The Harm from Data Breaches

When private information is exposed in a corporate data breach, consumers are understandably upset. Some will want redress and turn to the court system, but the courts are there to remedy injuries. Exactly what are the injuries from the exposure of private data? Sure, if a fraudster uses the data to create a fake identity, the consumer has an injury. But, is someone’s unauthorized possession of your private data an injury by itself?

In 2017, hackers broke into the databases of Equifax, a large credit reporting agency. The personal information of over 150 million Americans was compromised. The hackers stole names, Social Security numbers, birth dates, addresses, driver’s license numbers, and other information. In the lawsuits that followed, Equifax has argued that the consumers did not suffer any injury or at least not the kind of injury that a court can fix.

That position did not sit right with Congresswoman Katie Porter who, when questioning the CEO of Equifax at a congressional hearing, asked if he would mind sharing his social security, birth date, and home address. Quite understandably, Equifax’s CEO declined to disclose this information, noting he had been the victim of identity fraud himself and “like all Americans” was “concerned about his sensitive information.” Porter ably pointed out the inconsistency between the CEO’s concerns his own private information and what his lawyers were arguing in court about what Equifax had done to other’s private information.

The judge in the case has ruled against Equifax, allowing the lawsuit to move forward in the trial court. The case is still at an early stage, and it could be quite a while before there is any resolution.The issues in the Equifax case are hardly unique as demonstrated by a recent decision of our own state supreme court. In Rosenbach v. Six Flags, the Six Flags Amusement Park had been using thumbprints to identify holders of season passes. When someone purchased a season pass, Six Flags took a scan of the person’s thumbprint. A card and the thumbprint were then literally the ticket to admission for the rest of the season.

 Under the Illinois Biometric Privacy Information Act, anyone who collects biometric identifiers like a thumbprint must inform the person in writing that a biometric identifier is being collected, the purpose of collecting it, and the length of time it will be stored. The person providing the biometric identifier also must sign a release. Six Flags did none of this and was sued in a class action by the mother of a 14-year old boy whose thumbprint it had collected. Six Flags’ defense was similar to Equifax – the boy had not suffered any injury. The Illinois Supreme Court, however, said the statute allows anyone who is “aggrieved” to sue and anyone whose information was taken in violation of the statute was aggrieved. The plaintiff did not have to show any injury beyond the violation of the statute.

 The Illinois case might seem to point a way forward – an injury occurs when a data breach violates a statute. The problem is that argument won’t wash in federal court where an injury is a constitutional requirement to bring a lawsuit. In a case called Spokeo v. Robins, the U.S. Supreme Court ruled that the injury had to be something more than just a violation of a statute. The plaintiff must have suffered a concrete harm. Although the trial judge in the Equifax case found a concrete harm, that decision may be appealed, and the law is still developing. The Six Flags case turned out differently because it was a lawsuit in state court over a state statute. The state of Illinois can adopt whatever rules it wants to determine who can bring a lawsuit in its courts. To provide remedies for data breaches, the most effective solutions in the future may come from the state courts.