Are Data Breaches A Victimless Crime?
Home improvement giant Home Depot is asking a court to dismiss a class action lawsuit against it stemming from a massive theft of credit card numbers from its corporate network last year. The argument: no harm was done as a result of the breach.
In the new “normal” of mega data breaches at prominent corporations, class action lawsuits on behalf of affected consumers are de rigueur – a predictable coda that follows the disclosure of the incident, the eye-popping numbers, the assurances from corporate executives and the offers of free credit monitoring services.
But a lawsuit connected to one of the largest breaches ever is challenging the right of consumers to sue breached corporations for damages. The reasoning: consumers whose information was caught up in a massive data haul by hackers can’t prove that they suffered any harm as a result, and thus don’t have standing to sue.
The case involves the September 2014 revelation that the home improvement giant had been the victim of a widespread and long-running security breach. The incident exposed information on as many as 56 million customers who had shopped at Home Depot stores in the U.S. or Canada between April and September, 2014.
In a May filing, consumers affected by the breach brought a consolidated suit alleging negligence by Home Depot, which exhibited what the complaint called "overarching complacency when it came to data security."
"Home Depot management’s attitude towards data security in the years and months leading up to the breach can best be described as willfully dismissive," the 187-page complaint charged. Home Depot’s management refused to upgrade its security systems or to follow recommendations of information technology employees and experts, despite ample evidence that it could be the target of hackers.
That suit followed media reports in the immediate aftermath of the hack that quoted former employees saying that the company relied on outdated antivirus software to protect its systems and failed to continuously monitor its network for unusual behavior that might suggest a compromise. Management at the home improvement giant did not take cyber threats seriously, adhering to the philosophy that one former employee characterized as “we sell hammers.”
Now Home Depot is asking a federal court in Atlanta to dismiss that suit, claiming that the consumers behind it cannot prove they were damaged by the breach.
"All of the claims alleged in the complaint suffer from the same fatal defect found in the vast majority of other breach cases ... they have suffered no actual or imminent economic injury that is fairly traceable to Home Depot's alleged conduct," the company says in its filing, according to a report in the Atlanta Business Chronicle.
The filing argues that the plaintiffs in the Home Depot case fail a standard established by the Supreme Court in Clapper v. Amnesty International, a 2013 5-4 ruling in a case involving the Foreign Intelligence Surveillance Act (FISA). "Respondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending," Justice Samuel Alito wrote in the majority opinion there.
In its filing, Home Depot argues that the plaintiffs in the class action against it were doing just that, and that their circumstances are too varied to be treated as a single class. “No two of these plaintiffs’ alleged experiences are alike, much less would any of their claims predominate across the alleged classes,” the company wrote.
Besides, the company argued, customers are not liable for any fraudulent charges on their payment cards and “most of the named plaintiffs admit that they have been fully reimbursed for their losses and do not even allege any monetary loss.”
So a data breach is a victimless crime? Not so fast. For one thing, the consequence of Home Depot’s security lapse for customers goes far beyond fraudulent charges on a credit card. Stolen card data feeds identity theft, a pernicious and costly problem that extends far beyond mere credit card fraud. As a 2013 report from the Department of Justice notes, 66% of the 16.6 million victims of identity theft reported a direct financial loss as a result of the identity theft incident, a figure that includes 68% of credit card fraud victims. Victims of existing account misuse (the category that fraudulent credit card charges fall into) experienced an average loss of $1,003 per incident, with a median direct loss of $200.
And credit card misuse is just one form of fraud. Depending on the extent of the breach and the data lost, victims may be exposed to other kinds of fraud as well, including bank fraud, new account fraud (opening new lines of credit in the victim’s name), and so on.
My point: Home Depot is engaged in some magical thinking about the downstream effects of losing control of credit card information on some 56 million people. It might be tempting to think that absolving consumers of the need to pay for fraudulent charges, issuing a new credit card and offering credit monitoring services (which few victims elect) is enough to wash away the damage the company’s negligence has caused. The data suggest otherwise: the harm falls on individuals and on our society, which bears the considerable cost of data and identity theft.
Here’s hoping that the courts see through Home Depot’s porous reasoning and allow consumers to pursue their case!
Paul F. Roberts is the Editor in Chief of The Security Ledger and the organizer of The Security of Things Forum, a conference focused on securing the Internet of Things.