
Consumer Affairs

Courts Rule Against Data Breach Victims

Judges rule that actual, not potential, harm must be proven


September 3, 2007
Individuals affected by massive data breaches have regularly filed lawsuits or joined class-action lawsuits against the offending company or agency in order to seek restitution for their personal lives being put at risk.

But several recent court decisions have weakened the individual's right to sue in case of a breach, ruling that the lack of actual harm precludes the plaintiffs from having a case.

An Ohio judge tossed out a lawsuit brought by two graduates of Ohio University over the institution's massive data breach by outside hackers. The judge ruled on August 29 that the plaintiffs failed to prove that specific harm had been caused as a result of the breach.

Donald Kulpa and Kenneth Neben claimed that Ohio University had failed to effectively protect their privacy, while the university argued that their suit was based on "vague fears" of potential damage in the future.

University president Roderick McDavis said that the university had already undertaken a top-to-bottom reconstruction of its information technology department to prevent further breaches.

"I understand how people felt when they learned that their data may have been exposed, because I was one of those people," McDavis said in a statement. "It can be frightening to think your personal information could be vulnerable."

"No individuals have suffered losses from this, though, and we remain hopeful that no one ever will," McDavis said. "I am pleased that the court agrees."

The Ohio University judgment followed a similar ruling in a lawsuit against Old National Bancorp over a 2005 data breach that exposed Social Security numbers and personal information.

The U.S. 7th Circuit Court of Appeals ruled on August 23 that the plaintiffs' claim of suffering "substantial potential economic damages" was insufficient, and that they had to demonstrate actual concrete damage from identity theft before being able to legitimately sue to seek restitution.

Victims of data breaches have exceptional difficulty proving actual harm in court, due both to the high number of data breaches in recent years and to the fragmented trail from a data breach to a case of fraud. Sophisticated hackers and data thieves will take data purloined from an outside hack or stolen equipment, and mix it with data from other sources to create "synthetic" identities that can fool credit agencies and fraud detection systems into thinking they are the genuine article. It can take months, or sometimes years, before a case of fraud or theft can be definitively linked to a data breach. A fraud ring operating in Florida was arrested in March 2007 for scams involving data stolen from the TJX company, in a massive data breach that went on for at least two years prior.

The financial industry and federal government agencies largely favor a "risk-based" notification standard, where consumers would only be notified of a breach if there was a direct threat of immediate harm.

Privacy and consumer advocates argue that any breach can potentially lead to identity theft, and are pushing state legislatures to pass stronger laws guaranteeing the right to sue an entity in case of a breach.
