parties. Digital personal information protection is a fledgling legal concept, with the majority of legislation and precedent arising out of the past decade. Additionally, the general regulations governing the protection and breach disclosure protocols of personal information exist primarily at the state level. Federal personal information protection regulations apply only to specific entities such as health care providers and financial institutions.

In an effort to prevent the disclosure of personal information stored by private sector entities, a number of states have enacted legislation that requires entities that own or license personal information about a resident of their state to use reasonable care to protect the information.[i] A handful of states have gone beyond the reasonable care standard to enact legislation with more specific and stringent standards. For example, Massachusetts requires that entities who own or license personal information about a resident of Massachusetts maintain a “comprehensive information security program.”[ii] The regulations set minimum standards for data protection which include: designating staff to maintain an information security program, identifying and assessing reasonably foreseeable internal and external risks, regular monitoring, and contracting with third parties to maintain security protocols.[iii] Additionally, Massachusetts and Nevada require entities to encrypt personal information electronically transmitted outside of a secure network.[iv]

In addition to laws requiring that entities protect personal information, there are also laws requiring that entities inform affected individuals when a breach occurs. In the past decade a majority of states have enacted data security breach notification laws (“SBNLs”). These laws require businesses that maintain computerized personal information to notify, within a reasonable amount of time, any individuals whose personal information has been compromised. In 2002, California became the first state to enact a SBNL with the passage of the California Security Breach Notification Act.[v] Since 2002, a total of forty-six states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted security breach notification laws.[vi]

A majority of the SBNLs that have been subsequently adopted are modeled after California’s original legislation and in general regulate the form and content of notifications.[vii] For instance, in California statutory minimal standards require specific information, written in plain language, to be included in every notice.[viii]

An entity’s liability following a failure to timely disclose a breach of personal information does not necessarily equate to an award of damages, because plaintiffs are substantially limited by the inability to prove actual damages. This is true even in states that specifically allow civil actions.[ix] For example, take Ponder v. Pfizer, Inc., in which Pfizer was sued by an employee representing a class of approximately 17,000 current and former employees who alleged that Pfizer violated Louisiana’s Security Breach Notification law by waiting nine weeks to notify affected individuals of the breach.[x] The Court avoided the issue of whether the delayed notification violated Louisiana’s SBNL and dismissed the complaint for failure to state a claim for actual damages.[xi] The court found that the cost of “monitoring their credit” and “scrutinizing account statements” were not actual recoverable damages.[xii]

In a majority of states, claims for negligent protection of personal information fail for lack of cognizable damages just the same as similar claims brought under SBNLs. For example, in Ruiz v. Gap, Inc., Plaintiffs alleged that as a result of Defendants’ negligence Plaintiffs’ personal information was compromised, placing them at an increased risk of identity theft.[xiii] As to damages, Plaintiffs alleged that the breach would cost them time and money to protect and monitor their identities.[xiv] Plaintiffs compared this type of long-term monitoring cost to medical monitoring cases, where individuals were exposed to toxic substances which increased the probability of developing serious medical conditions and required preventative testing.[xv] The Court struck this argument down for two reasons: first, Plaintiffs had not adequately proved that lost-data cases should be treated as analogous to medical monitoring cases.[xvi] Second, the test for medical monitoring cases is extensive and Plaintiffs would not be able to pass a version modified to fit data-loss cases.[xvii] In the end, the Court held that, “[a] breach of a duty causing only speculative harm or the threat of future harm does not normally suffice to create a cause of action for negligence.”[xviii]

As long as courts refuse to recognize the increased risk of harm that results from a breach of personal information as actual damages, the affected individuals will be forced to bear the burden of personal information breaches.


[i] See Md. Code Ann., Com. Law § 14-3503 or Ark. Code Ann. § 4-110-104 for a sample reasonable care statute.

[ii] 201 Mass. Code Regs. 17.03

[iii] See 201 Mass. Code Regs. 17.03 for a complete list of the minimal requirements of the comprehensive information security program.

[iv] 201 Mass. Code Regs. 17.04 and Nev. Rev. Stat. Ann. § 603A.215

[vi] See http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx for a complete list of states with security breach notification laws.

[vii] California’s current security breach notification law states in part that,  “Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” Cal. Civ. Code § 1798.82 (2012)

[viii] The security breach notification shall include, at a minimum, the following information:

(A) The name and contact information of the reporting person or business subject to this section.

(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.

(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.

(D) Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.

(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.

(F) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.

Cal. Civ. Code § 1798.82 (2012)

[ix] La. Rev. Stat. Ann. § 51:3075

[x] Ponder v. Pfizer, Inc., 522 F. Supp. 2d 793, 795 (M.D. La. 2007)

[xi] Id. at 798.

[xii] Id. at 798.

[xiii] Ruiz v. Gap, Inc., 622 F. Supp. 2d 908, 913 (N.D. Cal. 2009) aff’d, 380 F. App’x 689 (9th Cir. 2010)

[xiv] Id.

[xv] Id. at 913-914. See In re Mattel, Inc., 588 F. Supp. 2d 1111, 1116-17 (C.D. Cal. 2008) and Potter v. Firestone Tire & Rubber Co., 6 Cal. 4th 965, 1009, 25 Cal. Rptr. 2d 550, 863 P.2d 795 (1993) for medical monitoring cases.

[xvi] Ruiz at 914.

[xvii] Id.

[xviii] Id. at 913.


~ by rsparksj on October 28, 2012.

11 Responses to “Limited Relief for Individuals Affected by a Breach of Personal Information”

  1. This sounds like the type of situation where statutory damages are ideal. In the consumer context, you don’t have to prove actual damages in order to sue for violations of the Fair Debt Collections Practices Act or Truth in Lending Act. Instead, a statutory penalty applies ($1000 in the former and $2000-$4000 in the latter). Actual damages come in as additional damages in the suit, not an either/or like the Copyright Act.

    If a legislature decides to impose statutory damages for the cost of data breaches, it should be calculated to include the cost of ID theft prevention services, credit monitoring, contacting credit bureaus and other entities who have the information, and a sort of punitive aspect in order to encourage companies to comply.

  2. This is an example of a recent breach involving Facebook in which it is very unlikely that SBNLs will require disclosure to affected individuals.

    http://arstechnica.com/security/2012/10/facebook-tries-cloaking-probe-into-data-leak-involving-1-million-accounts/

  3. Like Zack, my first instinct was that we should enact laws that include damages of a certain amount. At the very least the legislature should instruct courts to recognize the cost of protecting personal information. There must be enough information out at this point to have some statistical data on the cost increases of having your personal information stolen when an unlawful disclosure has been made by a private entity. And there also should be enough information to come up with some sort of average cost to fix the situation. Between money spent using a credit card and time spent dealing with paperwork and phone calls, the cost can and should be qualified in terms of damages. I know people who have had their identity stolen and years later they are still dealing with the ramifications. It can be very costly and stressful to people and there should be an adequate remedy or else businesses will continue to not do enough to protect our information.

  4. Another recent example is the $5 million class-action lawsuit filed by a user of LinkedIn against the company after the breach of its website revealed 8 million passwords (June 20, 2012). Interestingly, that lawsuit has gone the breach of contract route (along with violation of the California Consumer Legal Remedies Act) asserting that the company did not live up to its privacy policy promises that “all information provided will be protected with industry standard protocols and technology.”

    Technically, the lawsuit has some basis for its contention that security practices were sub-par. LinkedIn was hacked by a SQL Injection attack, a type of database exploit where rogue commands are sent to the database. This type of attack has been known at least since 2001. Security-oriented programming practices and properly constricting the data retrieval rights of remote users are the simple, state of the art steps usually taken.

    Further, the data which was stolen was a list of the “hashed” passwords of all users. Hashing keeps the password from being human-readable, but it is susceptible to a type of attack called a dictionary attack. This technique involves pre-computing the hash values of large numbers of password combinations, which can then be compared in reverse to the stolen hash value to determine the originating plain text password. Good password storage practice involves “salting” the hash with an unknown extra value before the hash is computed, which makes using a dictionary attack difficult to impossible. The salting of hashed passwords is a technique which has been used since the early days of password hashing and has been routine practice for web databases for at least 10 years.

    One other interesting side note: In 2011, Sony was sued under similar circumstances for a data breach involving the passwords of 77 million users of the PlayStation Network. Its response? To alter its terms of service agreement to prohibit users from filing class-action lawsuits!
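The contrast between bare and salted password hashing that the comment above describes, shown as an added example (not code from the commenter, from LinkedIn, or from any of the companies discussed). It uses only the Python standard library; the three "weak passwords" and the tiny precomputed table are constructed for illustration, and the record format `pbkdf2_sha256$iterations$salt$hash` is an assumed convention, not any vendor's. The hardened version also goes one step beyond the comment by using an iterated key derivation function (PBKDF2) on top of the per-user salt, which is what current storage guidance recommends.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: a handful of weak passwords and their bare SHA-256
# digests, standing in for the much larger precomputed tables the comment
# calls a dictionary attack. Example values only, not data from any breach.
WEAK_PASSWORDS = ["password", "123456", "letmein"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in WEAK_PASSWORDS}


def unsalted_hash(password: str) -> str:
    """The weak storage pattern: a bare, unsalted hash.

    Every user with the same password gets the same digest, so a single
    precomputed table answers every record in a stolen database at once.
    """
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_unsalted(stored_hash: str) -> Optional[str]:
    """Defender's check: does a stored bare hash appear in the precomputed table?

    A hit means that record would have been trivially recoverable.
    """
    return PRECOMPUTED.get(stored_hash)


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> str:
    """Hardened pattern: random per-user salt plus an iterated KDF.

    PBKDF2-HMAC-SHA256 with a 16-byte salt. The salt is stored alongside the
    digest (it is not secret); its job is to make every record unique so no
    table can be computed in advance, and the iteration count makes each
    guess expensive. Record layout is an assumed convention for this example.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and parameters and compare
    in constant time, so verification leaks nothing through timing."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def salted_record_in_table(record: str) -> bool:
    """Audit helper: is the digest part of a salted record present in the
    precomputed table? It never is, which is the whole point of salting."""
    return record.split("$")[3] in PRECOMPUTED


if __name__ == "__main__":
    bare = unsalted_hash("password")
    print("bare hash recovered from table:", lookup_unsalted(bare))
    rec1 = salted_hash("password")
    rec2 = salted_hash("password")
    print("same password, different records:", rec1 != rec2)
    print("salted digest in table:", salted_record_in_table(rec1))
    print("verify correct:", verify_salted("password", rec1))
    print("verify wrong:", verify_salted("123456", rec1))
```

Running it shows that the bare hash of a weak password is found immediately in the table, while two salted records for the same password differ from each other and neither digest appears in any table computed ahead of time; only the verify function, which has the stored salt, can confirm a candidate password.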

  5. I would echo the previous posters’ sentiment that legislation setting specific damages does seem to be the best solution to ensuring that customers are provided with some form of relief when their information is hacked. Kevin’s mention of the Sony case also suggests that legislation should come sooner rather than later so that companies don’t attempt to foreclose redress by other means. In addition to Sony’s change of its service agreement, I think that the LinkedIn lawsuit may lead some companies to alter their pledge to keep information private. While I’m sure that few of us would want to share our sensitive information without such a promise, as we have discussed in class most of us ignore the terms of service when signing up for a service. Subtle wording changes may be all that is necessary to relieve companies of the burden of keeping our information secure.
    I would also add that this topic highlights an important point that even when we aren’t posting our thoughts on Facebook or sending out a tweet, our personal information is vulnerable to being publicly disseminated. Our schools, employers, hospitals and banks all keep detailed accounts of valuable information, a fact that should put even more pressure on our representatives to pass legislation to afford people remedies when security measures fail.

  6. If it is essentially impossible for a Plaintiff to recover damages, is there anything that actually deters the behavior it is trying to prevent?

    Statutory damages seem like a decent idea. Viscerally, I wanted large punitive damages, but upon reflection it seems ill-advised. Such damages would make business online a serious liability because just about every company is at a serious risk, if not inevitable, of a security breach. IEEE is the “largest technical industry association worldwide, managing, maintaining and approving standards such as the current Ethernet and Wi-Fi specifications,” and they exposed 100k passwords. (http://www.h-online.com/security/news/item/IEEE-data-breach-exposes-100-000-plain-text-passwords-1717358.html) Maybe punitive damages could be drafted into the statutes as a remedy for gross negligence, like the breaches at IEEE and LinkedIn above most likely were.

    This is a serious problem and the biggest take away as a consumer is to consistently change all your passwords on a regular basis, watch out for any news regarding a security breach, use many different passwords, and don’t use common passwords. Like that is really a feasible plan, but we should do it anyway.

  7. I agree with Zack and Nicole that this seems like an area where statutory damages would be helpful. One potential problem with statutory damages, however, is that although they can be reasonably calculated to cover the average costs of a stolen identity, it can often make it difficult for those with above average actual damages to receive total reimbursement. One of the reasons for this is because the statutory amount is often seen as all that is necessary to make someone whole again and the burden of proving that a particular individual’s damage exceeds that amount is heightened. This heightened burden can prevail in the minds of judges and juries even when there is language in the statute that provides for additional damages when actual harm is shown.

    Another consideration is whether or not having a statutory damage amount for all victims would give incentive for organizations not to disclose security breaches. If the cost for an individual to obtain representation and determine if his information was breached was greater than the statutorily outlined amount, people may not make the effort to determine if their information was breached until it was too late (i.e. the statute of limitations had run or irreversible damage had already occurred).

  8. As the previous comments have stated here, statutory damages seem like the best option at this point when dealing with private information breaches. However, I do agree with Juan that statutory damages might just be a temporary solution. Damages might help victims deal with the costs of stolen identity, but it will not help bring back peace of mind or any other severe implications of identity theft. Although the failure of awarded damages to make a victim whole again is not unique within the legal system, it does pose a specific problem in regards to identity theft because of the long-term implications and problems that arise. I also know a few people that have been the victims of identity theft, and I know one in particular that is still trying to fix their situation and pick up the pieces after they lost their financial credit. To be quite honest, I believe courts are wrong in placing identity theft in a different category than medical monitoring cases.

    To me both medical monitoring cases and identity theft cases are so personal that the legal system must, or should, acknowledge the importance of protecting the public against either and compensating those who fall victim to either. After all, is there anything more important to a human being than his health or personal finances?

  9. It does seem if a statutory penalty is not provided, the courts must do a better job of analyzing the costs associated with monitoring credit after a breach. It is much easier when the customer is actually hacked after a breach. You can identify missing money, overdraft charges, etc., but even that does not account for the literally hundreds of hours it takes the customer to get everything straightened out. Juan also makes a good point about customers whose costs go beyond the statutory amount.

    We talked extensively about the fact that the ToS basically only protects the company providing the software and leaves little real protection for the user. Sony’s move to insulate itself from liability demonstrates the weakness in relying on protections provided by the ToS or EULA agreements. Did any of you receive notice when the parent company for TJ Maxx was hacked?

  10. I agree with Amy, statutory damages seem like the best way to go, but the true extent of the damages incurred by someone who is a victim of such a breach is nearly impossible to measure. Giving out information online has become somewhat commonplace and most people don’t think twice about entering their name, address, and credit card numbers on websites that they think are secure. Especially when providing their information to well respected retailers, most people assume that their information is in good hands. The repercussions of having one’s information stolen undoubtedly go beyond the monetary implications of the breach. It seems that a system needs to be developed that better calculates the damages incurred by victims of personal information theft. Additionally the repercussions for not properly informing victims after a breach has occurred should be high enough to motivate retailers to notify victims as quickly as possible. Then the victims could potentially try to minimize damages by canceling cards and protecting information.

  11. The flipside of Juan’s concern that statutory damages would discourage companies from notifying customers of a breach of security is that companies would view these damages as an incentive to prevent them in the first place. There could also be increased statutory damages if a company fails to notify customers in a reasonable time.

    In line with Kelly’s point that prompt notification could also help mitigate the damages for consumers, there could be a decreased statutory damage amount if companies promptly notify and provide services to help ease the burden of an affected customer.
