The courts have yet again ruled that breached personal data does not equate harm. Earlier this month, the U.S. District Court for the Western District of Kentucky dismissed a lawsuit centered around a data breach at Countrywide Financial Corporation. The breach was one of those affairs where the use of data protection tools, like AlertBoot drive encryption software, have limited value because it was instigated by an insider. This fact was also the basis for tossing one of the claims by the plaintiffs: that Countrywide “furnished” information to third parties.
Summary of the Breach
According to the details I’ve found online, Countrywide suffered a data breach which was initially reported in August 2008. At that time, an employee was arrested and charged for downloading information on 20,000 customers every week and selling it to mortgage brokers over a period of two years. Based on an initial settlement reached in December 2009, approximately 17 million people were affected by the breach, although I’m reading a conflicting report that only 2.4 million were affected. Regardless of the actual numbers, I think we can agree that a lot of people were affected.
Some opted out of the 2009 settlement, which resulted in a brand new lawsuit. These new plaintiffs:
alleged that they suffered injury from the data theft because they were forced to take measures to protect themselves from identity theft, such as enrolling in independent credit monitoring service (despite being offered free monitoring by Countrywide) and spending time researching identity theft; and forced to cancel their telephone service after being inundated with telemarketing calls. [infolawgroup.com]
As the article at infolawgroup.com goes on to point out, they were essentially suing for future-oriented crimes: plaintiffs were seeking remuneration for what might happen, and not what had happened. And the courts have show time and time again that that’s not going to happen. The result was no different in this case.
Perhaps a silver lining for consumers is that the court did find the plaintiffs to have standing to sue. In most past cases, people suing companies over a data breach couldn’t even get their day in court. However, I’ve recently read of a couple of cases where lawsuits over data breaches do go through an actual trial.
However, the cases generally end up concluding that the plaintiffs don’t have a leg to stand on, as in this case.
Among the things pointed out which are just plain common sense: An employee that steals data from a company and resells that data to a third party doesn’t equate to “the company providing data to third parties,” which can be a violation of FCRA
I’m not sure why that even has to be pointed out, but I’m glad to see that’s been cleared up.
Related Articles and Sites: