Show Notes

Our podcast today is possible thanks to support from Experian and Abine. Make sure to subscribe for future podcast episodes!

Show Transcript

The Weekly Breach Breakdown Podcast by ITRC - Measure For Measure - S2E25

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for August 27, 2021. Our podcast is possible thanks to support from Abine and Experian. Each week we look at the most recent events and trends related to data security and privacy. Today we dive into a subject we haven’t explored before, and for good reason – filing a data breach lawsuit. It’s a bit complex and a little dry. However, it is very important when it comes to the concept of justice for victims of data breaches. So, bear with us as we talk about the legal idea of standing and what recent court rulings mean when it comes to the ability for data breach victims to sue for damages in federal courts.

Shakespeare mentioned the legal profession more than any other, outside of royalty, devoting several of his plays to various concepts of justice. One of his dark comedies – Measure for Measure – is even named for the very concept of justice: punishment should fit the crime.

That’s a concept that cuts both ways – for and against defendants in criminal courts, and the same is true of plaintiffs in civil trials where money damages are the punishment.

“Standing” Needed to File a Civil Data Breach Lawsuit

To file a civil lawsuit in federal court, you must have what is called “standing.” You must have a valid reason to stand at the bar of justice. For years, U.S. courts have been split over what is a good reason when it comes to the standing of a person whose personal information has been exposed in a data breach. Some courts said the mere threat of harm was enough to justify a data breach lawsuit. Others ruled that no, proof of actual harm was required before a data breach lawsuit could be filed. After a data breach, your ability to sue for damages had more to do with where you lived than what happened to your data.

U.S. Supreme Court Sets A New Standard for Data Breach Lawsuits

Earlier this year, though, the U.S. Supreme Court issued a major decision that set a new standard: People impacted by data errors cannot file a data breach lawsuit for damages unless there is actual, probable harm. Inconvenience or the threat of harm no longer counts as an acceptable reason in some federal courts. Now, plaintiffs filing lawsuits based on those kinds of claims lack standing. No standing = no lawsuit.

Now, you may have noticed the subtle distinction that the Supreme Court decision was based on data errors, not data breaches. How very observant of you, and you are correct. However, it’s called the Supreme Court for a reason. Lower federal courts are bound to follow the decision of the Supremes and are now applying the new standard to similar but not identical cases.

Ohio Sixth Circuit Court of Appeals Ruling

This week the Sixth Circuit Court of Appeals based in Ohio ruled that a person lacked standing to sue, even though their credit score dropped because their mortgage lender reported, by mistake, that they had failed to make a payment. The lower credit score was inconvenient but not harmful, according to the Court.

What It Means for Data Breach Lawsuits

What does this have to do with data breaches? A data breach lawsuit is subject to the same rules for filing a claim. That means data breach lawsuits are all but guaranteed to be tossed out of court unless there is actual harm from the breach at issue. That’s very difficult to prove in the best of times. When there have already been more than 1,100 data breaches reported this year, how do you prove which data breach caused the harm?

That doesn’t even begin to address the bigger issue that identity criminals don’t always use the data right away, or only once. The risk of harm down the road is high, and the ITRC’s 2021 Consumer Aftermath Report shows nearly three in ten identity crime victims are hit a second or third time, sometimes before the original impacts are resolved.

What Can Be Done?

Congress can make it clear that organizations that fail to protect data can be sued based on the risk of future harm. Or states can pass their own laws allowing data breach lawsuits based on potential damages.

However, the reality is that this is the exact situation that Shakespeare wrote about in Measure for Measure: “O just, but severe law.”

Contact the ITRC

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours. Just visit www.idtheftcenter.org to get started.

Thanks again to Experian and Abine for supporting the ITRC and this podcast. We’ll be back next week with another episode of the Weekly Breach Breakdown.