When data is leaked in or following a breach, many courts do not consider the attenuated and hypothesized chain of events between the leak and the eventual abuse of that data sufficient to create a cause of action. So, what incentive does a large data holder have to take preventative measures against breaches? Depending on the nature of the business or its controlling interests, it may be more profitable to gamble on less expensive security protections, since most data breach victims struggle to establish the actual injury required for a court remedy.
As previously quoted, former President Theodore Roosevelt famously said “complaining about a problem without posing a solution is called whining.” Here, the solution to this problem faced by data breach victims may reside with an unlikely source: dark web scanners.
In Steven v. Carlos Lopez & Associates, LLC, 422 F. Supp. 3d 801 (S.D.N.Y. 2019), the Southern District of New York denied standing to a class of persons whose personal data was accidentally leaked by a company employee in an email. Despite the data’s sensitivity, none of the 130 affected individuals could establish a concrete injury beyond the leak itself. Relying on Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013), Steven declined to engage with an attenuated chain of possibilities to establish standing, requiring evidence of “‘certainly impending’ identity theft or fraud, or even a ‘substantial risk’ of such harm” before the class’s claims could proceed.
In response to Steven, the Second Circuit Court of Appeals in McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295 (2d Cir. 2021) reinforced that “[w]here plaintiffs fail to present evidence or make any allegations that an unauthorized third party purposefully obtained the plaintiffs’ data, courts have regularly held that the risk of future identity theft is too speculative to support Article III standing.” By contrast, where plaintiffs demonstrate that a malicious third party intentionally targeted a defendant’s system and stole plaintiffs’ data stored on that system, the Seventh Circuit in Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015), found a greater likelihood that the plaintiffs sustained an injury sufficient to initiate a suit. According to Remijas, requiring “‘the threatened harm to materialize[,]’” before filing suit further diminishes the opportunity for recovery; and, “[w]hy else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”
But again, what if the data breach is accidental or difficult to trace to a malicious act? Many forensic analyses of compromised systems cannot definitively state that data was exfiltrated from a particular network. Rather, the analysts are confined to making statements like “it is moderately or highly likely” that data was stolen.
Therefore, finding evidence of an injury likely requires a dark web scanner. Available from most cybersecurity vendors, a dark web scan is a review of the large databases offered on the dark web for a particular customer’s information, which is often packaged for sale together with thousands of other people’s records. When data is stolen, it is usually sold or dumped onto a dark web server for sale to anyone looking to abuse a person’s information in a variety of ways (opening credit cards, applying for loans, etc.).
Although it is entirely plausible that any person’s sensitive data is already for sale several times over on the dark web as a result of several different breaches, the recent illegal marketing of that data that shares a temporal nexus with a particular breach may be sufficient to sustain an injury recognizable to a court. Even if a breach is due to clerical error and is not initially believed to result from a malicious act, that error may still result in the leaked data being marketed on the dark web. And, according to the dicta in Steven, Remijas, and McMorris, the imminent sale of that data through unlawful channels without the consent of the data owner closely mimics the “certainly impending” standard echoed by the courts.
Recommendation: data breach attorneys should retain dark web scanning services to gather evidence of the victims’ injuries on the dark web. Far from perfect, even surface-level scans of dark web data dump sites will flag most personal data, creating evidence of injury.
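As an added illustration (not part of the original post or any vendor’s product), the core of what such a scan does for the temporal-nexus argument above: the victim’s identifiers are hashed, compared against observed dump listings, and only listings first seen within a window after the breach date are kept as evidence. The listing ids, dates and identifiers are constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class DumpListing:
    """One observed dark-web listing (hypothetical vendor record)."""
    listing_id: str               # vendor-assigned id, constructed here
    first_seen: date              # date the listing was first observed
    identifier_hashes: frozenset  # SHA-256 of normalized identifiers

def normalize(identifier: str) -> str:
    return identifier.strip().lower()

def fingerprint(identifier: str) -> str:
    # Hash so neither the victim's PII nor the dump contents is handled in plaintext
    return hashlib.sha256(normalize(identifier).encode()).hexdigest()

def make_listing(listing_id, first_seen, identifiers):
    return DumpListing(listing_id, first_seen, frozenset(fingerprint(i) for i in identifiers))

def find_nexus(victim_identifiers, listings, breach_date, window_days=180):
    """Return (listing_id, days_after_breach, matched_identifiers) for listings
    containing the victim's data first seen within window_days after the breach.
    Listings seen before the breach are excluded: they evidence an earlier
    compromise, not this one."""
    wanted = {fingerprint(i): normalize(i) for i in victim_identifiers}
    hits = []
    for listing in listings:
        matched = wanted.keys() & listing.identifier_hashes
        if not matched:
            continue
        delta = (listing.first_seen - breach_date).days
        if 0 <= delta <= window_days:
            hits.append((listing.listing_id, delta, sorted(wanted[h] for h in matched)))
    return sorted(hits, key=lambda hit: hit[1])

# Constructed sample data: a breach on 2021-03-01 and four observed listings.
BREACH_DATE = date(2021, 3, 1)
VICTIM = ["Jane.Doe@example.com", "+1-555-0100"]
LISTINGS = [
    make_listing("L-0001", date(2020, 11, 10), ["jane.doe@example.com"]),  # pre-breach: older leak
    make_listing("L-0002", date(2021, 3, 20), ["JANE.DOE@example.com ", "+1-555-0100"]),
    make_listing("L-0003", date(2021, 4, 2), ["someone.else@example.org"]),  # unrelated person
    make_listing("L-0004", date(2022, 6, 1), ["jane.doe@example.com"]),  # outside the window
]

if __name__ == "__main__":
    for listing_id, days, ids in find_nexus(VICTIM, LISTINGS, BREACH_DATE):
        print(f"{listing_id}: victim data listed {days} days after breach ({', '.join(ids)})")
```

Widening the window pulls in later listings, so the window is an evidentiary judgment, not a constant.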