Unauthorized PI Access: A Compensable Injury (in court)
The recent recognition of data breach victims as litigants with actual injuries resembles previous trends in law. In 1964, Title VII of the Civil Rights Act was enacted, prohibiting employment discrimination based on race, color, religion, gender or national origin. While technically illegal, employment discrimination continued for “a while” before becoming taboo. Now, there are countless manuals and training programs designed to prevent illegal discrimination, as employers recognize the extreme risks of such behavior. Data breaches and responses to them are following a similar temporal trend.
Prior to the massive Equifax data breach, being caught in a data breach was alarming (if it was even known) but those affected were without remedy or recourse. Now, courts are recognizing standing and, with a basic understanding of commercially reasonable cyber hygiene, applying a negligence standard to evaluate causation and damages.
A recent and very thorough review of what constitutes standing in a data breach case was provided by the United States District Court for New Jersey in In re Am. Med. Collection Agency Customer Data Sec. Breach Litig., Civil Action No. 19-md-2904. In a December 16, 2021, opinion, the Garden State’s federal district court held that an unauthorized "disclosure of private information" is a recoverable injury.
The defendants in this ongoing lawsuit are healthcare providers and medical diagnostic companies, including Quest and LabCorp (blood testing, urinalysis, and biopsies). These defendants hired Retrieval-Masters Creditors Bureau, Inc. d/b/a American Medical Collection Agency ("AMCA") to perform collections, giving AMCA sensitive patient information so it could recover unpaid bills. The affected patients are now suing AMCA and the providers in a class-action, multi-district litigation.
Between late 2018 and March 2019, a hacker gained access to AMCA’s network and stole the private information of millions of patients. Plaintiffs claim ineffective and/or non-existent notice of the breach and resulting harms such as identity theft. Plaintiffs also alleged that the defendants, including AMCA, failed to properly protect their patients’ personal information.
AMCA learned of the breach only from a company called Gemini Advisory, which identified several compromised payment cards for sale while monitoring dark-web marketplaces. Gemini conducted an analysis, which concluded that the information was likely stolen from AMCA's online portal. Gemini notified AMCA but received no response, and then proceeded to contact law enforcement. Three months later, Quest and LabCorp announced the breach through SEC filings, before posting information about the data breach on their websites and sending personal notices to impacted customers.
Plaintiffs further argued that the defendants did not employ industry-standard safeguards to investigate AMCA before supplying patient information to it. This claim is buttressed by the fact that AMCA never detected the data breach on its own and ignored Gemini Advisory’s warnings, showcasing a gap in its security capabilities and knowledge. AMCA also allegedly failed to maintain appropriate procedures for encrypting, destroying, and archiving personal information.
To evaluate the claims, the Court looked for two primary elements: a concrete injury “in both a qualitative and temporal sense,” and particularization (the injury "affect[s] the plaintiff in a personal and individual way"). With compromised personal information, the Court held that “plaintiffs in information security and data privacy cases raise unique issues with respect to standing,” since speculation that a plaintiff's data "may have been accessed" in a large data breach is insufficient.
A potential plaintiff must show that his or her information was disseminated against his or her will, but an additional showing of direct economic injury is unnecessary.
The Court ruled that “intangible harms are sufficiently ‘concrete’ to establish an injury-in-fact where they share a ‘close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts.’” And, “an unauthorized ‘disclosure of private information’ is among these harms.”
With the elements of negligence similar in each state (duty, breach, causation, and damages), the court found that the plaintiffs sufficiently pled that the defendants breached their duty to take reasonable efforts to safeguard Plaintiffs' personal information by, among other things, providing information to AMCA when they "knew or should have known that AMCA's web payments page was vulnerable to unauthorized access by third parties," and by failing to implement measures to monitor, audit, or evaluate AMCA's data security practices to ensure compliance with industry standards.
The only plaintiffs refused by the court were those individuals who failed to allege facts supporting an inference that their information was accessed, stolen, or misused. Accordingly, such plaintiffs were unable to show any of the following: (1) an increased risk of future identity theft; (2) expenses incurred to prevent future identity theft; (3) the allegedly diminished value of their personal information; and (4) a lost "benefit of the bargain" regarding the services purchased from defendants.
The underlying lessons here are: 1) Evaluate a vendor’s cybersecurity practices before sharing personal information with it; 2) Immediately respond to reported or suspected data breaches; and 3) Data encryption can prevent a breach from becoming a loss. Hacking is often a high-volume business, and wasting time trying to decrypt stolen data, especially personal information, is not worth the time and effort for cyber-criminals.