
Data Theft and DDT: Courts Increasingly Back ‘Future Risk’ from Data Breaches

by Paul Roberts on Thursday April 21, 2016


Courts in the U.S. are increasingly accepting the risk of imminent and future injuries to consumers resulting from data theft as enough to give them standing in court cases and class action suits.

Courts in the U.S. have been on something of a vision quest in recent years as they weighed the legal implications of (relatively) new phenomena like hacking and data theft.

One of the big questions concerns class action lawsuits against major corporations such as Home Depot and Target seeking damages for those firms having surrendered customer data, including credit card information. To put it simply: courts have been of two minds about whether simply having your data stolen constitutes an “injury” warranting legal redress. No surprise: breached firms like Home Depot have been anxious to convince the courts that it doesn’t – that consumers whose credit card data is stolen, for example, are not liable for fraudulent charges that result and, thus, have no standing to sue.

In some cases, courts have been willing to go along. In January, for example, a judge threw out a class action suit filed against Michaels Crafts Stores, saying that the plaintiff couldn’t prove she was damaged as a result of her information having been stolen from the store. That ruling cited a recent Supreme Court case, “Clapper vs. Amnesty International,” which found that the human rights group did not have standing to sue the U.S. Government over the actions of its secretive Foreign Intelligence Surveillance Act (FISA) courts.

But there’s mounting evidence of division within the courts. Notably, last week, the U.S. Appeals Court for the Seventh Circuit reversed a lower court’s decision to dismiss a class action suit against chain restaurant P.F. Chang’s, saying that the risk of “future injuries” suffered by consumers wrapped up in the breach there was “sufficiently imminent” to give them standing in court (PDF). The same court reversed a similar lower court ruling in favor of retailer Neiman Marcus in July of last year, as this article at notes.

It’s worth noting that other companies that have made the “no standing” argument citing Clapper have settled rather than testing that argument in open court. Among them was Home Depot, which in March agreed to pay out some $19 million in damages to settle a class action suit resulting from the data breach, citing a need to “move on.”

There are differing opinions within the legal field about what this means in the long term. On the one hand, some look at the courts’ willingness to entertain the notion of “future harm” as a promising development for consumers – akin to the notion in environmental law that exposure to toxic chemicals can be damaging, even if the effects of that damage take years to manifest.

On the other hand are those who feel that, given the legal protections in place for consumers in incidents of fraud, companies will still get the benefit of the doubt about whether simply losing track of customer data leads to harm to consumers.

In the end, our feelings about which side is correct may sway with our understanding of the possible uses and applications of stolen data. The more numerous those are (as with health data, Social Security Numbers, etc.), the more believable are consumer claims that they are likely to be victimized in the future. The narrower the applications of stolen data (for example: credit card numbers), the more believable are businesses’ arguments that consumers are unlikely to suffer damages as a result of the breach.

Of course, our understanding of the workings of the criminal underworld is ever evolving, which may mean that our opinions about the impact of a breach may also change.

Paul F. Roberts is the Editor in Chief of The Security Ledger and Founder of The Security of Things Forum.

Tags:  Data Breaches Policy
