It May Not Be Today or Tomorrow. But One Day…

Posted June 24, 2015

What Will Criminals Do “Down the Road” with Personal Information Stolen Today? And Who’s Legally Responsible? Or Will Be?

In her piece on firstlook.org, Farai Chideya begins with a cautionary tale about one Benjamin Nuss:

Benjamin Nuss was one of the nearly 80 million people whose social security number and personal information were compromised in this year’s Anthem data breach. He seems to have taken things in stride, continuing his daily routine of sharing computer time with his brother, eating healthy snacks and making crafts. Benjamin is four years old.

While it may seem trivial to think about the harm a preschooler will suffer from a data breach, the question is not what happens to him now, but what will happen years from now. Data theft poses an indefinite threat of future harm, as birth date, full name and social security number remain a skeleton key of identity in many systems.

Benjamin’s mother, Jennifer Nuss, gave birth while the family had Blue Cross insurance, which was linked to Anthem’s databases. “They sent us a letter saying that Benjamin’s information may have been compromised. All they offered is, ‘We can watch Ben’s credit for you,’” she says. “But you can check that yourself for free.” A stay-at-home mother of two and an accounting student, Nuss is disciplined about family finances and checks her and her husband’s credit records and accounts regularly. “With Benjamin,” she adds, “well, we’re going to have to watch his information forever.”

Waiting for the other shoe

Having data hacked is the equivalent of waiting for the proverbial other shoe to drop. It could happen immediately or it might not happen until the aforementioned Mr. Nuss is ready to collect Social Security. And information hacked for one purpose (a nation state doing industrial espionage, for example) could someday end up being used by cybercriminals to siphon money from a bank account. In her lengthy, well-researched article on firstlook.org, Farai Chideya details what the courts may decide when it comes to responsibility for future damages as a result of current data breaches. The following has been excerpted from her piece and edited to fit our format. You may find the full article by clicking on this link.

Stolen info can be used for a variety of criminal activities

A first-person article by William Gerrity published two years ago by Slate and the website Zócalo Public Square gives a vivid picture of what may lie ahead for those targeted.

In 2007, Gerrity was checking his email after a long day working as a real estate developer in Shanghai. “The message greeted me by a nickname known only to family and close friends,” he wrote, “and it contained a proposal: I could pay 1 million renminbi (about $150,000 at the time), in exchange for which the sender would not forward the attachments to my business partners or competitors.”

In this case, the hackers had obtained confidential business documents, as well as personal correspondence about the death of his mother. The FBI advised him to refuse the request, which he did. But imagine that the request was not for payment in cash, but in federal information. And imagine the trade was not in business documents, but evidence of misconduct or criminal behavior on or off the job. That’s bait, if acquired and used, that could be harder for some to refuse.

The future harm that could be caused by the recent Office of Personnel Management (OPM) breach that compromised 4.1 million current and former federal employees

[The OPM] breach included what’s called a Standard Form-86, on which new hires (including military and intelligence officials) must reveal details that could make them vulnerable to blackmail or influence, including prior drug use, financial woes, and criminal convictions. The form also asks for ties to citizens of other countries; thus the hackers, if they are Chinese, would quickly be able to determine who has friends and family in their country.

Who pays for future damages when data is compromised?

[A] new case pending before the Supreme Court called Spokeo, Inc. v. Robins … centers around whether an unemployed Virginia man named Thomas Robins has legal standing to sue the search site Spokeo because it allegedly got details about his education, wealth and age wrong, which he says hurt his employment prospects. One sign of the interest in the case is the range of amicus (“friend of the court”) briefs filed, from companies including Facebook, eBay and Google, and credit monitors Experian and TransUnion. These companies house and often trade in data, and could potentially be open to huge class-action lawsuits.

Spokeo argues Robins hasn’t suffered concrete harm. And although his case is based on whether the company violated the Fair Credit Reporting Act, the ruling may have a broad impact on what standards companies are held to when it comes to protecting consumer data, and when consumers can sue.

Corporate lawyers and some legal scholars are hoping the court follows its logic in Clapper and decides that the plaintiffs lack standing because they have not suffered any injury yet.

[The journalists and human rights advocates who were plaintiffs in Clapper v. Amnesty International USA alleged they incurred additional cost and inconvenience protecting themselves against likely warrantless electronic surveillance of their international communications….In 2013 the Supreme Court ruled 5-4 against them, concluding that the fear of future harm from surveillance wasn’t enough for plaintiffs to have standing to sue.]

Dana Post, special counsel for e-discovery and data management at Freshfields Bruckhaus Deringer, says that a ruling for Robins in Spokeo could “open up the floodgate for lawsuits, in all contexts, but especially in data breach litigation. The mere allegation of a violation of a statute would allow their cases to go forward if Spokeo is affirmed.”

Legal precedent or a rapidly-changing technological landscape

That prospect similarly dismays Stephen Embry of the firm Frost Brown Todd, who sees a ruling for the plaintiff as a bonanza for trial lawyers. But he understands why the legal system finds itself struggling to interpret old case law in the era of tech entrepreneurship. “As lawyers, our whole mindset involves looking back at precedents, looking back at the past to decide future questions,” he says. “The technological revolution in entrepreneurship is the opposite, very forward-looking. You have a lot of statutes enacted for different times and situations that the court has to apply in dealing with modern day problems. There’s a real tension there.” As in Clapper, courts have to decide whether legal precedent stands or is trumped by the changes in our world wrought by the digital revolution.

Does a class-action settlement settle things?

There’s another legal fork in the road — the question of what options victims of data breaches have if they’re offered a class action settlement. “Let’s take Target,” says Barry Goheen, a partner at King & Spalding. “There’s a pending settlement for the consumers. Notice has gone out or will go out. That brings the class member to the decision point.” And if they don’t do anything, or happen to throw the notice out or it goes to an old address, then they are included in the settlement — and precluded from filing future lawsuits.

But, says Goheen, if someone has not participated in a settlement, “There should be no statute of limitations running. Six years from now, three years from now, if that person’s information is used to open an account,” then they have grounds to pursue a civil lawsuit. In many cases, it’s worth noting, a person whose information is used for financial fraud ends up getting reimbursed by credit card companies or banks, rather than seeking compensation from the company whose data was breached.

Keeping skeletons that belong in the closet…in the closet

Yet data breach victims aren’t only concerned with the financial bottom line. Many are more worried about doing the digital-era equivalent of constantly looking over their shoulder, waiting for someone to appropriate their identity, or dredge up some intimate, haunting secret they thought was long buried. It’s not likely that legislation or the courts can fix that.

ThreatMetrix
