I am a big fan of the SANS Daily Network Security Podcast (Stormcast) with Dr. Johannes Ullrich. Dr. Ullrich provides an overview of organizations that have been hacked that day and how they happened.
What he doesn’t explain, though, is what happens after the hack. The answer of course depends on the nature of the incident and what the attackers’ goal is.
If you are an EU resident (a ‘data subject’), you assume the government has your back. The GDPR (General Data Protection Regulation) created supervisory authorities in all countries.
These regulatory bodies have the power to fine any organization that violates a data subject. Several U.S. corporations, including Amazon (€746 million [about $841 million]), WhatsApp (€225 million [about $254 million]), Google (€57 million [about $64 million]), and Marriott (€23.8 million [about $27 million]), have all received fines.
Despite the scale of those penalties, the affected data subjects don’t receive recompense. Nevertheless, the threat of government enforcement has been sufficient to encourage compliance among European-based organizations.
In contrast, organizations in the U.S. feel a certain smug schadenfreude about their European counterparts. They believe that without the GDPR and with little chance of getting such laws passed in the U.S., they are free of government interference. The reality is quite different.
In the EU, lawyers cannot get contingency fees. These can add up to 40% of an award. In Europe, until quite recently, there was no such thing as a class action lawsuit. These lawsuits allow one lawyer or one law firm to represent millions of plaintiffs and get a large chunk of the total award.
With this sort of incentive, it is not surprising that plaintiff law firms have been trying to sue organizations that have lost data in a breach. There are millions of potential plaintiffs and the awards, even if small for an individual, can add up. But there is a problem.
Spokeo, Inc. v Robins
The problem is the U.S. Supreme Court case Spokeo, Inc. v. Robins, 578 U.S. 330 (2016).
Spokeo operates an online “people search engine” that aggregates information about individuals from online and offline sources. In 2010, a class action lawsuit was filed against the organization, alleging violations of the FCRA (Fair Credit Reporting Act).
The named plaintiff, Thomas Robins, claimed that he was unemployed, whereas Spokeo’s profile of him falsely stated that he worked in a professional field with a graduate degree. Robins’ profile also contained other incorrect information about his personal life, wealth, and age.
The court rejected the claim for not alleging “any actual or imminent harm.” Robins amended his complaint to allege employment, stress, and anxiety injuries. These claims were also dismissed, with the court explaining that the Constitution requires plaintiffs to allege an injury-in-fact that is “concrete and particularized.”
In February 2014, a unanimous panel of the United States Court of Appeals for the Ninth Circuit reversed the dismissal and remanded the case. It was deemed that Robins had alleged injuries sufficient to establish standing because the FCRA protected individual, rather than collective, rights.
Nonetheless, this incident demonstrates how difficult it is for plaintiffs to prove concrete harm in lawsuits. And it’s even harder when it comes to data breaches. Let’s say that you bought something at a retail store with your credit card.
The retail store’s database is hacked, and among the millions of records stolen are your credit card numbers, which are later used to buy a $4,000 television. One would think that you have suffered harm, but that may not be so.
Under federal law, your liability for a false credit card purchase is limited to $50. Most banks will waive this amount if the cardholder signs an affidavit explaining the theft. Retailers and banks will purchase insurance to cover the cost of the fraud. The holder of the card has no losses and therefore no case.
Spokeo stood as a bar to awards for many years, but the law changes over time. Today, cars have seat belts, products have warning labels, lawn mowers have automatic stop levers, and plastic bags instruct that they are not clothing.
All of these changes came about because of product liability. The law states that manufacturers are liable for the harm their product causes, but it did not always. For many years, there was no recovery if an unsafe product caused injury. Cybersecurity is no different.
Things are changing for victims of a breach and for the lawyers who represent them. There are two types of approach that plaintiff firms are using to allow their cases to go forward despite Spokeo.
One approach is to use laws like the California Consumer Privacy Act, which allows for a right of private action. The other is to assert that any hack can result in concrete damages.
Subscribe to our Weekly Round-up to get the latest cybersecurity news and tips delivered straight to your inbox.