BreachExchange mailing list archives

Some Good News for Data Breach Victims, For A Change


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 22 Jul 2015 18:57:08 -0600

http://www.forbes.com/sites/daniellecitron/2015/07/21/some-good-news-for-data-breach-victims-for-a-change/

Hackers breach a company’s database, stealing consumers’ confidential
financial information, real names, and home addresses. If consumers spend
considerable time and money to minimize their risk of fraud, have they
suffered harm? Does the increased risk of identity theft count as harm?

Most of the time, the answer is no. Most federal courts refuse to open
their doors to data breach victims. This is true even when companies have
been careless about data security. Data insecurity is a serious national
crisis. In a letter to Congress, 47 of the state Attorneys General warned
that companies continue to fall down on the job of securing their systems.
They “fail to comply with their own security policies, ignore security
warnings, neglect to apply critical software patches, and fail to take
other measures to safeguard consumers’ information.” No matter how
egregious a company’s practices and no matter how determined hackers seem
to be, most federal courts have refused to hear plaintiffs’ cases on the
grounds that they lack standing under Article III of the Constitution. Why?
Plaintiffs have failed to satisfy Article III’s injury requirement, lower
federal courts have explained.

Yesterday heralded some encouraging news for plaintiffs. In a case handed
down yesterday, the Seventh Circuit ruled that a class of plaintiffs has
standing to sue Neiman Marcus in the wake of a malware breach that leaked
their debit and credit cards into the hands of hackers. Plaintiffs alleged
that the theft of their personal data increased their risk of identity
theft and future fraudulent charges. The breach allegedly caused 9,200 of
the plaintiffs to lose time and money to resolve fraudulent charges on
their cards, and for all of the class members to spend money to protect
against future identity theft. The district court dismissed the complaint
on the grounds that the data breach failed to inflict concrete injury on
the plaintiffs sufficient to warrant standing.

As the Seventh Circuit explained in Remijas v. Neiman Marcus Group,
“allegations of future harm can establish Article III standing if that harm
is ‘certainly impending,’ but ‘allegations of possible future injury are
not sufficient.’” The court held that for the 9,200 members of the class who
wrestled with fraud on their cards, identifiable, concrete costs associated
with sorting out the mess had been suffered. Time spent to set things
straight, to reset payment associations after the change of credit cards,
and to pursue relief for unauthorized charges constitute real injuries for
the purpose of standing.

What about the rest of the class who had not yet suffered fraud but who
took “immediate preventative measures” to prevent fraud, including
replacing their cards and monitoring their credit scores? The defendant
argued that such injury was too speculative to serve as an injury-in-fact
because plaintiffs would be reimbursed for fraudulent charges as a matter
of common credit-card-company practice. On this point, the court found
“a material factual dispute” as to the “class members’ experiences and the
content of, and the universality of, bank reimbursement policies.”

The key point of disagreement between the district court and the Court of
Appeals was the significance of the Supreme Court’s decision in Clapper v.
Amnesty International. In Clapper, attorneys, journalists, and human rights
activists challenged the constitutionality of a provision of the Foreign
Intelligence Surveillance Act (FISA), which expanded the government’s
authority to conduct surveillance over non-U.S. persons. Plaintiffs argued
that there was an “objectively reasonable likelihood” that communications
with clients and sources would be monitored, forcing them to spend money
and time to protect the confidentiality of their international
communications.

Although the Second Circuit found that plaintiffs’ precautionary measures
amounted to a concrete injury since they were taken in response to a
reasonable fear of governmental action, a majority of the Supreme Court
ruled that plaintiffs had no standing to challenge FISA. According to the
Court, plaintiffs were speculating about governmental surveillance and that
“allegations about possible future injury are not sufficient” to establish
injury. Plaintiffs’ fear of surveillance was unwarranted because it was
based on a “highly attenuated chain of possibilities.” Those contingencies
included the fact that the government would have to target plaintiffs’
clients for surveillance, that the Foreign Intelligence Surveillance Court
would have to sanction the surveillance, and that the government would have
to succeed in intercepting plaintiffs’ conversations with clients. The
Court held that plaintiffs’ “fears of hypothetical future harm” did not
justify the countermeasures they took.

In Remijas, the Seventh Circuit explained, “Clapper does not foreclose any
use of future injuries to support Article III standing.” It did not
“jettison the ‘substantial risk’ standard,” an important point that the
district court disregarded (and as have so many courts since the Clapper
decision was handed down). As the court noted, the Clapper decision
recognized “our cases do not uniformly require plaintiffs to demonstrate
that it is literally certain the harms they identify will come about. In
some instances, we have found standing based on a ‘substantial risk’ that
the harm will occur, which may prompt plaintiffs to reasonably incur costs
to mitigate or avoid that harm.” The court found that unlike in Clapper
where “there was no evidence to suggest that respondents’ communications
either had been or would be monitored,” there is “no need to speculate as
to whether the Neiman Marcus customers’ information had been stolen and
what information was taken.” It was in the hands of hackers who used
malware to breach the defendant’s systems. The risk that plaintiffs’ data
would be misused was immediate and very real. Crucially, for the Court,
“[r]equiring the plaintiffs to wait for the threatened harm to materialize
in order to sue would create a different problem”—that of causation. “The
more time that passes between a data breach and an instance of identity
theft, the more latitude a defendant has to argue that the identity theft
is not ‘fairly traceable’ to the defendant’s data breach.”

Now for a key finding: “it is plausible to infer that the plaintiffs have
shown a substantial risk of harm from the Neiman Marcus data breach. Why
else would hackers break into a store’s database and steal consumers’
private information? Presumably, the purpose of the hack is, sooner or
later, to make fraudulent charges or assume those consumers’ identities.
The plaintiffs are also careful to say that only 9,200 cards had
experienced fraudulent charges so far; the complaint asserts that
fraudulent charges and identity theft can occur long after a data breach.”
On remand, the district court “may want to look into the length of time
that a victim is truly at risk.” According to a GAO report, the risk that
stolen data will be used for identity theft is usually a year. But, as the
court in Remijas explained, more data may shed light on the question.

What about the financial losses incurred by class plaintiffs to protect
themselves against future identity theft and fraudulent charges? The court
explained that customers, having been notified about the breach, might
think it essential to purchase identity theft protection services to
minimize the impact of fraud. For the court, the cost of credit-monitoring
services is a real injury, not a de minimis harm that can be ignored.

As for the argument that plaintiffs have a concrete injury in the loss of
their private information, an intangible commodity, the court explained
that they cite no statutory authority recognizing such a property right.
The court notes, in a seeming nod to the impending Spokeo case now before
the Supreme Court, that “the actual or threatened injury required under
Article III can be satisfied solely by virtue of an invasion of a
recognized state-law right.” The problem for plaintiffs is that the
applicable state laws fail to posit a statutory right that has been
invaded. The court further rejected the defendant’s arguments about
causation and redressability, both essential for standing. It was
“plausible for pleading purposes that plaintiffs’ injuries are ‘fairly
traceable’ to the data breach.” Mitigation expenses or future injuries
related to the failure to obtain full reimbursement for unauthorized
charges are redressable injuries.

The defendant was unsuccessful in its argument that plaintiffs failed to
state a claim upon which relief can be granted under Federal Rule of Civil
Procedure 12(b)(6). This was because the district court failed to reach
that ground and defendant had failed to seek that additional relief and
file a cross-appeal. That was unfortunate because it would be helpful for
the Seventh Circuit to tackle the cognizability of the harm squarely. As
Professor Daniel Solove has highlighted in a series of recent posts, courts
have difficulty understanding and recognizing privacy harms.

Data breaches and other privacy violations leave individuals and society
worse off, but the courts have had difficulty recognizing the harm
suffered. The aggregate harm inflicted is profound even in cases when the
individual harm is small. Privacy violations produce emotional distress.
They make us vulnerable to fraud, identity theft, and other abuses and
force us to incur expenses to protect ourselves. They destroy reputations
and relationships. They rob us of essential decisions and chill expression.
In other areas of the law, our understanding of harm has evolved with the
evolution of technology and social practices. Daniel Solove and I are
working on a project exploring the extent to which our understanding of
privacy harms should evolve as well.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss