The year 2005 really marked the beginning of the “era of data breaches,” and with it, the “era of data breach lawsuits.” The ChoicePoint data breach in late 2004, which first became newsworthy in early 2005, was the catalyst. That breach involved approximately 163,000 records, which by 2005 standards was a “major” data breach, and ChoicePoint was the first organization to notify the data subjects of a breach under what was then the country’s first (and only) data breach notification law – the California statute known back then by privacy experts simply as SB 1386. The media floodgates that opened in the aftermath of ChoicePoint’s notification set off a chain reaction that ultimately resulted in similar data breach notification statutes being passed in 47 states, the District of Columbia, and three U.S. Territories, as well as under various federal statutes, including the Gramm-Leach-Bliley Act and HIPAA. It also resulted in what is now commonplace in the wake of major data breaches – class action “privacy” litigation on behalf of data subjects, seeking millions of dollars in damages, under a dizzying array of legal theories.
What’s perhaps not widely realized is that, more than 10 years later, significant obstacles to would-be class action plaintiffs still exist. In fact, there is still a divide among various U.S. Circuit Courts as to what is necessary to even establish standing by data subjects in these cases. Many pundits have been theorizing for years that this issue of standing is finally about to be resolved in favor of plaintiffs. But even in the few courts where plaintiffs have achieved favorable decisions on standing, there still has never been a single jury verdict in a consumer class action data breach case. One reason for that is because not a single court in the country has ever even certified a class in such a case. Not one – in more than 10 years.
There have been many settlements, and many of them have been quite large. But the settlements have been driven mostly by the non-legal risks of data breaches – the public relations nightmare, the customer churn, the glare of the regulatory spotlight, and the mounting legal fees.
Still, what gets lost in all of this is that none of the underlying claims included by plaintiffs’ lawyers in the consumer class actions has been successfully litigated to a conclusion on the merits. Many of these underlying claims are based on so-called “rights to privacy.” But, in most consumer data breach cases, “private” information is not really what’s at issue.
What Do We Mean by “Privacy”?
Legally, when we have traditionally discussed rights of “privacy” in the U.S., what we mean has been heavily influenced by two important law review articles. The first article was written by Samuel Warren and Louis Brandeis (who ultimately became Justice Brandeis) – “The Right to Privacy” – published in the Harvard Law Review in 1890. The second article is entitled, merely, “Privacy,” penned by Dean William R. Prosser of Berkeley Law School and published in that school’s Law Review in 1960.
As for a definition of privacy, Warren and Brandeis famously described it as “the right to be let alone.” They wrote,
“It is like the right not to be assaulted or beaten, the right not to be imprisoned, the right not to be maliciously prosecuted, the right not to be defamed.”
Dean Prosser’s article catalogued the four privacy torts that courts had by then come to recognize:
- (1) intrusion upon solitude and seclusion;
- (2) public disclosure of private facts;
- (3) publicity placing a person in a false light; and
- (4) misappropriation of name or likeness.
The difference between these concepts of “privacy” and what we commonly deal with in consumer data breach cases is obvious. Consumer data breach cases commonly involve information that is not truly “private,” but what we have come to refer to as “personally identifiable information” or “PII.” This includes, among other things, payment card data, social security numbers, and physical and email addresses. But most of this information is not, in any sense conceived by Warren, Brandeis or Prosser, “private” at all. Payment card information is not private. It’s freely exchanged in merchant transactions and is, in fact, information that is intended to be shared. Name and address are not private. There was a time not long ago when everyone had a large book in their home listing the name and address of almost everyone in their city! Email addresses aren’t really private. They are commonly printed on business cards and posted on websites, Facebook pages, and more. Even a social security number is not truly private. It’s used – or “published” by the owner – for all kinds of purposes. For example, it’s shared freely when applying for credit, and every employer is privy to the social security number of every employee in its workforce. It’s notable that Warren and Brandeis argued, “The right to privacy ceases upon the publication of the facts by the individual, or with his consent.”
Thus, it’s a fair conclusion that much of the information commonly at issue in a consumer data breach class action is not really subject to a “right of privacy,” as we have traditionally thought about such rights in the U.S. What we are really talking about in data breach cases is not “privacy” at all. Rather, it’s data security. What is being litigated is not “the right to privacy,” but an expectation of data security. And data security is defined quite differently from privacy. Data security may be defined as “the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.”
The problem for plaintiffs in consumer data breach class actions is that, if one of these cases ever gets to the merits, there are very few, if any, laws in the U.S. that grant an individual a private right of action to challenge the practices an organization employs to defend information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. Moreover, the standards for what constitutes the correct set of practices are subject to interpretation. The answer is often – “it depends.” Certainly, with respect to consumer data breaches of PII, there is, as yet, no case law – from which the “common law” develops – that establishes which practices are adequate and which are insufficient. And with more than 10 years of litigation and not a single case that has even gotten past the class certification stage, the first case establishing such precedent is likely still far off.
Which means that plaintiffs in consumer data breach cases still have a long way to go.