It happened to over 155 million people in the year 2020 alone. In a single year, it happened as people accessed Microsoft accounts, joined Zoom meetings, logged into Facebook, booked Marriott and MGM Resorts rooms, traveled by Amtrak, and shopped at Home Depot. Data breaches have put the confidential information of innumerable users and consumers at risk, often when they least expect it. But data breaches are a relatively new phenomenon, and many victims are not aware of exactly what happens when personal data is exposed during a breach, or what can be done about it.
What Is a Data Breach?
When a breach occurs, secure data is intentionally or unintentionally exposed to an unknown environment. Information is released without authorization, generally as the result of one or more of the most common ways data is leaked: hacking, malware or ransomware, vulnerable network systems, weak security measures, improper disposal of data-storing devices, or employee negligence or misconduct. The breached data may pertain to an organization, group, company, or individual, and includes sensitive information such as credit and debit card info, bank account numbers, user passwords and login credentials, and other forms of personally identifiable information (PII). Entities within the healthcare industry are statistically most likely to be the victim of a data breach. Government agencies, financial organizations, retail companies, and educational institutions also rank highly as potential targets.
Taking Legal Action
When you learn that your personal, sensitive information has been compromised, you want to know that there is legal action you can take to both seek compensation and prevent future incidents. Although it is a major international concern, data breach is a newly emerging issue, and the existing body of law dealing with this area is consequently new and often insufficient. Factors such as the types of claim a victim may bring, the value of the claim, and who the defendant should be in each situation are often left in a gray area.
One of the primary issues that evolving law is working to address is how to award damages. The damages incurred in a data breach do not always resemble the damages a victim may sustain in more common personal injury cases. While a car accident claim looks to tangible evidence of harm suffered by the plaintiff, current data breach legislation is grappling with the issue of how to define and assess damage as it relates to leaked personal information.
A difficulty which data breach lawsuits have faced is related to standing. “Standing,” in simple terms, refers to the right of a plaintiff to bring a claim against a defendant. The injured party must show that the legal criteria for standing are met. One of the criteria of standing is “injury in fact,” meaning that the plaintiff must show that they have suffered or imminently will suffer harm.
In past data breach cases, defendants have attempted to argue that there was not enough evidence to show that the plaintiff had actually been harmed by the unauthorized release of personal data. High-profile class action lawsuits filed against corporations including P.F. Chang’s and eBay gained attention for bringing awareness to this issue.
Attorneys advocating for plaintiffs in data breach cases are compelled to carefully consider how to address situations in which sensitive data is obviously compromised, yet the actual use of the data and its effect on the plaintiff is so far unclear or difficult to prove. Let’s take a look at a few types of damages that have been considered in data breach incidents.
Types of Damages
- Actual Misuse. In this most obvious example of damage that can result from a data breach, the personal information of the plaintiff is used to their detriment. This could include stolen funds, loss of property, fraudulent tax filing, damaged credit status, or even criminal activity in the victim’s name.
- Heightened Risk of Injury. When a data breach occurs and the company or organization fulfills their legal duty to notify the affected parties, the notice may come early enough that the leaked information has not yet been misused. In 2021, the U.S. Court of Appeals for the Second Circuit ruled that data breach victims have standing to sue even if they have not yet been subject to identity theft or fraud. This ruling supports the theory that the unauthorized release of private information puts people at increased risk of injury, even if the injury has not yet happened.
- Expectation Damages. Also referred to as “benefit of the bargain,” these are damages that are awarded when a contract is breached. The purpose is to compensate the injured party so as to allow them to return to the financial position they would have been in if the defendant had not caused harm. For example, in a 2014 case against retailer Target, data breach victims claimed they would not have shopped at Target if they had known the company was not sufficiently upholding its obligation to protect shoppers’ personal credit card data.
- Devalued Personal Information. Unfortunately, information such as credit card and social security numbers is highly valued by parties seeking to commit identity theft and fraud. Confidential PII can thus be sold at a very high price. If personal data has been compromised and released, it no longer holds its value. One form of damage plaintiffs have claimed in past data breach cases is the loss of value of their personal information which was leaked into unknown and untrusted environments.
- Consequential and Mitigation Damages. These additional damages can result from a data breach as a victim takes steps to regain security after a leak, conducting forensic searches, hiring credit monitoring services, or otherwise expending time, effort, and expense to return to the position they held before the incident. Plaintiffs have been able to claim, in some cases, that they would have been able to take appropriate measures (such as changing passwords or increasing network security) to avoid fraud or identity theft, if they had been aware that there was risk of a breach. Through a defendant’s negligence, however, victims were unable to take preventative action and were forced to fund their own recovery.
- Emotional Distress. As in other types of personal injury claims, damage can come in the form of emotional suffering. It is not uncommon for a victim of a catastrophic life event to experience persistent psychological trauma. Data breach victims may experience an ongoing fear of undertaking daily tasks and activities. They may also accrue long-term medical expenses as they pursue recovery from the emotional harm they sustained.
The Changing Landscape of Data Breach Law
As incidents of data breach occur at record frequency, as more people become aware of the injurious effects of leaked PII, as companies are repeatedly exposed for inadequate security measures, and as courts begin to take more seriously the damages incurred by data breach victims, the law is changing to reflect the public awareness of these problems.
There are multiple and continuing examples of recently changing legislation. The state of Connecticut passed a new law going into effect October 2021 to incentivize the adoption of cybersecurity standards for businesses, following in the footsteps of Ohio, which enacted similar legislation in 2018. In July 2021, the Office of Inspector General released a report that U.S. Customs and Border Protection (CBP) had failed to use adequate cybersecurity measures to protect travelers’ data and would implement eight new measures to increase security. In the same month, Microsoft took legal action to disrupt cyberattacks against the company and its customers, bringing public attention to the use of “homoglyphs” and other deceptive methods used to steal confidential data. Data breach lawsuits are now being handled with more thorough attention, with fundamental issues like standing and damage being reexamined in light of the complexities of data breach cases.
As we can see, things are changing in the legislative landscape for data breach cases. Lawmakers are realizing that there needs to be a better system in place to defend the rights of those whose private, personal information has been compromised. And attorneys are learning the need to expand their knowledge and understanding of this critical safety issue.
If your personal data has been leaked, the best thing you can do is reach out to a well-informed lawyer as soon as possible. You may be eligible to file a data breach lawsuit or take part in an existing class action lawsuit. To learn more about data breach law and what you can do to protect your private data, we invite you to speak with our team at The Solomon Law Group. Our firm may be able to help you.