Recently, the US Court of Appeals for the Third Circuit concluded that “the improper disclosure of one’s personal data in violation of FCRA [Fair Credit Reporting Act] is a cognizable injury for Article III standing purposes.”
In other words, people can go to court over data breaches and data breaches alone; there is no need to show that you were adversely affected by events following a data breach (for example, by proving that your data was misused by hackers).
Of course, this doesn’t guarantee that an individual will win in court. However, it does mean that anyone whose personal information was stolen as part of a data breach can, at least, see the inside of a court. For the past ten years or so, most (if not all) judges ruled that plaintiffs in such lawsuits didn’t have “standing” and their cases were “summarily dismissed” from court. That’s a fancy way of saying that the courts booted the cases and moved on to other stuff.
When it comes to lawsuits revolving around data breaches in which personal information was compromised, this won't be happening anymore in the Third Circuit, which covers Delaware, Pennsylvania, and New Jersey. Hopefully, other circuits will begin to see data breaches in the same light.
Theft of Unencrypted Laptops
What led to this legal development? It started in 2013, with the theft of two laptops, Apple Macintoshes to be precise. These computers contained personal and medical information. Encryption was not used, despite the fact that Apple has shipped encryption at no extra cost for years: the original FileVault (introduced in 2003) encrypted the user's home directory, and FileVault 2 has provided full-disk encryption since OS X 10.7 Lion in 2011, two years before these laptops went missing. Not an ounce of hyperbole is added when I observe that, on hardware with AES acceleration, everyday performance of a Mac is effectively unaffected by FileVault. Plus, since these machines were already "password-protected," users wouldn't have had to jump through any additional "security hoops": FileVault unlocks the disk with the same login password.
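The paragraph above makes the point that the missing control was cheap and already installed. The obvious operational follow-up is to check, fleet-wide, whether it is actually turned on. The script below is an added example written for this page, not code from the original article or from Apple; it parses the output of macOS's `fdesetup status` (which exists, and prints "FileVault is On." or "FileVault is Off.", with an extra "Encryption in progress" line while encryption is still running, a format assumed here from observed output) and yields a pass/fail result that a compliance job can act on. The fallback sample string is constructed so the script also runs where `fdesetup` is absent.

```shell
#!/bin/sh
# Audit helper for FileVault (macOS full-disk encryption).
# Added example, not part of the original article.

# filevault_state TEXT
#   TEXT is the output of `fdesetup status`. Prints one of:
#     on         - disk fully encrypted
#     encrypting - FileVault enabled but encryption still in progress
#     off        - FileVault disabled
#     unknown    - unrecognised output (treat as a failure, never as a pass)
filevault_state() {
  case "$1" in
    *"FileVault is On."*)
      case "$1" in
        *"Encryption in progress"*) echo "encrypting" ;;
        *)                          echo "on" ;;
      esac ;;
    *"FileVault is Off."*) echo "off" ;;
    *)                     echo "unknown" ;;
  esac
}

# filevault_required TEXT
#   Exit status 0 only when the disk is fully encrypted. "encrypting" is
#   deliberately a failure: a laptop stolen mid-encryption still leaks
#   whatever blocks have not been processed yet.
filevault_required() {
  [ "$(filevault_state "$1")" = "on" ]
}

# Stand-alone use: read the live status on macOS, otherwise fall back to a
# constructed sample so the script is runnable anywhere for demonstration.
if command -v fdesetup >/dev/null 2>&1; then
  status_text=$(fdesetup status)
else
  status_text='FileVault is Off.'   # constructed sample, not real output
fi

if filevault_required "$status_text"; then
  echo "PASS: full-disk encryption is on"
else
  echo "FAIL: full-disk encryption state is '$(filevault_state "$status_text")'"
  echo "      remediation: run 'sudo fdesetup enable' (or push it via MDM)"
fi
```

Run it under a scheduled job or an MDM script and alert on any host that does not print PASS; the remediation command shown, `fdesetup enable`, is Apple's own and prompts for an administrator's credentials.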
The owner of these laptops? Horizon Blue Cross Blue Shield of New Jersey, a company that’s been involved in laptop-related data breaches before.
Apparently, the only security was the cable lock that tied the laptops to their desks, and the computers' location on the eighth floor of Horizon's headquarters. Under HIPAA, whose Security Rule makes encryption an "addressable" rather than a required safeguard, this could arguably have passed as adequate security.
However, from the FCRA standpoint, it isn't. As the Third Circuit pointed out, the purpose behind FCRA is consumer privacy. The fact that one's personal information has been transferred to persons unknown (that is, the data was readily accessible once the machines were stolen) means the company is potentially in violation of FCRA. The use of encryption, of course, could have laid this to rest three years ago, when the laptops were stolen: an encrypted disk in the hands of a thief discloses nothing. Instead, here we are.
If things continue on this course, we could see a greater number of companies taking a careful look at their use of encryption, or lack thereof. Unlike federal laws and regulations like HIPAA that are limited in scope, or the patchwork of state laws that supposedly govern data security and privacy (which also fall prey to "standing" issues), FCRA affects many companies across many sectors.