Data Theft and DDT: Courts Increasingly Back ‘Future Risk’ from Data Breaches
Courts in the U.S. are increasingly accepting the risk of imminent and future injuries to consumers resulting from data theft as enough to give them standing in court cases and class action suits.
Courts in the U.S. have been on something of a vision quest in recent years as they weighed the legal implications of (relatively) new phenomenon like hacking and data theft.
One of the big questions concerns class action lawsuits against major corporations such as Home Depot and Target seeking damages for those firms having surrendered customer data, including credit card information. To put it simply: courts have been of two minds about whether simply having your data stolen constitutes an “injury” warranting legal redress. No surprise: breached firms like Home Depot have been anxious to convince the courts that it doesn’t – that consumers whose credit card data is stolen, for example, are not liable for fraudulent charges that result and, thus, have no standing to sue.
In some cases, courts have been willing to go along. In January, for example, a judge threw out a class action suit filed against Michaels Crafts Stores, saying that the plaintiff couldn’t prove she was damaged as a result of her information having been stolen from the store. That ruling cited a recent Supreme Court case, “Clapper vs. Amnesty International,” which found that the human rights group did not have standing to sue the U.S. Government over the actions of its secretive Foreign Intelligence Surveillance Act (FISA) courts.
But there’s mounting evidence of division within the courts. Notably, last week, the U.S. Appeals Court for the Seventh Circuit reversed a lower court’s decision to dismiss a class action suit against chain restaurant P.F. Chang’s, saying that the risk of “future injuries” suffered by consumers wrapped up in the breach there were “sufficiently imminent” to give them standing in court (PDF). The same court reversed a similar lower court ruling in favor of retailer Neiman Marcus in July of last year, as this article at HealthCareInfoSecurity.com notes.
It’s worth noting that other companies that have made the “no standing” argument citing Clapper have settled rather than testing that argument in open court. Among them was Home Depot, which in March agreed to pay out some $19 million in damages to settle a class action suit resulting from the data breach, citing a need to “move on.”
There are differing opinions within the legal field about what this means in the long term. On the one hand, some look at the courts’ willingness to entertain the notion of “future harm” as a promising development for consumers – akin to the notion in environmental law that exposure to toxic chemicals can be damaging, even if the effects of that damage take years to manifest.
On the other hand are those who feel that, given the legal protections in place for consumers in incidents of fraud, companies will still get the benefit of the doubt that simply losing track of customer data leads to harm to consumers.
In the end, our feelings about which side is correct may sway with our understanding of the possible uses and applications of stolen data. The more myriad those are (as with health data, Social Security Numbers, etc.), the more believable are consumer claims that they are likely to be victimized in the future. The narrower the applications of stolen data (for example: credit card numbers), the more believable are businesses’ arguments that consumers are unlikely to suffer damages as a result of the breach.
Of course, our understanding of the workings of the criminal underworld are ever evolving, which may mean that our opinions about the impact of a breach may change, also.