'Can Data Breach Claims Survive the Economic Loss Rule?' by Catherine M Sharkey in (2017) 66(2)
DePaul Law Review comments
Data security breach cases are fertile ground to explore the impact of the economic loss rule and to challenge the conceptual underpinnings of this judge-made doctrine. The extent to which the economic loss rule serves as a formidable barrier to credit card data security breach cases depends upon the underlying state law; in particular, whether a state adopts the majority or minority position on the rule, as well as how it defines various exceptions thereto. Upon closer examination, it becomes clear that the rule operates in a fundamentally distinct manner in the ‘stranger paradigm’ as compared to the ‘contracting parties paradigm’. What makes the credit card data security breach cases so vexing is that they often straddle the stranger/contracting parties paradigms. The credit card data breach cases can be reframed in a coherent way that defers to contractual allocation of risk and responsibility but nonetheless allows tort liability to be deployed when needed to ensure the internalization of third-party costs. Seen from a broader regulatory perspective – especially taking into account state statutory provisions relating to enforcement of private industry standards in the credit card arena – the economic loss rule functions as a boundary-policing doctrine between tort and regulation as alternative mechanisms to regulate private parties. Moreover, as a more robust third-party liability insurance market emerges in response to a greater threat of tort liability, insurers will engage in further risk management, exerting more potent regulatory control.
'Perspectives on Privacy, Data Security and Tort Law' by Robert L Rabin in (2017) 66
DePaul Law Review asks
In 2014, did you shop at any of these retailers who had consumer records compromised: Target (70 million records), or EBay (145 million records), or Home Depot (56 million records)? Did you have a health insurance plan through Anthem or Blue Cross prior to 2015 (80 million records)? Did you have a bank or credit card account with JP Morgan Chase prior to 2015 (83 million records)? Have you applied to work in the federal government in the past fifteen years (21.5 million records)?
Rabin responds
If you answered Yes to any of these questions, there is a good chance that your personal data has been stolen, leaked, exposed, or otherwise revealed to an unauthorized third party as part of a data breach.
Since 2005, more than 900 million records have been improperly exposed or accessed as a result of 5.041 million data breaches in the United States alone. In 2015, $15 billion was stolen from 13.1 million American consumers who were victims of identity theft, much of which could be traced back to data breaches. Corporations and governments also suffer: In 2014, the estimated cost per record lost or stolen due to data breach was $145. Given that over 85 million records were lost or stolen in 2014, corporations undoubtedly face substantial costs from data breaches. Even apart from data breaches, consumers face privacy risks from the misuse or misappropriation of their data by corporations.
Data breaches can be traced to three main causes: (1) malicious or criminal attack; (2) system glitch or malfunction; or (3) human error. In 2014, approximately 47% of data breaches resulted from malicious or criminal attacks, 29% from system glitches, and 25% from human error. Breaches due to malicious attacks were more expensive to resolve ($170 per record) compared to those that stemmed from glitches ($142 per record) or human error ($137 per record).
Certain industries are more affected by data breaches than others. In 2014, 42% of data breaches stemmed from the education sector, though these breaches only resulted in 9.7% of the total number of exposed records. In the same year, 33% of the total number of breaches came from the business sector (not including finance or healthcare), but these breaches resulted in nearly 80% of exposed records. The remaining breaches fall within the financial, health-care, or government sectors. Unsurprisingly, data breaches affect each of these industries differently. The education and healthcare sectors, for example, suffer the greatest costs-per-record-per-breach, at
$300 and $363 per record respectively, where the average cost per record released for any given data breach is around $154.
Estimating the effects of a data breach on individual consumers is more difficult. As noted, an increasing number of Americans have become victims of various forms of identity theft, which often results in monetary loss and a decrease in an individual’s credit score. Beyond identity theft, data breach victims are likely to feel that they need to mitigate future harm by replacing credit cards, closing accounts, and obtaining continuous credit monitoring. At a more basic level, consumers who have been victims of data breaches feel that their privacy has been violated. Little survey work has been published on these subjects, but it seems beyond dispute that data breaches have tangible effects that are widely felt among the American population.
Several recent cases help illustrate the risks and challenges posed by data breaches. During the 2014 holiday shopping season, hackers stole at least 70 million records from Target. Hackers obtained credit card information from 40 million consumers who shopped at Target between November 2014 and December 2014 by installing malware on Target’s systems. The same hackers also stole up to 70 million additional customer records, including mailing and email addresses, phone numbers, and names. In the months following the data breach, it was revealed that Target’s security system — installed by the well-reputed computer security firm FireEye — detected the breach before any data had been stolen. For somewhat unexplained reasons, Target’s security officials declined to intervene — in fact, they had even turned off a FireEye feature that would have automatically deleted the malware from the system (again for unexplained reasons). The result of this reportedly conventional and relatively unsophisticated malware attack was the loss of 70 million records, touching nearly one in three American consumers. Target did not realize that it had been hacked until federal law enforcement officials notified them on December 12, 2014, by which time it was too late.
In July 2015, the White House revealed that the records of 21.5 million people were stolen as a result of a data breach of the Office of
Personnel Management (OPM). “Every person given a [federal] government background check for the last 15 years was probably affected,” according to OPM. Hackers were able to steal names, social security numbers, biometric fingerprint data, travel information, addresses, and other sensitive personnel information as part of the OPM data breach. As in the Target case, there were warning signs over a period of years indicating that OPM’s computer systems were antiquated and at serious risk of intrusion, yet no action was taken to secure the vast amount of personal data until it was too late. The hack has since been blamed on elements associated with the Chinese government.The U.S. government has provided victims with credit and identity theft monitoring for three years, but this likely provides little comfort to national security experts concerned about the potential intelligence ramifications of government employees’ sensitive personnel files in the hands of the Chinese government. The OPM case shows that the negative effects of data breaches go far beyond identity theft and monetary loss. Anthem, one of the largest health insurers in the United States, suffered a data breach in 2015 that resulted in the exposure of 80 million patients’ records, including “names, social security numbers, birthdays, addresses, emails and employment information.” There was no evidence that sensitive medical records were stolen as part of the breach, but the loss of protected personal information was substantial. Investigators suspect that Chinese state-sponsored hackers were behind the Anthem breach as well. As in the OPM case, Anthem has provided victims with credit monitoring and identity theft protection.
Consumers face threats to their personal privacy wholly separate from the types of unauthorized data breaches described above. Most notably, consumers face risks that their personal privacy will be violated by unauthorized corporate access, misuse, or misappropriation of their data. These claims of corporate misconduct can be grouped under a separate umbrella of “data misuse” issues. Data breaches relate to the unauthorized access to personal information by a third party. Data misuse or misappropriation, by contrast, involves the authorized — at least at some level—access to information by the party that holds that information for unauthorized commercial or other purposes.
Statistics on the scope of this problem are hard to come by, given the less public nature of the problem and the less tangible and immediate nature of the harm. In many cases, corporations sell or transfer consumer data to a third party without clear authorization from the consumer. One prominent example was the ChoicePoint debacle of 2005. In that case, ChoicePoint, a prominent data trader, admitted to selling personal information of 163,000 California residents—which they possessed legally—to identity thieves. At least 800 consumers had their identities stolen because of this incident. This case raised difficult data privacy dilemmas: ChoicePoint existed to sell personal information to legitimate businesses, but instead, they provided this information to a ring of identity thieves who had registered fake companies. The Federal Trade Commission’s (FTC) enforcement action resulted in a $15 million settlement, which was the largest civil penalty in the FTC’s history at that time.
In addition to improper sales to a third party, some data misuse cases focus on a corporation’s use of consumer data for its own purposes—generally to provide targeted ads or products to consumers. In 2012, it was revealed that Google had placed tracking cookies on Safari users’ computers to collect data on their web browsing preferences in order to provide targeted advertisements. Google then
used this information to better target ads to users, in turn making their ad products more valuable to potential ad buyers. Presumably in response to consumer pressure, Safari, an Apple browser, created a tool to limit both the creation of cookies and the ability of cookies to track web browsing habits. In violation of a previous FTC settlement and its public pronouncements, however, Google proceeded to override the Safari tool and continued to use cookies to track Safari users. The result was extended litigation that eventually resulted in a $22.5 million FTC settlement.
A similar case was brought against Facebook for its use of members’ images in targeted advertisements known as “Sponsored Stories.” Unlike the case against Google, this was not a regulatory action brought on unfair competition grounds, but rather a class action brought on Right of Publicity grounds. The principal claim in this case, Fraley v. Facebook, Inc. — which is discussed further in the next section — was that Facebook misappropriated the plaintiffs’ images in paid advertisements without consent, and in so doing, unwillingly drafted them as unpaid and unknowing spokespersons for Facebook products. After the court denied Facebook’s motion to dismiss on newsworthiness grounds, the parties settled for $20 million.
Despite the successes just mentioned, the continuing problems of data breaches, data misuse, and the consequent failure of current laws to adequately deal with the problems is widely acknowledged. Notwithstanding the widespread recognition of the problems, there is little consensus on the appropriate legal mechanisms to prevent or punish data breaches or provide compensation to those harmed by such breaches. This Article surveys one approach to dealing with these problems: The pathways available through tort law.
But tort, of course, is not the only strategy for addressing the data breach concerns. Current legal approaches to dealing with data breaches can be divided into three main categories. First, regulatory strategies aimed at setting standards of data protection through stateBut tort, of course, is not the only strategy for addressing the data breach concerns. Current legal approaches to dealing with data breaches can be divided into three main categories. First, regulatory strategies aimed at setting standards of data protection through state and federal laws, and enforced either through the courts or federal administrative agencies. Second, information disclosure laws that require entities suffering data breaches to reveal to victims that their information has been lost or stolen, with the general hope that the market will favor companies with fewer breaches and thus provide competitive incentives for companies to protect data. And finally, ex post tort liability that allows victims to sue for damages, with the twofold goal of compensating victims and shifting the incentives of companies holding private data toward better data protection practices.
Before turning to tort (the third of these approaches), I will provide an overview in Part II of the regulatory enforcement and information disclosure strategies for addressing the problem of data breach. And following my assessment of tort remedies in Part III, I will offer some concluding thoughts, in a final Part, including a brief reprise on the potential for more proactive federal regulatory action under the mandate of the FTC.