Course Correction—Data Breach as Invasion of Privacy
22 Pages Posted: 25 May 2018
Date Written: January 15, 2018
The news comes by e-mail. Your health insurer has been hacked. You’ve confided in your doctor, sharing some of your deepest secrets, even that you are HIV-positive. Among the records stolen in the data breach were the doctor’s notes. Your social security number, too, was compromised. You are distraught. Months go by and no one tries to steal your identity or commit any other crime using your personal information. Do you have any legal recourse against the insurer?
Data breach litigation has given rise to new questions, like whether claims may proceed against hacked companies in the absence of fraudulent account activity or actual identity theft affecting those whose information was lost. Courts have recognized a distinction between cases involving actual fraud or identity theft—or, at least, signs of a malicious hack—and cases not involving misuse, as where a thief may have broken into a car and grabbed a laptop without realizing what it contained. Plaintiffs in the first category, who suffered economic loss or were subject to intentional data theft, have been deemed to have standing to sue the hacked company for negligence and other alleged violations. In the second category, plaintiffs whose information was merely exposed, but never exploited, often find themselves out of luck. Highlighting this distinction, the court in Khan v. Children’s National Health System surveyed existing case law and suggested that plaintiffs can pursue damages if they “provide either (1) actual examples of the use of the fruits of the data breach for identity theft, even if involving other victims; or (2) a clear indication that the data breach was for the purpose of using the plaintiffs’ personal data to engage in identity fraud.”
However tidy this “Khan dichotomy” may seem, it is also incomplete. The Supreme Court’s decision in Spokeo, Inc. v. Robins supports applying the common law of privacy to personal data loss. Established privacy principles counsel against tying the fate of claims solely to the criminal intent of hackers or the presence of economic harm from data misuse. Against this legal backdrop, the Khan dichotomy of misuse vs. no misuse gives short shrift to the nature of the stolen information and the intangible harm that data breaches can cause.
The news in autumn 2017 that half of all Americans’ information had been taken from Equifax left many deeply rattled. As this collective experience shows, the dominant harm from data breaches lies not in low-level fraud but in the loss of private facts themselves and consequent damage of an intangible nature: anxiety, embarrassment, and distress. That these feelings are well founded should be uncontroversial, given the severity and increasing prevalence of identity theft. There is good reason why, even as many people are now resigned to their online searches and purchases being tracked, few would willingly list their medical facts or social security numbers on unencrypted websites.
Several early data breach cases involved the theft of payment card information. Within a few years, economic harm—traditionally incidental and at the periphery of privacy torts—gained a toehold at the core of data breach jurisprudence. A decade into this body of law, courts should embrace invasion of privacy principles, under which the legal rights of victims derive in part from the nature of the information exposed.
Not all types of hacked information carry the same status. Breaches of payment card databases, however large (as in the Target and Home Depot incidents), are of lesser magnitude than certain breaches of medical or governmental systems (as in the Anthem, Premera, and U.S. Office of Personnel Management incidents). A debit or credit card can be canceled or reissued. Private medical information can never be changed and is far more sensitive. Social security numbers—taken, for example, in the massive Equifax breach—can be hoarded and used to steal identities or tax refunds or to inflict other harm years later, after all applicable statutes of limitations have run.
Courts have too often skipped over this hierarchy of personal information in deciding data breach cases. Yet the common law of privacy necessarily looks to the nature of exposed information in determining whether its exposure would offend a reasonable person.
Spokeo recognizes that the common law should guide standing rules in the digital age. Although it was the negligence tort that dominated the early years of data breach litigation, breaches releasing highly sensitive information implicate privacy torts as well. Especially relevant are two aspects of the cause of action for intrusion upon seclusion. First, a defendant may be liable for enabling a privacy invasion even if the defendant did not carry out the invasion. Second, a plaintiff need not have sustained out-of-pocket loss to recover for a privacy invasion because the central damage is the invasion itself and the intangible harm it brings about. Under the common law of privacy, the nature of the stolen information—not just whether it has been misused—should figure prominently in data breach legal analysis.
Keywords: Privacy, Data Breach, Hacking, Standing, Damages