Earlier this week, the e-commerce website e-Bay was sued in federal court in Louisiana for allegedly failing to implement adequate security measures to protect the identities of its millions of customers. e-Bay announced in May that there had been unauthorized access to its systems and advised its customers to change their passwords. The lawsuit alleges that the company failed to discover the breach—which occurred in late February or early March—in a timely manner, waited too long to disclose it, and that it was in fact more severe than e-Bay first let on; hackers made off with the complete user database, including contact information, usernames, and encrypted passwords, exposing e-Bay users to phishing attacks and identity theft. On the bright side, consumer financial information and Paypal account data was apparently stored separately and not compromised.
This is just one in a long line of recent security breaches in connection with major retailers and websites that routinely collect vast quantities of our consumer data. In December of last year, Target, the third largest retailer, announced a massive data breach that exposed information associated with around 40 million credit or debit accounts used during the first three weeks of the holiday shopping season. The hackers stole not only the card numbers, but expiration dates, CVV codes (even though the storage of such codes violates industry standards and requirements established by the credit card companies) and cardholder names—enough information to enable them to make fraudulent purchases and open bogus credit card accounts. In April, Michaels, the national chain of arts and crafts stores, announced a data breach that may have affected more than two and a half million customers. Neiman Marcus, Bloomingdale’s, Yahoo and others round out the list.
Verizon, which publishes a report on data breaches, reported last year that most occur at financial institutions or retailers. The largest data breach on record—affecting even more people than the Target breach—occurred in 2009, when Heartland payment Systems, a company that processed payments for more than 250,000 business across the country, announced that cyber criminals had used malware to access approximately 130 million credit and debit cards.
In the wake of all this, data breach class actions are unsurprisingly on the rise, as consumers attempt to band together to hold companies accountable for needlessly storing sensitive data that is not necessary for retail transactions, failing to protect the data, and failing to promptly and accurately disclose the extent of any breaches. Class action plaintiffs have sought compensation for the increased risk of experiencing identity theft, the cost of monitoring their credit and other actions to mitigate the risk of identity theft, loss of privacy and loss of the value of their personal and medical information.
But such plaintiffs clearly face an uphill battle. The U.S. Supreme Court’s decision last year in Clapper v. Amnesty International, USA, 133 S. Ct. 1138 (2013) —a case that did not involve a consumer data breach, but attorneys and human rights organizations who alleged they would be unfairly targeted for surveillance under the Foreign Intelligence Surveillance Act—is frequently relied on for the proposition that the mere loss of data or an increased risk of identity theft does not constitute a tangible injury. After Clapper, “threatened injury must be certainly impending” or plaintiffs must at the very least be able to allege that the defendant’s actions caused them “substantial risk of harm.” Id. at 1147, 1150 n.5. “Allegations of possible future injury are not sufficient.” Id. at 1147.
Recently, some plaintiffs have attempted to demonstrate that they suffered the requisite injury to confer standing by alleging that they did not receive the benefit of the bargain: when they paid for the defendant’s products, they were also paying for the defendant to take appropriate security measures to protect their data and the products were in fact worth less because those measures were not taken. This argument seems to be meeting with limited success, however, as courts point out that cash-paying customers pay the same prices for the products and have no expectation of receiving any additional data security benefits.
The Eleventh Circuit in Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012), however, upheld a claim for unjust enrichment based on allegations that insurance premiums the plaintiffs paid to the defendant were supposed to fund the cost of data security, and that the defendant’s failure to implement those security measures barred it from retaining the full amounts received. The case ultimately settled, offering class members cash payments for each year that they bought insurance, with those who experienced identity theft eligible to make additional claims to recover monetary loses.
In a certain sense, it is ironic that our consumer data, a valuable commodity that is collected, shared, bartered and sold by companies we deal with on a daily basis, is considered too “abstract” or “intangible” to confer an injury on consumers affected by massive data breaches, even where most will agree those consumers are many times more likely to be the victims of identity theft as a result of such breaches. Where civil litigation cannot change corporate behavior, the only solution may be greater government involvement. Recent data breaches have led to a cry for more stringent data security standards and regulations. Indeed, the U.S. Senate Commerce Committee has held hearings this year and several bills have been introduced in Congress.
A law review article I recently read proposes an interesting analogy. Professor Dennis Hirsch, writing for the Maine Law Review, compares Big Data to Big Oil; both essential resources that power large economies. In Hirsch’s view, “Big Data is like a massive oil tanker navigating the shoals of hackers, criminals and human error. . . . Like oil, it spills.” Dennis D. Hirsch, The Glass House Effect: Big Data, the New Oil, and the Power of Analogy, 66 Me. L. Rev. 373, 375 (2014). He argues that Congress should take a page from the Clean Water Act and pass legislation authorizing the government to “clean up” data spills by providing credit monitoring, counseling and identity theft recovery services, also allowing them to then seek reimbursement from the parties responsible for the spills. Id. at 385. As with the Oil Pollution Act, Hirsch also favors Congress expanding tort liability to expressly allow plaintiffs to sue for non-economic damages (here, the risk of identity theft) and to require companies that collect data to take certain security measures. Id. Just as oil tankers must use double hulls, for example, data security systems could be required to employ two-factor authentication. Id. at 385-86.
I can’t help but think these are interesting ideas worth exploring in the current legal environment, as consumers absorb the risks associated with one massive data breach after another but are left with little legal recourse to pursue collective actions, the only form of civil litigation likely to truly change corporate behavior.
Photo Credit: Katzuhisa Otsubo