According to idtheftcenter.org, the US has seen over 858 data breaches that involved over 29 million records in 2016 (to be more specific, up until November 8). The list of breaches does not include those that go unreported, for obvious reasons, or those that weren’t vetted by credible sources like state Attorney General offices or the news.
These numbers are nothing to be surprised about. The past ten years had data breaches numbering in the tens of millions of records and, in unusual yet not so rare cases, in the hundreds of millions. Indeed, this year should also be a “hundreds of millions” year, what with the Yahoo data breach that was reported a couple of months ago. However, idtheftcenter.org currently classifies the number of records exposed as “unknown,” most likely because it’s still being looked into.
These numbers are limited to the US, however. If you consider that the same thing is happening around the world, and has been happening for the past decade, it is astounding that nobody has come up with an implementable solution to this growing problem.
It is also astounding that nothing has changed in the past decade when it comes to individuals affected by data breaches, despite a better understanding of their ramifications. But it looks like the courts are reconsidering what these data breaches mean to ordinary people.
UK Courts – Awards for Psychiatric and Psychological Injury
This past week, a court in the United Kingdom ruled that
victims of a data breach, in this case asylum seekers, successfully sought compensation for the shock and distress caused to them by the accidental publication of their personal data. (jdsupra.com)
It turns out that the UK Home Office mistakenly uploaded to the internet unanonymized details of approximately 1,600 refugees. Of those, 6 people successfully made a claim for reparations and 2 of them won in court.
Now, these figures aren’t a resounding win for data “breachees,” although the two people who did win received £12,500 each. But, it’s worth noting that these were awarded in line with “awards for moderate psychiatric and psychological damage” (my emphasis).
This is unheard of when it comes to data breaches. Generally, people must show, shall we say, a “real” harm – something for which reparations can be made. For example, your neighbor accidentally trashed your car. The courts rule that he replace the car. Maybe you make your living with your car. So, the courts rule that he also compensate for unearned wages. You also experienced mental duress. Well… what price do you put on that? Chances are the courts will throw that one out.
A data breach brings up the question: what exactly needs to be made whole? It’s not as if your name is a secret. This goes for most of your personal information. Yeah, it’s personal, but it’s not a secret. You’ve probably given it out to complete strangers without thinking twice about it. And if you claim psychological duress because it was added en masse to the interwebs… well, what does that mean? Is that even a real thing, in terms of being harmed?
In 2003, California became the first entity to create a data breach notification law. Back then, it can be said that people generally had very little concern regarding data breaches because nothing seemed to come out of it. In 2016, the story is quite different. People are generally concerned due to the many ways personal information is used to commit fraud or is illegally monetized. You could say that many people are in a state of heightened anxiety when it comes to data breaches.
And with people from every walk of life being affected – including the same lawyers and judges who oversee proceedings – it seems like the courts are rethinking what it means to be the victim of a data breach.
On the other hand…
US – Anxiety Not a Claim for Damages
Around the same time that the surprising UK decision was announced, a US court ruled on a Barnes and Noble data breach from 2012. The court decided that customers whose information was breached didn’t really have grounds for compensation. Essentially, the ruling said that you can’t sue a company just because a data breach caused you anxiety.
The ruling was not surprising. It served merely to further hammer home the fact that it was nearly impossible for consumers to get satisfaction if they were embroiled in a company’s data breach. Yet, there is something of a silver lining here as well.
In past cases, a data breach lawsuit against a company was usually tossed out of court. In this case, at least the courts agreed to hear and judge the plaintiffs’ case. Granted, they lost for basically the same old reasons (apparently, some are calling this a Pyrrhic victory of sorts, in that it got to the courts at all).
But, it does show that some progress is being made, that people everywhere are more aware. Dare I say, the courts are beginning to admit that there’s something there, even if the law, as of yet, does not quite cover it, and are willing to look into it.