Privacy and personal data security - the new litigation frontier?
Widespread adoption of rules regarding security of personally identifiable information has been paralleled by a surge of class-action litigation against companies whose databases have been breached. They are a potential target beyond modern parallel. This setting potentially offers class action lawyers bountiful fuel. But courts and legislators should take a different path.
The fundamental policy issues require that we ask how much law should be given over to protect non-confidential, personal information and whether that law should be in a form of liability suits or non-litigation guidelines. Even if protection of non-confidential personal information is vital, laws grounded in rules not susceptible to high cost litigation and damage claims can better establish social expectations without causing a massive shift of value, largely to plaintiff’s lawyers.
There are two liability issues.
The first is whether the holder of the data owes a duty to the person about whom the data relate in the absence of an express assumption of such duty. This “duty” issue can arise in tort or under implied warranty rules in contract law.
Either way, no implied obligation should exist. Most courts so hold. The traditional rule is that a person who properly obtains non-confidential data has a right to use it. The fact that I know your home address does not create a duty to keep that information secure. Indeed, such information is known by many people.
Some information is delivered under confidentiality restraints or is sufficiently sensitive that an implied duty can be inferred. But the presumption should be that data is free from legal constraints unless there are over-riding reasons to restrict its use, or impose liability for its disclosure. No general obligation of maintaining security should exist. If it were created, we would face an unwarranted restriction on ordinary discourse and information sharing, socially and commercially. While there are some benefits in reference to a sense of data security, these benefits do not over-ride the benefits of being able to use and deploy the information one knows without fear of a lawsuit.
The second issue is the “damages” issue.
Even if a duty were created, no cause of action should exist if there are no proven, foreseeable damages cognizable under the particular cause of action chosen. The mere compromise of a database involving personally identifiable information does not necessarily lead to legally cognizable damages in the absence of a foreseeable and provable connection to actual harm to the data subject.
The damages most frequently asserted in security breach settings entails the risk that a wrong-doer may use the data for identity theft. But, while there have been numerous security breaches of identity theft incidents associated with those breaches has been very low. Thus, the litigation issue has been that, even if no identity theft occurred, is the distress and preventive actions caused by the risk of identity theft compensable. Most courts correctly hold that they are not.
In Forbes v. Wells Fargo Bank,420 F. Supp. 2d 1018 (DMN), the court held that a bank was entitled to summary judgment on claims of negligence and breach of contract because the plaintiffs had no damages. There were no unauthorized transactions and plaintiffs could not recover damages for a risk of harm unless that risk resulted from a present injury, that is, “the threat of future harm, not yet realized, will not satisfy the damage requirement.”
Similarly, in Pisciotta v. Old Nat. Bancorp, 2007 WL 2389770 (7th Cir. 2007), the court was asked to decide whether Indiana law would allow individuals receiving notice of a security incident to recover their costs for credit monitoring or emotional distress. The Seventh Circuit said no. An Indiana statute imposed an obligation to provide notice in the event of a security breach but not liability:
Had the Indiana legislature intended that a cause of action should be available against a database owner for failing to protect adequately personal information, we believe that it would have made some more definite statement of that intent. … The narrowness of the defined duties imposed, combined with state enforced penalties as the exclusive remedy, strongly suggest that Indiana law would not recognize the costs of credit monitoring that the plaintiffs seek to recover in this case as compensable damages.
The Seventh Circuit explained that plaintiffs had “not suffered a harm that the law is prepared to remedy. …”
Although, personal data security has become a burgeoning field in law, courts properly have shown a reluctance to impose an implied obligation to maintain the security of data of a non-confidential kind, regarding another party. A person rightfully in possession of such information has a right to use and disclose it – rights co-equal to the data subject. There is no actionable legal obligation to the other person, except for confidential or highly dangerous information.
There can be little doubt that will see a rise in litigation given the rise in reported data breaches.
makes sense to me
Carl Icahn made similar expressions regarding Yahoo about different matters. However, there seems to be a recurring theme of custodians and stewards improperly managing implied duties all around us! I enjoyed this. Thanks for sharing.
Great read. Very interesting topic...
dangerous line buddy. yearning to get more from your side :)
Seems plausible on its face, and I generally agree as to such things as telephone directories, magazine subscriber lists and retailer data bases. However, in a no liability world, some businesses inevitably push the envelope, and you get to systematically outrageous conduct for which litigation is the only solution.
Unfortunately that's what we have here. In a situation where litigation is restricted, consider: Essentially all banks provide highly sensitive information from credit applications, including name with social security number, to credit bureaus (Experian, Equifax, TransUnion) who in turn sell to data aggregators most people have never heard of (ChoicePoint, Acxiom, LexisNexis), who in turn sell to hundreds of thousands of customers (they won't say who) including all lawyers (whether or not in the debt collection business), all private detectives, all credit providers and anyone else with access to credit bureau reports, etc., etc. Any ChoicePoint customer can look up the SSN of all approximately 200 million Americans with credit of any kind. There have of course been repeated major breaches involving hundreds of thousands of individuals (e.g., ChoicePoint 2005, Seisint 2005, Ford Motor Credit 2004). Some breaches have led to systematic emptying of numerous innocent people's bank accounts.
Banks/credit bureaus engineered Gramm-Leach-Bliley to give them wiggle room to assert that these practices are legal under the statute. (I believe the practices are illegal under G-L-B, but there has been no such adjudication so far.) I understand that if I default on my credit card and disappear, it should be OK to look up my SSN in the effort to find me. But when I am current on all debt, I do not understand why several million people I do not know have access to look up my SSN behind my back.
You say there should be no implied duty. Are you so sure in the instance I describe? If it's OK with you for banks to sell SSNs as described, is it OK with you for them to sell customer annual income as disclosed on a credit application -- as to which the law on whether or not they can sell it (namely G-L-B and common law, which does not prohibit) is identical?
Important topic and nice article. I have always worrying about my privacy.