Ten Things You Should Know About the Law and Social Media: When Bad Judgment Goes Viral, Watch Out!

 1.     The things you say may have legal consequences: Be careful what you say about people on Facebook, Twitter, or other forms of social media. What you say may be libel. This extends to emails (especially in the work setting) where people say the dumbest, most abusive things possible, all of which can subject them to legal liability. Ask yourself: why is it lawyers always want emails in discovery? Although this does not relate to social media directly, we all remember the lawyers in the news recently for their racist and disgusting emails, which ripped their firm—a firm they started—apart. Ultimately, that story was spread by social media. If you say anything in an email, assume it never goes away. If someone says something horrible to you in an email, make sure you keep a record.

Do I keep such things, you may ask?

I won’t answer that question other than to say that I have a Master of Science in Library Science, and I’ve been a litigator for 18 plus years. And…I’ve published two short stories.

Surely those things cannot be related, right? What is it writes do? They describe. Of course, the fictional stories are made up. After all, it’s fiction.

2.     Get permission before using pictures, articles, or content written by someone else:  Using a person’s or corporation’s pictures, articles or other intellectual property without permission may be copyright infringement. This may subject you to a lawsuit for money damages. Copyright law can be quite thorny, especially with the new Copyright Claims Board, which is essentially a small claims court for copyright claims. This makes it easier to pursue such claims whereas before it was too expensive. Consider number 5, which relates to trademark issues as those may be raised as well.

Donate through Venmo

Donate through PayPal

3.     Do not say anything on social media sites you do not want repeated: Be careful about what you say and when you say it. There are numerous examples of employers seeing Facebook (or other social media posts) posts where people have said they never work at work; then the employer fires the employee. You can imagine other things people post online while clearly at work.

4.     Be careful about the pictures you post:  They might make you look bad (I don’t mean just appearance) or get you sued. Anyone remember what happened to Urban Meyer after those pictures of him at the bar surfaced?

5.     Do not use trademarks without permission: It is against the law to use a trademark without permission. Examples of trademarks include McDonald’s golden arches, Allstate’s good hands, and anything else that may be or is intellectual property.

6.     Watch out for spammers:  Be wary of spammers on Facebook, your phone, email, and other social media outlets. They may be trying to steal your identity. One recent scam is that Facebook scam on Facebook Marketplace where a potential buyer wants a Google Code to “verify you are who you say you are.” It’s a scam.

7.     Refrain from giving TMI (Too Much Information):  Some people chronicle their entire lives on Facebook, which, although entertaining (we love to watch a good train wreck),it can create all kinds of issues. For example, this exposes you to identity theft and blackmail. It can also be used to piece together what’s known as a “synthetic identity” for you, which can result in theft of your information and resources.

8.     Assume what you say never goes away: The internet is vast, and things said on the internet never go away. In other words, what you say may come back to haunt you. If you doubt me, look at the “WayBack Machine,” which takes snapshots of the Internet even if those snapshots no longer exist on websites. It is run by the Internet Archive, which is tasked with preserving the internet.

9.     Police catch criminals by reading their Facebook pages all the time: Criminals like to brag, and they often do so on Facebook. Police know this, and they catch criminals this way all the time. They use TikTok, Twitter, and other social media as well. This applies to other situations that are not of the criminal variety.

10.  Assume people Google you and look at social media about you: I look people up on Facebook, TikTok, Twitter, and other social media all the time. But the first thing I do is Google them, which can tell you a lot very quickly and cheaply. What people say on social media outlets says a lot about them.

Thanks for reading. Feel free to email me at michaelwuva78@gmail.com or michael@wellslaw.us. I use both.

Donate through Venmo

Donate through PayPal

For Whom Does the Ambulance Bell Toll?

Corporations can be terrible, but so can greedy lawyers.

Data breach class actions have spawned a whole new breed of class action lawyers—I can’t wait for John Grisham to jump on them.

I believe corporations and other entities should be held legally accountable. Sometimes the only way to do that is with a lawsuit. At times, single lawsuits wouldn't work, and similarly aggrieved people must band together. This is what happens in a class action lawsuit, which allows representative plaintiffs to act as plaintiffs for their class. There are often multiple classes in a federal class action lawsuit. This is true in some state class actions as well. The settlements are often tens of millions of dollars, sometimes hundreds of millions of dollars.

Leave a comment

What do the class members get for all of this?

The suspense must be killing you…

Not much. Shocking…I know.

Between $13-$90 per person according to a 2019 empirical analysis done by Reuters.

Screwed by a spreadsheet warrior who is OCD.

I’m as pro-plaintiff as it gets, but I don’t like the direction of class actions in the data breach realm.

And what is the size of the average class action settlement? $56.5 million. Furthermore, the median claims rate (according to the FTC) is 9%. Contrast that with the average personal injury settlement where the average settlement is $60,000 plus. Usually this would mean $20,000 for the medical bills, $20,000 for the client to walk away with, and $20,000 for the lawyer. Now, the standard fee is 40% if a lawsuit is filed, but, if the lawyer can resolve it without a bunch of time and costs, then it can be a good idea to split 1/3 1/3 1/3.

What do lawyers make in class action lawsuits? Well...the defense lawyers make hundreds of thousands of dollars defending these massive lawsuits, and the plaintiffs lawyers get between 35-40%  of the total recovery on average. The more claims that are filed the smaller the payout for the class members. Lawyers can elect to take a percentage, or they can multiply their hourly rate times the hours they worked, and there is a formula that's applied. In larger states it's not unusual for lawyers to bill exorbitant rates ($500-$1,000). It's great for the lawyers, but most of the money goes to ID protection and credit monitoring neither of which help much.

So... What do you do when you hear lawyers talking about "truth, justice" and all those inflated and meaningless words in the context of many class actions? I'd be skeptical.

For whom does the ambulance alarm toll? It tolls for thee if the lawyer makes it only about him or her.

If you are an associate, it means you are lining the pockets of the ONLY person whose name is on the door. You must ask yourself, why is only this person’s name on the door? Reasonable minds can disagree, but it makes you wonder…and I don’t curse in emails. It’s bad for business.

Give me a mass action any day because at least clients will “get paid” as opposed to the chicken feed they make in class actions.

Mass actions are individual claims filed by individuals and settled on a case-by-case basis against a common defendant. The claims likely have similar elements to them, but they vary based on the specifics of each plaintiff’s case.

Quite frankly, when I worked on class actions, I got tired of making money for one guy—especially when the claimants made comparatively very little money. At most a few thousand? That’s nothing compared to what the lawyers make, which is hundreds of thousands if not millions.

How is this JUSTICE? Give me a freaking break.

I’ll tell you what kind of justice it is: ersatz justice.

Thanks for reading. Feel free to email me at michaelwuva78@gmail.com or michael@wellslaw.us. I use both.

Banks Stink at Cybersecurity, but why?

 Banks typically stink at protecting YOUR data; they know it; and they know better. Why is this? The main reason: GREED. They are cheap when it comes to cybersecurity because it allows them to pay their executives more. Oh...they like to blame lawyers and regulators, but that's all talk. It rings hollow. What’s that Bob Dylan says about money not talking? And swearing instead?

The banks "doth protest too much." 

Donate through Venmo

Donate through PayPal

Their bellyaching is meant to blind you to what they do, which is almost nothing. Banks are supposed to be secure. They aren't and likely won't be anytime soon. 

What that saying about _____ flowing down hill? You are at the bottom of that hill.

 Here are some ways banks screw up (almost all the time): 

1. Weak Cybersecurity Measures: Insufficient cybersecurity measures, such as outdated software or lack of regular security audits, can make banks vulnerable to hacking and data breaches. Just look at Wells Fargo, which CNN reports "has been plagued by scandal." Consumer deposits just disappeared back in March. This should come as no surprise since Wells Fargo settled a lawsuit for $3 billion back in 2020 over fake accounts; that’s not the only lawsuit they’ve settled in the last few years. They are serial defendants. One of the funniest and most absurd things I ever heard came from a lawyer who used to work for a large bank (it wasn't Wells Fargo), and he claimed the bank he worked for then cared about the people whose mortgages the banks held. I swear I think the dude was wearing an ascot as he said this.

Fortunately I wasn't near the guy because I spit out my coffee in shock over this absurd statement. Big. Banks. Do. Not. Care. They don't care. They have never cared. And they never will care. 

But…you need to care…a lot. And I care about what happens to you, dear reader, as we are all in this muck together.

2. Inadequate Data Encryption: If sensitive personal data is not properly encrypted, it can be easily accessed by unauthorized individuals during data transmission or storage.

3. Improper Data Handling: Banks might mishandle data by sharing it with third parties without consent or keeping it longer than necessary, increasing the risk of unauthorized access. In other words, they sell your data to third-parties, some of whom are not exactly above board.

4. Weak Authentication: Banks sometimes use weak authentication methods, like simple passwords or outdated security questions, making it easier for attackers to gain unauthorized access to accounts.

5. Lack of Employee Training: Without proper training, bank employees might inadvertently mishandle data, fall victim to social engineering attacks, or fail to recognize suspicious activities. People are the biggest problem with 91% of cybersecurity incidents coming from human error. 

6. Insufficient Access Controls: Poor access controls can allow unauthorized personnel to access sensitive customer information, increasing the risk of data breaches.

7. Inadequate Incident Response Plans: Without a robust plan in place, banks might struggle to respond effectively to data breaches, leading to prolonged exposure of sensitive information.

8. Ignoring Regulatory Compliance: Failure to comply with data protection regulations like GDPR or CCPA can result in legal consequences and damage to the bank's reputation. Reputation, of course, implies they have one that is worth damaging.

9. Overlooking Physical Security: Focusing solely on digital security while neglecting physical security measures can expose sensitive data to theft or unauthorized access.

10. Vendor Management Issues: Banks that work with third-party vendors must ensure these partners also adhere to stringent data protection practices, as vendor breaches can impact the bank's customers.

To mitigate these mistakes, banks need to invest in robust cybersecurity measures, implement strong encryption protocols, train employees on data privacy, regularly update their systems, and establish effective incident response plans. Additionally, staying informed about evolving cybersecurity threats and compliance requirements are essential to maintaining the security and trust of their customers. Of course, this would require caring about their customers, which they may not always do. In fact, I suspect they rarely care. If they did, they would protect their customers.

Thanks for reading. Feel free to email me at michaelwuva78@gmail.com or michael@wellslaw.us. I use both. 

The CCPA Should Scare You

 Introduction:

On November 3, 2020, Californians voted in favor of Proposition 24, which introduced amendments to the California Consumer Privacy Act (CCPA). These amendments are collectively known as the California Privacy Rights Act (CPRA) and went into effect on January 1, 2023. The CPRA expands and modifies the CCPA while establishing the California Privacy Protection Agency (CPPA) as the new administrator of the law. This post aims to provide an overview of the CCPA 2023 as amended by the CPRA.

A. Summary:

The CPRA amendment, which builds upon the existing CCPA framework, brings several significant changes. It expands the definition of a "business" by raising the threshold of consumers or households to 100,000 and includes "sharing" in addition to "selling" consumer information for reaching that threshold. Significantly, the CCPA (as amended by CRPA) no longer makes a distinction between “sharing” and “selling” consumer information. It is the same, and sharing personal information without permission may result in liability under the CCPA regardless of where you are located. You could even be located in North Carolina.

Donate through Venmo

Donate through PayPal

If you do business with a California consumer, you could fall under the purview of the CCPA.

Watch out for the “private right of action.”

The private right of action under the CCPA is expanded to include breaches of email addresses and passwords or security question answers that would allow access to a consumer's account. In other words, if you are a California resident, your email address cannot be taken, sold, or shared to a third party without your permission. Email addresses are deemed personal information worthy of protection, which makes a lot of sense given the value of the email addresses to businesses hoping to use information to make a sale or to sell the information itself.

The CPRA introduces new provisions, such as the inclusion of "sensitive personal information," an extended look-back period for consumer information requests, expanded consumer rights, and non-discrimination protections.

 B. Pleading Questions:

For lawyers, the question arises: how do you plead a CCPA claim under the CPRA amendment? When filing a complaint under the CCPA 2023, it is still appropriate to plead the CCPA itself, as the CPRA amendment is integrated into the CCPA framework. While it may be prudent to include a footnote acknowledging the CPRA amendment, it is not necessary. However, it is essential to update the definition of a "business" in complaints to reflect the new threshold of 100,000 consumers or households, and to recognize that both "selling" and "sharing" of consumer information count towards that threshold.

C. Main Points for Private Right of Action:

The CCPA is likely to be the model for comprehensive cybersecurity measures under federal law if Congress ever takes this kind of action. Below is a list of things to keep in mind when pleading a claim under the CCPA as amended by the CPRA.

1.  Pleading the CCPA: Complaints should continue to plead the CCPA, but the definition of a "business" must be updated to include the new threshold of 100,000 consumers or households, and "sharing" should be considered alongside "selling" for reaching that threshold.

2. Expanded Private Right of Action: The CPRA expands the private right of action to include breaches of email addresses in combination with passwords or security question answers, eliminating the need to tie such breaches to a specific category of "personal information" to trigger the notice provision and protections of the CCPA.

3. Introduction of "Sensitive Personal Information": The CPRA adds "sensitive personal information" to the existing category of "personal information." This includes biometric information for unique identification, personal health information, and personal information related to a consumer's sex life or sexual orientation.

4. Extended Look-Back Period: The CPRA allows consumers to request information beyond the usual 12-month period, if it is not impossible or disproportionately burdensome for businesses to provide. This expands the scope of consumer information requests.

5. Expanded Consumer Rights: The CPRA grants consumers the right to correct inaccurate information, opt out of sharing their personal information, and limit the use of their information. It also introduces non-discrimination protections to safeguard employees, job applicants, and independent contractors who exercise their rights under the CCPA.

   Leave a comment

D. Main Points "Fleshed Out":

Below are a few more things to keep in mind: 

1. Use of CCPA after January 1, 2023: The CCPA is still used even after the CPRA amendment.

2. The CPRA modified and expanded the CCPA without creating a separate law. Therefore, when referring to the law, it remains the CCPA.

3. Impact on the Definition of a "Business": The definition of a "business" 

The CPRA amendment to the CCPA introduces several changes that impact how businesses are defined and regulated under the privacy law. These changes broaden the scope and obligations for businesses in handling consumer data. Let's delve into the key modifications brought about by the CPRA.

a. Redefinition of "Business":

Under the original CCPA, a business was defined as an entity that met one or more of the following criteria: (A) had an annual gross revenue over $25 million, (B) possessed personal information of 50,000 or more consumers, households, or devices, or (C) derived 50% or more of its annual revenue from selling consumers' personal information.

The CPRA amends the definition of a "business" by increasing the threshold for the number of consumers or households from 50,000 to 100,000. This means that a business must now meet the requirement of buying, selling, or sharing the personal information of 100,000 or more consumers or households to be subject to the CPRA.

Moreover, the CPRA expands the definition of "business" to explicitly include the sharing of consumer information, treating sharing in the same way as selling. This change expands the reach of the CCPA, ensuring that businesses engaged in sharing consumer data on a large scale are also subject to the law's provisions.

b. Strengthened Private Right of Action:

The CPRA amendment enhances the private right of action provision under the CCPA. Previously, to trigger the notice provision and protections of the CCPA, a breach had to involve a category of "personal information." However, under the CPRA, a breach of an email address in combination with a password or security question and answer that would permit access to the consumer's account is sufficient to trigger the CCPA's provisions. This expansion removes the requirement of a breach involving personal information, thereby broadening the circumstances in which consumers can enforce their rights under the law.

c. Addition of "Sensitive Personal Information":

The CPRA introduces a new category called "sensitive personal information" under the CCPA. This includes all the elements of the previous definition of personal information but adds specific types of data, such as the processing of biometric information for unique identification, personal information related to a consumer's health, and personal information related to a consumer's sex life or sexual orientation. The inclusion of sensitive personal information highlights the heightened privacy concerns associated with these types of data and imposes additional obligations on businesses in handling and protecting them.

d. Extended Look-Back Period:

The CPRA expands the "look-back period" for consumer data requests beyond the previous 12-month period under the CCPA. Consumers now have the right to request information that goes beyond the 12-month period, if providing such information is not impossible or disproportionately burdensome for the business. This change enables consumers to access a broader range of historical data held by businesses, enhancing transparency and empowering individuals to exercise their privacy rights.

Conclusion:

The CPRA's amendments to the CCPA significantly impact how businesses are defined and regulated under the privacy law. With changes to the threshold for businesses, the strengthened private right of action, the introduction of sensitive personal information, and the extended look-back period, the CPRA broadens the scope and obligations for businesses in protecting consumer privacy. These changes reflect the evolving landscape of privacy rights and emphasize the need for businesses to adapt their practices to comply with the new requirements imposed by the CPRA.

Feel free to contact me at michaelwuva78@gmail.com. You can leave a comment, too.

I also publish a legal technology blog NC Legal Technology, a New Frontier. 

Your Personal Information Will be Stolen But...When, by Whom, and How Many Times?

The most dangerous Luddites are those, who don’t care about your privacy. Many of them wear black robes, and, despite their childlike understanding of technology, they make decisions that negatively impact all of us.

But…it gets worse, my friends.

Hackers have already stolen your most intimate information. Some of us know this, and some of us do not. Skeptics argue people willingly give away their data, but this eschews the meaning of “consent.” We all know Americas have trouble understanding the concept of consent—especially men.

People are forced to supply their names, Social Security numbers, dates of birth, street address, and other personal information to obtain a good credit score, which will allow them to purchase a house, a car, get a job, rent an apartment, purchase insurance, and live in America. There are countless other instances where people have very little choice but to share their data. Modern life forces people to share their individual data, which leaves everyone in America vulnerable—even children.

“Data breaches at as Target, Yahoo!, Home Depot, HSBC, and many other breaches, which are far too numerous to list  demonstrate that American law is ill equipped to combat these incidents and the growing threat to our personal data and to our privacy in general.^[1] Despite our supposed innovation in software, the security of the cloud, and other advancements, data breaches keep occurring, and there is no sign they will stop or even abate.

When it comes to data privacy, the law is not equipped to handle or is indifferent to the present and ever-expanding problem of the security of individual personal data. It should not be so difficult for organizations to protect personal information. Although laws in the United States need to be more comprehensive and cohesive, that is not the topic discussed in this paper. The United States does have some very good legislation, but the problem is the courts often will not hold organizations accountable as federal judges choose to surround the law in an impenetrable miasma.

Generally speaking, do you think federal judges care about or even understand what happens when your personal information (or data) are stolen?

Think about it this way: do you think a snake cares about what happens to a mouse it ate?

If you don’t believe me, then read below…I’m just using their words.

Donate through Venmo

Donate through PayPal

The Clapper case cemented the federal courts’ refusal to recognize data breach harms.^[2] In Clapper, plaintiffs challenged the constitutionality of a provision of the Foreign Intelligence Surveillance Act (FISA) where plaintiffs believed the government was illegally spying on their communications with foreign individuals (the government suspected these individuals were terrorists), which caused them to incur great expense to travel to foreign countries to keep these communications confidential.[3] The Supreme Court held the plaintiffs lacked standing because they could not show the actual injury of the surveillance was occurring or “certainly impending.”[4]Specifically, Justice Alito, writing for the Court, held, “because they cannot demonstrate that the future injury they purportedly fear is certainly impending and because they cannot manufacture standing by incurring costs in anticipation of non-imminent harm.”[5] Incidentally, Edward Snowden subsequently uncovered the government was spying on the plaintiffs.[6] Courts have relied on Clapper, which does not provide for recovery for fear, anxiety, worry, stress, time spent guarding against identity theft in the future all of which it refers to as “speculative” no matter how probably future harm is. [7]

In 2016, Spokeo followed Clapper and was supposed to resolve ambiguities in the case.^[8] The Spokeo case, however, provided a frightening example of how incorrect information about an individual posted online can be very damaging and difficult to remedy. [9]

Plaintiff Robbins (Respondent in the Supreme Court case) alleged the dossier of information listed by Spokeo on the internet suggesting he was overqualified and may be unwilling to move because of a nonexistent family, all of which hurt his chances of securing a job.[10]  The Court was unmoved and disregarded the violation of the Federal Credit Reporting Act (FCRA); the Court held the violation of the FCRA (minor or “bare procedural violation”) did not injury him sufficiently enough to confer standing, nor were his injuries “concrete.”[11]

Under Clapper and Spokeo, worry, anxiety, fear, or time spent guarding against future identity theft are not considered harm no matter how probable the possibility of future identity theft.

TransUnion[12] is a data privacy case that dealt with reputational damage that ultimately had economic impact. Although the history of the case is long and the factual situation complex and varied, the basic facts involved a watch list created by the U.S. Treasury’s Office of Foreign Assets Control (OFAC). The so-called “OFAC watchlist” was meant to identify terrorists, drug traffickers, and other serious criminals. If a consumer’s first and last names matched the first and lasts names of a person on this list, then that person was listed as a “potential match” and put on the OFAC watch list.

8,185 people whose names were on the list filed a lawsuit in federal district court in California saying TransUnion 1) failed to ensure accuracy of their credit files, and 2) sent defective notices to the consumers both of which clearly violated the Fair Credit Reporting Act (FCRA)[13]. The case eventually went to trial, and the jury was so upset that it awarded punitive damages, driving the verdict to $60 million, a verdict that was later reduced to $40 million.[14]

TransUnion appealed the case to the Supreme Court. The Supreme Court essentially canceled the jury verdict (vacated it), and it said only those people, 1,853 in total, who had the credit reports with the inaccurate OFAC watch list sent to third-parties (banks, car dealers, etc.), had suffered any “actual harm.”[15]

The Court dismissed the case as to 6,332 people whose credit reports contained misleading alerts, yet had not been sent to third-parties, reasoning the “mere presence of an inaccuracy in an internal credit file, if it was not disclosed to third party, caused no concrete harm.”[16] The Court concluded these 6,332 people had no “standing,” which meant they had not been harmed enough to allow the Court to hear the case. Basically, the Court did not think having your name incorrectly placed on a terrorist watch-list without your knowing meant you were even harmed.[17]

The ramifications are wide and are alarming for a few reasons that affect everyone: First, Congress passed the FCRA to remedy these kinds of situations, and it was clearly violated, yet the Supreme Court explicitly said the Court had the right to overrule Congress and take away its law-making ability. Essentially, the Court “legislated from the bench” and made no bones about its ability to continue to do that if it did not like the law(s) Congress passed. Second, the Court referred to this violation of a privacy statute (conceptually like those in data breach cases) as a “mere procedural violation,” which is the language it has used to describe violations of consumer privacy the Court does not deem to be serious.

Federal courts continue to focus on financial harm while discounting reputational harm, anxiety, worry, fear, time spent remedying such a situation, and other what are called “intangible harms,” which are largely unrecognized in American law these days.  Third, it shows that you must wait for something terrible to happen to you financially to be considered “harmed,” and the law cannot be used to prevent harm.

Clapper, Spokeo, and TransUnion all have profound implications for our personal information, and they are cited in virtually every case that deals with data privacy issues, yet these cases and their progeny, for the most part work from the implicit (if not explicit) assumption that data breach cases are so new, so novel, that there is no way the federal courts can even consider these claims absent some direct evidence financial harm or physical harm.

Because Clapper and Spokeo, and others that followed, the standard is still to show “concrete” harm, and, according to many judges, virtually the only way is to show monetary loss. Having your data stolen is not enough harm, if any, to be considered “actual harm” even if common sense and historical precedent indicate otherwise. The rationale behind this notion is data breach cases somehow lack historical precedent, which ignores history because recognizing the kind of harm asserted by plaintiffs in data breach cases is entirely consistent with precedent.

 Data breach harms are consistent with precedent because the historical precedent found in the common law does not require you to assign a monetary value to emotional harm. Injured parties have always been able to recover for emotional injuries such as emotional distress and other forms of suffering, and the denying the ability of injured parties to recover for emotional harm, emotional distress not only ignores and disregards not only what the law always has been, but what it should be now.^[18]

Moreover, the narrow conception of data breach harm as set forth in Clapper, Spokeo, and TransUnion largely ignores precedent that is conceptually similar and can easily support data breach cases surviving dismissal.

For example, “The tort of assault—where the harm is the emotion of fear—dates back six and a half centuries.”[19] Historically, the tort of assault was based on fear of imminent physical harm, and it required no any showing of physical injury or any other kind of harm in and of itself.[20] The law has recognized and does recognize still the tort of alienation of affection (having sex with someone else’s spouse), which permitted recovery for emotional distress.[21] Noises, odors, dust, smoke, and excessive vibration has been recognized as harm, and property evolved to include intangible and tangible harms to property.[22]

The tort of defamation protected reputation without showing proof of financial or physical suffering. [23] In fact, Solove & Citron take us through the very development of the right to privacy in American law, which dates to 1890 when William Brandeis, writing with famed lawyer and Harvard Law School Professor, Samuel D. Warren, referred to an “injury of the feelings.”[24]

As Warren & Brandeis famously said, “mental pain and distress, far greater than could be inflicted by mere bodily injury” when referring to privacy invasions and how it makes a person feel about themselves .[25] They also state people should be able to decide the extent to which her personal information would be revealed, shared, and disclosed to others.[26]  

Donate through Venmo

Donate through PayPal

In essence, Solove & Citron along with Calo argue that Clapper and Spokeo and the other leading cases of the day should recognize that injured parties can recover in data breach cases for emotional harm resulting from the breach such as fear, anxiety, and worry. For example, the law recognizes (and has for hundreds of years) emotional harm coming from a breach of privacy such as assault, defamation, alienation of affection, intentional infliction of emotional distress, negligent infliction of emotional distress, which are just like he very injuries (fear, anxiety, worry, and lost time) that occur in these cases and that are largely ignored, explained away, or vastly discounted, by judges who dismiss data breach cases.[27] 

 Solove’s & Citon’s views are supported by industry experts.  Private information can take the form of so-called personally identifiable information (PII) or protected health information (PHI).^[28] PHI can be more than ten times more valuable than credit card information because it contains highly sensitive information, such as Social Security numbers, dates of birth, addresses, credit card numbers, and medical conditions.[29] It is referred to as “the crime that kills” because cyberthieves can use it to file false claims, often altering your health information in your medical records, which can have lethal effects.[30]

How valuable is your PII and PHI? Surely, little old me can’t have information that’s worth much money?

THINK AGAIN!

The high value of PHI is why cybercriminals attempt one hack every thirty-nine seconds;  in fact, the healthcare sector reported the second largest number of data breaches among all measured sectors in 2018, and it had the highest rate of exposure per breach.^[31] It does not end there because one report found the average cost to resolve a healthcare identity theft-related incident was $20,000, and 50% of victims lost their healthcare coverage as a result due to spikes in premiums they could not afford or the inability to resolve fraudulent charges, while 30% said their insurance premiums went up after the event.[32] Unfortunately,  40% of the customers were never able to revolve their identity theft at all.^[33]

The same kind of risk exists when PII is exposed. For instance, consider something as banal as a driver’s license.  Even according to a rival credit bureau of TransUnion, Experian:

A driver's license is an identity thief's paradise. With that one card, someone knows your birth date, address, and even your height, eye color, and signature. If someone gets your driver's license number, it is also concerning because it's connected to your vehicle registration and insurance policies, as well as records on file with the Department of Motor Vehicles, place of employment (that keep a copy of your driver's license on file), doctor's office, government agencies, and other entities. Having access to that one number can provide an identity thief with several pieces of information they want to know about you. Next to your Social Security number, your driver's license number is one of the most valuable pieces of identifying information to keep from thieves.”[34]

American law requires an individual must have “standing to sue” to survive dismissal at the earliest stage possible.^[35] Simply put, this means in order to maintain a case in federal court, you must have evidence you have been injured (usually a financial injury), and if you do not have this kind of injury, then your case will be dismissed (thrown out) of court. A great deal of research has gone into focusing on what the seminal cases such as Clapper, Spokeo, and TransUnion say and what those cases mean. Of course, those cases must always be kept in mind when used in any analysis of federal data privacy cases. Most—if not all—cases that are dismissed for lack of standing are going to be because there is no “concrete” evidence of harm, which means no evidence of financial harm or “fraud” generally. However, little research has considered what, if any, patterns exist in most, if not all, federal data breach cases dismissed for lack of standing.

In short, most data breach cases are dismissed because a judge finds no clear evidence of financial harm. Sadly, your mental anguish, stress, reputational damage (unless clearly quantifiable as if that’s possible), time spent remedying the situation, are not recognized as “actual harm” under American law.

How do you handle this?

I can’t give you an answer other than to say: be careful. Think before you click. Say no to cookies tracking your movements on websites, and use websites that are more secure (as if that’s possible!).

Thanks again for reading.

Feel free to email me at michaelwuva78@gmail.com with questions.

Best regards,

Michael Wells, Esq., MLS

---

^[1] See Jon L. Mills & Kelsey Harclerode, Privacy, Mass Intrusion, and the Modern Data Breach, 69 FLA. L. REV. 771 (2017).

^[2] See Clapper v. Amnesty International USA, 568 U.S. 398 (2013).

[3] Clapper, 568 at 401.

[4] Id. at 421-2. Daniel J. Solove and Daniel Keats Citron provide an incredible discussion of Clapper and other pertinent cases in the data privacy realm, and much of the discussion in this section is aided by their insightful analysis. See, Daniel J. Solove & Danielle Keats Citron, Risk and Anxiety: A Theory of Data-Breach Harms, 96 TEX. L. REV. 737, 741-742, (2018).

[5] Id.

[6] See Solove & Keats, Risk and Anxiety, supra note 16, at 741-42.

[7] Id.

^[8] Spokeo v. Robins, 578 U.S. 330 (2016).

[9] See generally, Spokeo v. Robins, 578 U.S. 330 (2016).

[10] Spokeo, 578 U.S. at 353-54 (Ginsberg, J. dissenting); see also, Daniel J. Solove & Danielle Keats Citron, Risk and Anxiety: Daniel J. Solove & Danielle Keats Citron, Risk and Anxiety, supra note 16, at 743-45.

[11] Id. at 342-43 (majority opinion).

[12] See generally, TransUnion LLC v. Ramirez, 141 S.Ct. 2190 (2021).

[13] TransUnion, LLC, 141 S.Ct. at 2216.

[14] Id., 141 S.Ct. at 2204.

[15] Id., 141 S.Ct. at 2212.

[16] Id., 141 S.Ct. at 2210.

[17] Id.

^[18] Daniel J. Solove & Danielle Keats Citron, Risk and Anxiety: A Theory of Data-Breach Harms, 96 TEX. L. REV. 737, 741-742, (2018).

[19] Ryan Calo, Privacy Harm Exceptionalism, 12 COLO. TECH. L.J. 361, 363 (2014). For a further discussion on the history of the legal foundation for recognizing anxiety as harm, see Daniel J. Solove & Danielle Keats Citron, Risk and Anxiety fn. 20, supra, at 741-742.

[20] Solove & Citron, supra note 14, at 767.

[21] Id. at 768.

[22] Id.

[23] Id.

[24] Id.; see Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193, 193 (1890).  

[25] Quoting Id. at 196-197. This passage and the evolution of privacy law is discussed poignantly in Solove & Citron, supra note 16, at 768. 

[26] Id.

[27] See supra note 21.

^[28] Personally identifiable information (“PII”) generally refers to information that alone or in conjunction with other information identifies an individual, including an individual’s contact information (including postal addresses, email addresses, and phone numbers), Social Security number (SSNs), date of birth, driver’s license number or government-issued identification number, financial account numbers. See generally 2 C.F.R. § 200.79. Personal health information (“PHI”) is a category of information that relates to an individual’s physical or mental health and the provision of health care. Among other things, as used in this complaint PHI includes medical information as that term is defined in C.F. R. §160.103.

[29] The Value of Personal Medical Information: Protecting Against Data Breaches, https://www.naham.org/page/ConnectionsThe-Value-of-Personal-Medical-Information# (last visited Apr 16, 2023).

[30] Id.

^[31] Identity Theft Resource Center, 2018 End -of-Year Data Breach Report, available at: https://www.idtheftcenter.org/2018-end-of-year-data-breach-report/ (last accessed Mar. 26, 2023).

[32] Id.

^[33] Elinor Mills, Study: Medical identity theft is costly for victims, CNET (March 3, 2010), available at: https://www.cnet.com/news/study-medical-identity-theft-is-costly-for-victims/ (last visited Apr. 11, 2023).

[34] Anthem Hack: Personal Data Stolen Sells for 10x Price of Stolen Credit Card Numbers, IT World, Tim Greene, Feb. 6, 2015, available at: http://www.itworld.com/article/2880960/anthem-hack-personal-data-stolen-sells-for-10x-price-of-stolen-credit-card-numbers.html (last visited on Apr.7, 2023).

^[35] Standing, LII / Legal Information Institute, https://www.law.cornell.edu/wex/standing (last visited Apr 1, 2023).