According to ajc.com, lawyers argued last week, in front of Georgia’s Supreme Court justices, whether the threat of future harm to data breach victims is enough to receive compensation or if actual financial losses are necessary.
This is a far cry from years past, when courts used to toss out data breach lawsuits for lack of “legal standing,” which basically means that plaintiffs cannot even argue their case in front of the courts – the case is dismissed before it starts. However, the issue of standing – which is almost as old as the first data breach notification law, which went into effect in California in 2003 – has recently seen a shift in the courts.
A number of years ago, a handful of lower courts started ruling that lawsuits in which plaintiffs could not show concrete harm from a data breach could nonetheless proceed (although, truth be told, none of them has been successfully argued to date). Nevertheless, after over a decade of rulings in favor of companies – who, incidentally, are also victims, as they’ll loudly proclaim to whoever will listen – the tentative shift was nothing short of groundbreaking. Indeed, even the US Supreme Court indirectly made motions in that direction earlier this year.
Now, thanks to The Dark Overlord (TDO), an international hacker organization, Georgia’s highest court could very well be setting a precedent that will give conniptions to businesses.
Athens Orthopedic Clinic
In 2016, Athens Orthopedic Clinic and three other healthcare organizations were hacked by TDO. In AOC’s case, personal information for 200,000 individuals was breached via an unnamed third party and the hacker collective asked for a hefty ransom – $400,000 according to some reports.
The clinic refused to pay. (While this is supposed to be the idealized reaction to data security blackmail, reports have recently surfaced pointing out that paying could actually be cheaper for affected companies. Of course, paying would also perpetuate the cycle of hack, then blackmail, then hack some more, then blackmail some more, ad nauseam.)
The clinic also notified the patients who were affected, as required under HIPAA/HITECH, noting that the data included “names, addresses, Social Security numbers, dates of birth and telephone numbers.”
Three of the patients sued the clinic over the data breach.
And while Athens Orthopedic may be at the center of the Georgia Supreme Court case, the way was paved by a number of in-state entities that saw massive data breaches: Equifax, Georgia Tech, and Home Depot, among others. Equifax’s data breach, of course, currently holds the title of “largest US data breach ever.”
Per ajc.com, a number of justices seemed to sympathize with the plaintiffs.
The Obstacle for the Plaintiffs is Ordinariness
Despite the sympathy displayed by the justices, it’s hard to imagine that the plaintiffs will win this one, assuming that the stolen data was limited to “names, addresses, Social Security numbers, dates of birth and telephone numbers.”
The basis for the lawsuits, as far as I can tell, is that “obviously” this information will be used in some way in the future to the detriment of AOC’s patients. You’d be stupid not to make the assumption. However, what’s also obvious is that the stolen data, aside from being personal, is also very ordinary: this kind of information has been breached again and again (and again) by so many companies that it’s impossible to tell which company’s data breach was responsible for a particular set of data floating in the criminal underworld.
So, if AOC’s patients eventually are subjected to some crime – be it ID theft, medical services theft, phishing, etc. – it’s impossible to tell whether it’s AOC’s or some other company’s fault. For example, let’s say that 5,000 patients fall for some kind of scam. Since all 5,000 are AOC’s patients, it stands to reason that the crime can be traced back to the company’s data breach. This is the manifestation of the “future harm” the court is debating. However, because the information that was breached is so commonplace, it could also overlap with Equifax’s data security incident.
So, whose data breach was at fault for the 5,000 patients? AOC? Equifax? Both? Or some other unknown party, perhaps a medical insurance company who didn’t report anything and never got caught?
There are additional problems as well. Seeing how the courts (or anyone else, for that matter) cannot predict the future in any specific way, how do they determine how much compensation plaintiffs ought to receive for the purported “future harm”? The harm could be great, small, or beyond anything one imagined.
Does a company like AOC pay a sort of “down payment” and shell out more money if the future harm exceeds the value of this payment? What if nothing happens for 30+ years? Does AOC get the money back? What if something does happen, but it turns out that some other company is actually at fault, one whose case already made its way through the courts and which did not pay a “future harm” compensation to its customers?
One of the Georgia Supreme Court justices remarked:
“So we all have to wait until hundreds of thousands of people are victims of identity theft?” Nahmias asked. “Until that day your life is ruined you get nothing? That is a very odd view of the law.”
The thing is, not waiting but doing something today, before anything really happens (apart from the data breach itself, that is), could also be a very odd view of the law.