Will the Equifax Data Breach Finally Spur the Courts (and Lawmakers) to Recognize Data Harms?

This summer 143 million Americans had their most sensitive information breached, including their name, addresses, social security numbers (SSNs), and date of birth. The breach occurred at Equifax, one of the three major credit reporting agencies that conducts the credit checks relied on by many industries, including landlords, car lenders, phone and cable service providers, and banks that offer credits cards, checking accounts and mortgages. Misuse of this information can be financially devastating. Worse still, if a criminal uses stolen information to commit fraud, it can lead to the arrest and even prosecution of an innocent data breach victim.    

Given the scope and seriousness of the risk that the Equifax breach poses to innocent people, and the anxiety that these breaches cause, you might assume that legal remedies would be readily available to compensate those affected. You’d be wrong.

While there are already several lawsuits filed against Equifax, the pathway for those cases to provide real help to victims is far from clear. That’s because even as the number and severity of data breaches increases, the law remains too narrowly focused on people who have suffered financial losses directly traceable to a breach.

The law consistently fails to recognize other sorts of harms to victims. In some cases this arises in the context of threshold “standing” to sue, a legal requirement that requires proof of harm (lawyers call it “injury in fact”) to even get into the door in federal courts. In other cases the problem arises within the claim itself, where “harm” is a legal element that must be proven for a plaintiff to win the case. Regardless of how the issue of “harm” comes up, judges are too often failing to ensure that data breach victims have legal remedies. 

The consequences of this failure are two-fold. First, there’s the direct problem that the courthouse door is closed to hundreds of millions of people who face real risk and the accompanying reasonable fears about the misuse of their information. Second, but perhaps even more important, the lack of legal accountability means that the companies that hold our sensitive data continue to have insufficient incentives to take the steps necessary to protect us against the next breach. 

Effective computer security is hard, and no system will be free of bugs and errors. 

But in the Equifax hack, as in so many others, the breach resulted from a known security vulnerability. A patch to fix the vulnerability had been available for two months, but Equifax failed to implement it even though the vulnerability was being actively exploited. This wasn’t the first time that Equifax has failed to take computer security seriously.

Even if increasing liability only accomplished an increased incentive to patch known security problems, that alone would protect millions of people.

The High Bar to Harm

While there are exceptions, too often courts dismiss data breach lawsuits based on a cramped view of what constitutes “harm.” These courts mistakenly require actual or imminent loss of money due to the misuse of information that is directly traceable to a single security breach.

Yet outside of data breach cases, courts routinely handle cases where damages aren’t just a current loss of money or property. The law has long recognized harms such as the infliction of emotional distress, assault, damage to reputation and future business dealings.1Victims of medical malpractice and toxic exposures can receive current compensation for potential for future pain and suffering. As two law professors, EFF Advisory Board member Daniel J. Solove and Danielle Keats Citron, noted in comparing data breach cases to the recent claims of emotional distress brought by Terry Bollea (Hulk Hogan) against Gawker: “Why does the embarrassment over a sex video amount to $115 million worth of harm but the anxiety over the loss of personal data (such as a Social Security number and financial information) amount to no harm?” “Why does the embarrassment over a sex video amount to $115 million worth of harm but the anxiety over the loss of personal data (such as a Social Security number and financial information) amount to no harm?”

For harms that can be difficult to quantify, some specific laws (e.g.