In today’s technologically savvy society, it is commonplace to give various types of companies our personal information and to store personal data online. The unintended effect of such a practice is the exponentially increased risk of high-profile hacks.[1] The worries of modern-day consumers are no longer limited to the literal theft of a laptop containing our personal information. In 2017 alone, cyber hacks of personal information stored in online databases made up more than half of the reported data breaches.[2] In terms of the amount of information compromised and resulting costs, some of the worst data breaches in history have occurred in just the last few years.[3]
The largest documented data breach in history was the 2013 Yahoo hack, which compromised three billion Yahoo accounts.[4] The breach gave hackers access to names, email addresses, encrypted passwords, birth dates, telephone numbers, and answers to security questions.[5] The information breached in the Yahoo hack was considered especially critical, as it enabled hackers to access Yahoo users’ “connections to their banks, social media profiles, other financial services and users’ friends and family.”[6] A runner-up to the large-scale Yahoo breach was the 2017 breach of Equifax, a notable credit reporting company.[7] Over 143 million Equifax consumers’ identities were breached, and thus put at risk of misuse. Ultimately, at least several hundred thousand identities were in fact misused.[8] For the purposes of this blog, I will use the word “misuse” to mean an instance of identity theft or some other fraudulent use of a consumer’s personally identifying information, as opposed to a “breach,” in which such information was stolen by hackers, but has not been used in a fraudulent way. Hackers of Equifax gained access to consumer social security numbers, names, and birth dates.[9] The problem that arises when hackers come into the possession of such sensitive data, albeit not proven to have been misused at the time, is that such data is “perpetually valuable.”[10] Once hackers obtain such personally identifying information, it forever remains at their fingertips as a mechanism for causing harm via total identity theft.[11]
The Yahoo and Equifax data breaches are only two of many detrimental data breaches in recent history,[12] signaling an obvious need to address this growing trend as consumers continue to digitally store more personal information,[13] and as hackers become more sophisticated.[14] Such data breaches leave victims in a dangerously vulnerable position because hackers may utilize the information breached to do a great deal of harm, such as file tax returns using a victim’s name, claim tax refunds using a victim’s social security number, file fraudulent medical expense claims, open credit cards, rent an apartment, obtain loans, and buy houses in a victim’s name—all without the victim knowing.[15] In the wake of a data breach and the aforementioned damage that victims either have incurred or could very likely incur in the future, victims often turn to the courts in an attempt to bring claims against the companies that failed to reasonably protect the victims’ information. However, whether victims of a data breach may have their day in court is a question on which federal courts have ruled inconsistently, particularly with regard to a plaintiff’s alleged injury, which must be of a certain nature to satisfy the first of three necessary elements of Article III constitutional standing. To litigate in federal court, a plaintiff must meet all three of Article III’s standing requirements: injury-in-fact, causation, and redressability. A plaintiff will be unable to bring a cause of action in federal court without first showing that he or she suffered an injury-in-fact that is actual or imminent, and concrete and particularized. Strictly applying the standing inquiry, some federal courts hold that the alleged injury of a substantial risk of identity theft following a data breach, when the plaintiff’s personally identifying information has not yet been proven to have been misused, fails to meet Article III’s injury-in-fact prong.
Other federal courts hold that hackers’ mere access to plaintiffs’ personally identifying information through a breach, even absent proof that plaintiffs’ information was misused, is adequate to meet Article III’s injury-in-fact prong. The latter courts recognize the harm inherent in a breach of one’s sensitive information, and understand the potential gravity of the future harm that could be caused to consumers from later misuse of such information.
The extent to which a data breach plaintiff has alleged the requisite injury-in-fact for Article III standing purposes is a contentious issue that both Congress and the U.S. Supreme Court have yet to address. Earlier this year, the Supreme Court denied certiorari in Attias v. Carefirst, a case in which the Court would have had the opportunity to create a uniform test governing claimant standing in data breach cases, or at the very least, to comment on the issue.[16] One result of this lack of guidance from the legislative and judicial branches is an unequal patchwork of differing state data breach laws.[17] Another result is an inconsistency in standards among the circuit courts, which have adopted various answers to the question of whether an increased risk of future harm, standing alone, is a sufficient injury for standing purposes in federal court.[18] Given the absence of an adequate remedy to this lack of uniformity, I believe there exists an urgent need for Congress to step in and legislate. A federal data breach statute should be crafted so as to clearly define what constitutes an injury in actions brought by consumer victims of a data breach.
Gabriela Nastasi is a second-year law student at Benjamin N. Cardozo School of Law and a Staff Editor of the Cardozo Arts & Entertainment Law Journal. She is a current Trademark Extern at Haug Partners and looks forward to a career within the field of Intellectual Property law.
[1] Nick Wells, How the Yahoo hack stacks up to previous data breaches, CNBC (Oct. 4, 2017), https://www.cnbc.com/2017/10/04/how-the-yahoo-hack-stacks-up-to-previous-data-breaches.html.
[2] Id.; see also 2017 Annual Data Breach Year-End Review, Executive Summary, Identity Theft Resource Center (Feb. 8, 2017), https://www.idtheftcenter.org/2017-data-breaches/ (“The number of U.S. data breach incidents tracked in 2017 hit a new record high of 1,579 breaches, according to the 2017 Data Breach Year-End Review released by the Identity Theft Resource Center® (ITRC) and CyberScout®. The Review indicates a drastic upturn of 44.7 percent increase over the record high figures reported for 2016.”); see also Lauren Sporck, 11 of the Largest Data Breaches of All Time, OPSWAT (Nov. 22, 2017), https://www.opswat.com/blog/11-largest-data-breaches-all-time-updated (“There were 8,069 data breaches between January 2005 and November 2017 according to the Identity Theft Resource Center, and in recent years the number of data breaches and compromised records has skyrocketed.”).
[3] See Sporck, supra note 2.
[4] Wells, supra note 1.
[5] Nicole Perlroth, Yahoo Says Hackers Stole Data on 500 Million Users in 2014, N.Y. Times (Sept. 22, 2016), https://www.nytimes.com/2016/09/23/technology/yahoo-hackers.html.
[6] Id.; see Patrick J. Lorio, Access Denied: Data Breach Litigation, Article III Standing, and a Proposed Statutory Solution, 51 Colum. J.L. & Soc. Probs. 79, 80 (2017) (“Because individuals often use the same email address, password, and security questions for multiple Internet accounts, the third party hacker could potentially gain access to additional private accounts, including financial accounts, of 500 million individuals.”).
[7] Sporck, supra note 2.
[8] Id. (“In 2017, credit bureau Equifax was breached, putting the data of over 143 million Americans and many people in other countries at risk. At the very least, several hundred thousand identities were stolen. Although Equifax did not announce the breach until September 7, the breach took place several months prior, in May 2017. Hackers were able to breach Equifax by exploiting a vulnerability in open-source software Apache Struts”).
[9] Adam Shell, Equifax data breach could create lifelong identity theft threat, USA Today (Sept. 9, 2017), https://www.usatoday.com/story/money/2017/09/09/equifax-data-breach-could-create-life-long-identity-theft-threat/646765001/.
[10] Id.
[11] Id. (“You are not going to change your name or date of birth or Social Security number. In five years they will be the same, unlike a credit card that takes five minutes to cancel over the phone.”).
[12] Sporck, supra note 2.
[13] Lorio, supra note 6, at 81.
[14] Herb Weisbaum, Hackers scored more Social Security numbers than stolen credit card numbers in 2017, NBC News (Feb. 21, 2018), https://www.nbcnews.com/tech/security/smarter-criminals-find-new-ways-commit-cyber-fraud-n849691 (“Al Pascual, Javelin’s research director and head of fraud and security, expects 2018 to be another record year for identity fraud because thieves have adapted to new security measures. ‘They’re smarter now. They have all the data they need to commit fraud and they know exactly how to use it,’ Pascual told NBC News. ‘They’re getting more sophisticated faster than we can respond — and that’s the big problem.’”).
[15] Shell, supra note 9 (“Armed with your digital history, hackers can file tax returns using your name and social security number to claim a refund. Or file fraudulent medical expense claims. Or attempt to open credit cards, rent an apartment, apply for electric service or get a loan and buy a house in your name without you knowing.”).
[16] Attias v. Carefirst, Inc., 865 F.3d 620, 623 (D.C. Cir. 2017).
[17] Petrina McDaniel & Keshia Lipscomb, Data Breach Laws on the Books in Every State; Federal Data Breach Law Hangs in the Balance, Security & Privacy Bytes (Apr. 30, 2018), https://www.securityprivacybytes.com/2018/04/data-breach-laws-on-the-books-in-every-state-federal-data-breach-law-hangs-in-the-balance/ (“With no central federal data breach law, states have taken the reins, passing an increasing number of laws that require both the protection of citizens’ private data and prompt notice of any breach of that privacy.”).
[18] Daniel R. Stoller, Data Breach Harm Standard May Head to SCOTUS in ’17, Bloomberg News Association (Dec. 14, 2016), https://www.bna.com/data-breach-harm-n73014448542/.