The most dangerous Luddites are those who don’t care about your privacy. Many of them wear black robes, and, despite their childlike understanding of technology, they make decisions that negatively impact all of us.
But…it gets worse, my friends.
Hackers have already stolen your most intimate information. Some of us know this, and some of us do not. Skeptics argue people willingly give away their data, but this sidesteps the meaning of “consent.” We all know Americans have trouble understanding the concept of consent—especially men.
People are forced to supply their names, Social Security numbers, dates of birth, street addresses, and other personal information to obtain a good credit score, which will allow them to purchase a house or a car, get a job, rent an apartment, purchase insurance, and live in America. There are countless other instances where people have very little choice but to share their data. Modern life forces people to share their individual data, which leaves everyone in America vulnerable—even children.
Data breaches at Target, Yahoo!, Home Depot, HSBC, and many others, far too numerous to list, demonstrate that American law is ill-equipped to combat these incidents and the growing threat to our personal data and to our privacy in general.[1] Despite our supposed innovation in software, the security of the cloud, and other advancements, data breaches keep occurring, and there is no sign they will stop or even abate.
When it comes to data privacy, the law is not equipped to handle, or is indifferent to, the present and ever-expanding problem of the security of individual personal data. It should not be so difficult for organizations to protect personal information. Although laws in the United States need to be more comprehensive and cohesive, that is not the topic discussed in this paper. The United States does have some very good legislation, but the problem is that the courts often will not hold organizations accountable, as federal judges choose to surround the law in an impenetrable miasma.
Generally speaking, do you think federal judges care about or even understand what happens when your personal information (or data) is stolen?
Think about it this way: do you think a snake cares about what happens to a mouse it ate?
If you don’t believe me, then read below…I’m just using their words.
The Clapper case cemented the federal courts’ refusal to recognize data breach harms.[2] In Clapper, the plaintiffs challenged the constitutionality of a provision of the Foreign Intelligence Surveillance Act (FISA). They believed the government was illegally spying on their communications with foreign individuals (the government suspected these individuals were terrorists), which caused them to incur great expense traveling to foreign countries to keep these communications confidential.[3] The Supreme Court held the plaintiffs lacked standing because they could not show the actual injury of the surveillance was occurring or “certainly impending.”[4] Specifically, Justice Alito, writing for the Court, held that the plaintiffs lacked standing “because they cannot demonstrate that the future injury they purportedly fear is certainly impending and because they cannot manufacture standing by incurring costs in anticipation of non-imminent harm.”[5] Incidentally, Edward Snowden subsequently uncovered that the government was spying on the plaintiffs.[6] Courts have relied on Clapper, which does not provide for recovery for fear, anxiety, worry, stress, or time spent guarding against future identity theft, all of which it refers to as “speculative” no matter how probable the future harm is.[7]
In 2016, Spokeo followed Clapper and was supposed to resolve the ambiguities in that case.[8] The Spokeo case, however, provided a frightening example of how incorrect information about an individual posted online can be very damaging and difficult to remedy.[9]
Plaintiff Robins (Respondent in the Supreme Court case) alleged that the dossier of information posted by Spokeo on the internet suggested he was overqualified and might be unwilling to move because of a nonexistent family, all of which hurt his chances of securing a job.[10] The Court was unmoved and disregarded the violation of the Fair Credit Reporting Act (FCRA); the Court held the violation of the FCRA (a minor or “bare procedural violation”) did not injure him sufficiently to confer standing, nor were his injuries “concrete.”[11]
Under Clapper and Spokeo, worry, anxiety, fear, or time spent guarding against future identity theft are not considered harm, no matter how probable future identity theft is.
TransUnion[12] is a data privacy case that dealt with reputational damage that ultimately had economic impact. Although the history of the case is long and the factual situation complex and varied, the basic facts involved a watch list created by the U.S. Treasury’s Office of Foreign Assets Control (OFAC). The so-called “OFAC watch list” was meant to identify terrorists, drug traffickers, and other serious criminals. If a consumer’s first and last names matched the first and last names of a person on this list, then that person was listed as a “potential match” and put on the OFAC watch list.
8,185 people whose names were on the list filed a lawsuit in federal district court in California, saying TransUnion 1) failed to ensure the accuracy of their credit files, and 2) sent defective notices to the consumers, both of which clearly violated the Fair Credit Reporting Act (FCRA).[13] The case eventually went to trial, and the jury was so upset that it awarded punitive damages, driving the verdict to $60 million, a verdict that was later reduced to $40 million.[14]
TransUnion appealed the case to the Supreme Court. The Supreme Court essentially canceled the jury verdict (vacated it), and it said only those people, 1,853 in total, whose credit reports containing the inaccurate OFAC watch list alert had been sent to third parties (banks, car dealers, etc.), had suffered any “actual harm.”[15]
The Court dismissed the case as to the 6,332 people whose credit reports contained misleading alerts yet had not been sent to third parties, reasoning that the “mere presence of an inaccuracy in an internal credit file, if it was not disclosed to third party, caused no concrete harm.”[16] The Court concluded these 6,332 people had no “standing,” which meant they had not been harmed enough to allow the Court to hear the case. Basically, the Court did not think having your name incorrectly placed on a terrorist watch list without your knowing meant you were even harmed.[17]
The ramifications are wide and alarming for a few reasons that affect everyone. First, Congress passed the FCRA to remedy these kinds of situations, and it was clearly violated, yet the Supreme Court explicitly said the Court had the right to overrule Congress and take away its law-making ability. Essentially, the Court “legislated from the bench” and made no bones about its ability to continue to do so if it did not like the law(s) Congress passed. Second, the Court referred to this violation of a privacy statute (conceptually like those in data breach cases) as a “mere procedural violation,” which is the language it has used to describe violations of consumer privacy the Court does not deem to be serious.
Federal courts continue to focus on financial harm while discounting reputational harm, anxiety, worry, fear, time spent remedying such a situation, and other so-called “intangible harms,” which are largely unrecognized in American law these days. Third, it shows that you must wait for something terrible to happen to you financially to be considered “harmed,” and the law cannot be used to prevent harm.
Clapper, Spokeo, and TransUnion all have profound implications for our personal information, and they are cited in virtually every case that deals with data privacy issues, yet these cases and their progeny, for the most part, work from the implicit (if not explicit) assumption that data breach cases are so new, so novel, that there is no way the federal courts can even consider these claims absent some direct evidence of financial harm or physical harm.
Because of Clapper, Spokeo, and the cases that followed, the standard is still to show “concrete” harm, and, according to many judges, virtually the only way to do so is to show monetary loss. Having your data stolen is not enough harm, if it is harm at all, to be considered “actual harm,” even if common sense and historical precedent indicate otherwise. The rationale behind this notion is that data breach cases somehow lack historical precedent, which ignores history, because recognizing the kind of harm asserted by plaintiffs in data breach cases is entirely consistent with precedent.
Data breach harms are consistent with precedent because the historical precedent found in the common law does not require you to assign a monetary value to emotional harm. Injured parties have always been able to recover for emotional injuries such as emotional distress and other forms of suffering, and denying injured parties the ability to recover for emotional harm and emotional distress ignores and disregards not only what the law has always been, but what it should be now.[18]
Moreover, the narrow conception of data breach harm as set forth in Clapper, Spokeo, and TransUnion largely ignores precedent that is conceptually similar and can easily support data breach cases surviving dismissal.
For example, “The tort of assault—where the harm is the emotion of fear—dates back six and a half centuries.”[19] Historically, the tort of assault was based on fear of imminent physical harm, and it required no showing of physical injury or any other kind of harm in and of itself.[20] The law has recognized, and still recognizes, the tort of alienation of affection (having sex with someone else’s spouse), which permitted recovery for emotional distress.[21] Noises, odors, dust, smoke, and excessive vibration have been recognized as harm, and the law of property evolved to include both intangible and tangible harms to property.[22]
The tort of defamation protected reputation without proof of financial or physical suffering.[23] In fact, Solove & Citron take us through the very development of the right to privacy in American law, which dates to 1890, when Louis Brandeis, writing with famed lawyer and Harvard Law School Professor Samuel D. Warren, referred to an “injury of the feelings.”[24]
As Warren & Brandeis famously said, privacy invasions inflict “mental pain and distress, far greater than could be inflicted by mere bodily injury,” in describing how such invasions make a person feel about themselves.[25] They also state that people should be able to decide the extent to which their personal information is revealed, shared, and disclosed to others.[26]
In essence, Solove & Citron, along with Calo, argue that Clapper and Spokeo and the other leading cases of the day should recognize that injured parties can recover in data breach cases for emotional harm resulting from the breach, such as fear, anxiety, and worry. For example, the law recognizes (and has for hundreds of years) emotional harm coming from a breach of privacy, such as assault, defamation, alienation of affection, intentional infliction of emotional distress, and negligent infliction of emotional distress, which are just like the very injuries (fear, anxiety, worry, and lost time) that occur in data breach cases and that are largely ignored, explained away, or vastly discounted by judges who dismiss those cases.[27]
Solove’s & Citron’s views are supported by industry experts. Private information can take the form of so-called personally identifiable information (PII) or protected health information (PHI).[28] PHI can be more than ten times more valuable than credit card information because it contains highly sensitive information, such as Social Security numbers, dates of birth, addresses, credit card numbers, and medical conditions.[29] Theft of PHI is referred to as “the crime that kills” because cyberthieves can use it to file false claims, often altering the health information in your medical records, which can have lethal effects.[30]
How valuable is your PII and PHI? Surely, little old me can’t have information that’s worth much money?
THINK AGAIN!
The high value of PHI is why cybercriminals attempt one hack every thirty-nine seconds; in fact, the healthcare sector reported the second largest number of data breaches among all measured sectors in 2018, and it had the highest rate of exposure per breach.[31] It does not end there: one report found the average cost to resolve a healthcare identity theft-related incident was $20,000, and 50% of victims lost their healthcare coverage as a result of spikes in premiums they could not afford or their inability to resolve fraudulent charges, while 30% said their insurance premiums went up after the event.[32] Unfortunately, 40% of the customers were never able to resolve their identity theft at all.[33]
The same kind of risk exists when PII is exposed. For instance, consider something as banal as a driver’s license. Even according to Experian, a rival credit bureau of TransUnion:
“A driver's license is an identity thief's paradise. With that one card, someone knows your birth date, address, and even your height, eye color, and signature. If someone gets your driver's license number, it is also concerning because it's connected to your vehicle registration and insurance policies, as well as records on file with the Department of Motor Vehicles, place of employment (that keep a copy of your driver's license on file), doctor's office, government agencies, and other entities. Having access to that one number can provide an identity thief with several pieces of information they want to know about you. Next to your Social Security number, your driver's license number is one of the most valuable pieces of identifying information to keep from thieves.”[34]
American law requires that an individual have “standing to sue” in order to survive dismissal at the earliest stage of a case.[35] Simply put, this means that to maintain a case in federal court, you must have evidence you have been injured (usually a financial injury); if you do not have this kind of injury, your case will be dismissed (thrown out of court). A great deal of research has focused on what the seminal cases such as Clapper, Spokeo, and TransUnion say and what those cases mean. Of course, those cases must always be kept in mind in any analysis of federal data privacy cases. Most—if not all—cases that are dismissed for lack of standing are dismissed because there is no “concrete” evidence of harm, which means no evidence of financial harm or “fraud” generally. However, little research has considered what patterns, if any, exist in most, if not all, federal data breach cases dismissed for lack of standing.
In short, most data breach cases are dismissed because a judge finds no clear evidence of financial harm. Sadly, your mental anguish, stress, reputational damage (unless clearly quantifiable, as if that’s possible), and time spent remedying the situation are not recognized as “actual harm” under American law.
How do you handle this?
I can’t give you an answer other than to say: be careful. Think before you click. Say no to cookies tracking your movements on websites, and use websites that are more secure (as if that’s possible!).
Thanks again for reading.
Feel free to email me at michaelwuva78@gmail.com with questions.
Best regards,
Michael Wells, Esq., MLS
[1] See Jon L. Mills & Kelsey Harclerode, Privacy, Mass Intrusion, and the Modern Data Breach, 69 FLA. L. REV. 771 (2017).
[2] See Clapper v. Amnesty International USA, 568 U.S. 398 (2013).
[3] Clapper, 568 U.S. at 401.
[4] Id. at 421-22. Daniel J. Solove and Danielle Keats Citron provide an incredible discussion of Clapper and other pertinent cases in the data privacy realm, and much of the discussion in this section is aided by their insightful analysis. See Daniel J. Solove & Danielle Keats Citron, Risk and Anxiety: A Theory of Data-Breach Harms, 96 TEX. L. REV. 737, 741-42 (2018).
[5] Id.
[6] See Solove & Citron, Risk and Anxiety, supra note 4, at 741-42.
[7] Id.
[8] Spokeo v. Robins, 578 U.S. 330 (2016).
[9] See generally Spokeo, 578 U.S. 330.
[10] Spokeo, 578 U.S. at 353-54 (Ginsburg, J., dissenting); see also Solove & Citron, Risk and Anxiety, supra note 4, at 743-45.
[11] Id. at 342-43 (majority opinion).
[12] See generally TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021).
[13] TransUnion, 141 S. Ct. at 2216.
[14] Id. at 2204.
[15] Id. at 2212.
[16] Id. at 2210.
[17] Id.
[18] Daniel J. Solove & Danielle Keats Citron, Risk and Anxiety: A Theory of Data-Breach Harms, 96 TEX. L. REV. 737, 741-42 (2018).
[19] Ryan Calo, Privacy Harm Exceptionalism, 12 COLO. TECH. L.J. 361, 363 (2014). For a further discussion of the history of the legal foundation for recognizing anxiety as harm, see Solove & Citron, Risk and Anxiety, supra note 4, at 741-42.
[20] Solove & Citron, supra note 4, at 767.
[21] Id. at 768.
[22] Id.
[23] Id.
[24] Id.; see Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 HARV. L. REV. 193, 193 (1890).
[25] Warren & Brandeis, supra note 24, at 196-97. This passage and the evolution of privacy law are discussed poignantly in Solove & Citron, supra note 4, at 768.
[26] Id.
[27] See supra note 21.
[28] Personally identifiable information (“PII”) generally refers to information that, alone or in conjunction with other information, identifies an individual, including an individual’s contact information (postal addresses, email addresses, and phone numbers), Social Security number (SSN), date of birth, driver’s license number or government-issued identification number, and financial account numbers. See generally 2 C.F.R. § 200.79. Protected health information (“PHI”) is a category of information that relates to an individual’s physical or mental health and the provision of health care. Among other things, as used here, PHI includes medical information as that term is defined in 45 C.F.R. § 160.103.
[29] The Value of Personal Medical Information: Protecting Against Data Breaches, https://www.naham.org/page/ConnectionsThe-Value-of-Personal-Medical-Information# (last visited Apr 16, 2023).
[30] Id.
[31] Identity Theft Resource Center, 2018 End-of-Year Data Breach Report, available at: https://www.idtheftcenter.org/2018-end-of-year-data-breach-report/ (last accessed Mar. 26, 2023).
[32] Id.
[33] Elinor Mills, Study: Medical identity theft is costly for victims, CNET (March 3, 2010), available at: https://www.cnet.com/news/study-medical-identity-theft-is-costly-for-victims/ (last visited Apr. 11, 2023).
[34] Tim Greene, Anthem Hack: Personal Data Stolen Sells for 10x Price of Stolen Credit Card Numbers, IT World (Feb. 6, 2015), available at: http://www.itworld.com/article/2880960/anthem-hack-personal-data-stolen-sells-for-10x-price-of-stolen-credit-card-numbers.html (last visited Apr. 7, 2023).
[35] Standing, LII / Legal Information Institute, https://www.law.cornell.edu/wex/standing (last visited Apr 1, 2023).