The Georgia Supreme Court will weigh in on whether a data breach victim has to suffer actual financial loss before he or she can sue for damages.
When a data breach hits the headlines, the work is just beginning. The organization has to investigate the extent of the breach, identify who was affected, and come up with a plan to fix the issue so that the breach won’t happen again. The executives worry about the prospect of lawsuits and potential regulatory fines. The victims have to set up anti-fraud protections, such as buying identity theft protection, credit monitoring, and credit freezes. They have to scrutinize their financial statements for signs of fraudulent activity or other types of theft. There is very little the individual consumer can do to control the damage.
One way for the victims to hold the organizations responsible is to sue—to bring a class-action lawsuit—for negligence (for the data being stolen and putting them at risk). The courts, however, have been divided on whether or not the data breach victims are allowed to sue if their data has not yet been used fraudulently or if there was no follow-up attack using the stolen information. Some U.S. District Courts have allowed lawsuits against Home Depot, Target, Anthem, and Equifax to proceed. Other courts have dismissed lawsuits because the victims could not show they have been harmed by that particular breach.
The Georgia courts thus far have ruled that victims cannot recover damages—the costs incurred to set up protections—if they could not show injury, and it is the Georgia Supreme Court’s turn to address the question.
On Aug. 20, the Georgia Supreme Court heard oral arguments in a class-action suit related to the June 2016 data breach at Georgia-based medical facility Athens Orthopedic. An attacker going by the name “Dark Overlord” stole personal information including names, addresses, dates of birth, telephone numbers, Social Security numbers, and health insurance details of 200,000 current and former patients. Athens Orthopedic advised victims to place fraud alerts on their credit accounts. The clinic did not provide identity theft monitoring or any other supporting service as recompense to the victims of the breach.
Three of the victims sued the clinic for negligence and breach of implied contract. The plaintiffs wanted compensation for the fees already paid, and future fees, for credit monitoring and identity theft protection services since they had to obtain them out of concern of what could happen after the data breach. These costs were “classic measures of consequential damages” because they were incurred to mitigate “foreseeable” damages, the plaintiffs argued. The court dismissed the lawsuit in June 2017, and the Georgia Court of Appeals ruled 2-1 that “costs of prophylactic measures” were “not recoverable damages.”
While some of the data was offered for sale on criminal forums and some information was publicly available on text-sharing site Pastebin, the plaintiffs could not point to actual fraudulent activity or theft that occurred as a result of the data breach. The courts said the victims needed to provide evidence of future harm that was not based on speculation. In other words, the plaintiffs would have to show evidence a crime would be committed against them before it happened.
During oral arguments, the Georgia Supreme Court justices asked the clinic’s attorneys what they expected the patients to do after learning they were part of a data breach. According to the Atlanta Journal-Constitution, Justice Sarah Warren said the “Dark Overlord” showed nefarious intent in stealing the information, and Justice Nels Peterson said the patients had a duty to mitigate what could happen next.
Justice David Nahmias asked if a person who was mugged and had their keys stolen should change locks to make sure the mugger didn’t break into the house or office next. He did not seem to think that waiting for people to be victims of identity theft was the answer.
“Until that day your life is ruined you get nothing? That is a very odd view of the law,” Nahmias said, according to the AJC report.
Implications Beyond Georgia
The Georgia Supreme Court is just the latest in a long line of courts that have grappled with the question of whether data breach victims can sue before their data is fraudulently used. The U.S. Supreme Court held in Spokeo v Robins that plaintiffs must demonstrate that an “injury in fact” has occurred, but did not clarify whether “risk of future harm” qualified as an injury.
The U.S. Court of Appeals for the Seventh Circuit said in Lewert v PF Chang’s China Bistro that “all class members should be allowed to show that they spent time and resources tracking down possible fraud, changing automatic charges, and replacing cards as a prophylactic measure.” The U.S. Court of Appeals for the District of Columbia, Third Circuit, Sixth Circuit, and Ninth Circuit have ruled similarly.
The U.S. Court of Appeals for the Fourth Circuit held in Beck v McDonald that plaintiffs “failed to establish a non-speculative, imminent injury-in-fact.” The U.S. Court of Appeals for the Second Circuit, First Circuit and Eighth Circuit have ruled similarly.
How the Georgia Supreme Court decides this case will have broad implications, not just within Georgia, but for data breach victims elsewhere. The plaintiffs argued during the oral arguments that, with the increasing number of data breaches, future victims need to know exactly what their legal rights are, if any, and how they can go about protecting those rights.
“By ruling that the plaintiffs have failed to allege a compensable injury, the message delivered thus far in this case has been that data-breach victims in Georgia have no legal rights, regardless of how careless the defendant’s data security practices may have been,” the plaintiffs’ attorneys argued in their brief.
If the victims cannot hold the breached entity accountable, the attorneys argue, nothing changes. “It [Athens Orthopedic] continues to store the plaintiffs’ personally identifiable information on computer systems that employ the same lax security measures that permitted the hacker to access and steal the plaintiffs’ information,” the attorneys said.
From the breached entity’s standpoint, it is difficult to show that a particular data breach is directly responsible for fraudulent charges on a credit card. Ironically, the sheer number of data breaches makes it even harder to pinpoint which incident led to the fraud. There may also be an expectation that most people already have some kind of identity theft protection, again because there have been so many breaches already.
The fact that there is confusion on whether data breach victims have to prove actual fraud in order to bring a class-action lawsuit affects enterprise risk assessment and breach response planning, too. Enterprises can’t assess whether they have all the pieces in place to respond effectively in case of a data breach if they can’t properly assess the associated costs of a lawsuit.
The Georgia Supreme Court is expected to return a decision within six months, but it definitely won’t be the final word on the matter. Data breach victims and breached organizations will continue to battle the question in courts for years to come.