Another data breach lawsuit, another case that’s tossed out of court for “lack of standing.” When TRICARE was saddled with one of the largest data breaches of all time – over 4.7 million people affected when backup tapes were stolen from a parked car – it was certain that SAIC, the vendor who was at the center of the breach, would be sued. Less certain was whether the plaintiffs would see their day in court, although I had my own private reservations, seeing how the courts have been pretty consistent over the years: if you can’t prove that you were harmed by an event, you can’t sue for redress. The latest claim further strengthens this position.
But it’s not all déjà vu: the memorandum opinion that put the kibosh on this lawsuit is a pleasure to read, explaining a number legal concepts in plain language.
4.7 Million Affected, 33 Original Plaintiffs, 2 Remaining
One of the most surprising things about this case: the judges do math. After noting that “plaintiffs allege that data-breach victims in general are 9.5 times more likely
than the average person to experience identity theft post-breach,” they go on to show why the plaintiffs’ odds of becoming identity theft victims essentially falls to zero in this particular case:
In a society where around 3.3% of the population will experience some form of identity theft – regardless of the source – it is not surprising that at least five people out of a group of 4.7 million happen to have experienced some form of credit or bank-account fraud.
So one would expect 3.3% of TRICARE’s customers to experience some type of identity theft, even if the tapes were never read or misused. To quantify that percentage, of the 4.7 million customers whose data was on the tapes, one would expect around 155,100 of them to experience identity fraud simply by virtue of living in America and engaging in commerce, even if the tapes had not been lost.
The fact that only a handful of people can even realistically claim that they experienced identity theft that is linked to the TRICARE/SAIC breach means that (a) the thief or thieves are incredibly patient, having waited at least 34 months, and counting, to unleash a torrent of financial pain or (b) these handful of people are attributing their identity theft to the wrong data breach, and the tape was probably never accessed. Chances are, it’s (b).
And this, essentially, is what the entire case revolves around. Having established that the odds of their data having viewed are close to zero, plaintiffs’ claims are speculative and thus have no standing.
You’re Stressing Over Something that Could Be Something…or Nothing
An “increased risk of identity theft” which, as far as I can see, the courts don’t deny has happened, is not sufficient, even if the anxiety surrounding it is real:
This case presents thorny standing issues regarding when, exactly, the loss or theft of something as abstract as data becomes a concrete injury. That is, when is a consumer actually harmed by a data breach – the moment data is lost or stolen, or only after the data has been accessed or used by a third party? As the issue has percolated through various courts, most have agreed that the mere loss of data– without evidence that it has been either viewed or misused – does not constitute an injury sufficient to confer standing. This Court agrees.
Likewise, arguing that companies who’ve suffered a data breach should at least compensate data breach victims for the time, energy, and money they’ve spent trying to rectify the situation is unjustified. After all, you’re basing your actions not on facts but on the speculation that something might happen.
But the Supreme Court has determined that proactive measures based on “fears of. . . future harm that is not certainly impending” do not create an injury in fact, even where such fears are not unfounded….
Put another way, the Court has held that plaintiffs cannot create standing by “inflicting harm on themselves” to ward off an otherwise speculative injury. Id. The cost of credit monitoring and other preventive measures, therefore, cannot create standing.
Granted, that doesn’t mean that you shouldn’t do anything after a data breach. You’ve got to take precautions. It’s the smart thing to do. But “smart” does not the same thing as “having a leg to stand on in court”:
“objectively reasonable likelihood” of harm is not enough to create standing, even if it is enough to engender some anxiety…. Plaintiffs thus do not have standing based on risk alone, even if their fears are rational.
Nor is the cost involved in preventing future harm enough to confer standing, even when such efforts are sensible.
Sure, it seems a little crazy. But them are the rules, and until the rules change, potential victims of data breaches can only wait to become actual victims of data breaches if they want to win in court.
And even then, they have to be able to prove a causal link between the breach and their victimization.