It’s been said that bad facts make bad law. If that’s true then those who defend class action data breach cases better buckle down for some stormy seas. The facts surrounding the new Equifax breach couldn’t get much worse.
Equifax knew of the breach months in advance of when it announced it. It failed to take even the most simple precautions to prevent it. One key employee’s user name was reportedly admin. His password: you guessed it, admin. And some are claiming the breach was caused by the failure to keep the Equifax software up to date.
And the information held by Equifax was substantial. Names, addresses, health info, credit info, social security info. The most sensitive and valuable stuff. Not to mention the size: 140 million records were stolen.
And the fact that chief officers sold substantial stock in the company right before the breach certainly doesn’t help. Oh, and by the way, if you go to Equifax to check on your personal situation, you will be directed to a page where you can buy protection from…wait for it… Equifax.
All conduct that has received publicity. All conduct which could and will raise the ire of a judge looking at the case and deciding whether to allow it to proceed against Equifax as a class action.
By way of background, courts have been struggling with how to deal with data breach cases. The big issue is damage. Or better put, the lack thereof. In most data breach cases, it’s hard to find the more concrete, real damages that most courts are used to seeing in other kinds of cases. This makes determining whether standing for constitutional purposes exists a harder question for courts to deal with.
Ever since the Supreme Court decided Clapper, if not before, standing could be satisfied by a showing of actual damages or the “imminent threat” of actual damage. It is on the latter point that the federal circuits have split—some are more liberal and some more conservative. What is an imminent threat of harm when electronic records are stolen but not immediately used for fraud? Do the electronic records themselves and the resulting loss of privacy have value apart from any real use of them?
The plaintiffs’ argument is that we must force companies to be responsible when they put private records at risk. That privacy is a fundamental right. That it’s worth something. And that the mere theft of records by the bad guys itself shows the imminent harm—you wouldn’t steal the car keys if you weren’t going to drive the car.
The defense says that data breaches are inevitable and really can’t be stopped. How can you hold a company accountable for something that can’t be prevented? And not all hacks result in financial fraud or real damage. Indeed, so far none of the stolen Equifax information has appeared on hacker forums, which could suggest that the breach may not be financially motivated.
And as the data breaches mount, as I recently wrote, more and more courts seem willing to side with those whose personal information has been purloined even if it’s not used. And certainly, the more heinous the conduct, the more likely courts will allow actions to proceed: it just doesn’t seem fair or right that a case against an entity like Equifax should simply be dismissed and that they not be called on to account for their conduct.
So the pressure on the judiciary, even federal judges appointed for life, will be extraordinary. Can you imagine the news headlines if claims against Equifax are dismissed? The editorial comment? The backlash?
So for all these reasons, this is a situation where bad facts may result in a decision that wouldn’t otherwise be made. Once again, the judiciary will be called upon to make the square peg of technology and what it can do fit into the round hole of existing precedent, even though it doesn’t fit very well. And the solution is not obvious since, unlike most disrupters, the bind of precedent is particularly tight on judges and lawyers, making a more creative resolution – perhaps one that stops short of full-blown standing but recognizes the potential risk of harm – hard to implement.
Photo Attribution: GotCredit via Flickr.