Another day, another data breach, another lawsuit. On Sept. 22, 2006, a lawsuit was filed against AOL over its release of 19 million search requests affecting 650,000 subscribers. The suit was filed by three AOL subscribers as a class-action lawsuit where they would represent all of the victims of the release.
The AOL data breach is not the first such incident. In the September issue of Information Today, Phillip Britt reported that more than 190 data breaches had been reported between February 2005 and June 2006. In February 2005, ChoicePoint released information that data on more than 160,000 people was leaked to criminals posing as legitimate businesses. In May 2006, a laptop computer containing access to more than 26 million veterans and military personnel data was stolen from a Department of Veterans Affairs (VA) employee's home. At least two class-action lawsuits are pending over that data breach.
Lawsuits involving the VA, AOL, and others have been only part of the legal response. Congress has introduced at least 10 bills addressing data breaches and identity theft. Most of these bills would enhance criminal penalties for data theft, require additional safeguards on stored personal data, provide for quicker notification to consumers of data breaches, or give consumers greater ability to secure and protect their financial and credit data in the event of a theft. As yet, none of these bills have been enacted, and only a few have made it out of committee.
Without question, the data breach and identity theft problems are real and growing. The Federal Trade Commission recently estimated that as many as 10 million Americans are the victims of some form of identity theft each year. The cost of this theft is further estimated at more than $50 billion to U.S. businesses and $5 billion more in out-of-pocket expenses. Consumers are asking why the law can't protect them from this problem.
Legal Limitations
Unfortunately, the answer is that the law can, but it goes only so far in protecting against data breaches and identity theft. Many reported data breaches are the result of criminal activity. In the ChoicePoint case, criminals obtained the data through fraud. In the VA case, a laptop was stolen in what was likely a typical break-in, without the thieves targeting or even knowing that they possessed personal data. While hacking, phishing, and other types of information theft are already criminal offenses, the law is able to protect data only to the extent that people respect the law.
Another challenge of the legal response is that the owner of the data, ChoicePoint or the VA, is the "victim" of the crime. Data thieves are caught and prosecuted, and they may be fined, imprisoned, and/or required to pay restitution. But any restitution would go to the data owner and not necessarily to the people whose information was stolen.
Filing a Lawsuit
For those victims of data breaches, the civil justice system is the main available remedy. Lawsuits filed against ChoicePoint, the VA, and AOL (whose data breach was not caused by criminal action) are based on a combination of claims, most typically negligence, breach of contract, or in the case of the VA, violation of existing federal data security laws.
The negligence claim is the most common and tempting, but it can also be difficult to win. In a negligence claim, the victim, in this case the person whose data was compromised, must show four elements: a duty of care owed by the data owner, a breach of that duty, an injury to the victim, and that the breach of duty was the proximate cause of the injury. A February 2006 case involving a breach of student loan data arising from a laptop theft illustrates the problems.
Negligence law typically rests on what a reasonable person would do. Ruling in favor of the student loan data company, the court held that the company had complied with both the law and its own privacy policies. The law did not require perfect care; it only required reasonable steps such as security policies, training in those policies, risk assessments, and other safeguards. The court also found that having the data on the laptop was necessary for the company to process the information, and that both the company and the laptop owner acted reasonably.
What Is Foreseeable
Although the laptop was stolen, there was no breach of duty because the theft was found to be unforeseeable. Negligence law only protects against injuries that can be reasonably (there's that word again) foreseen. A criminal act by an unknown person is generally not considered foreseeable. While the evening news may tell us crime is common, the court held that a specific crime against a specific person at a specific time is generally not considered foreseeable.
Finally, the victim must actually suffer an injury. Negligence law considers this to be an actual financial loss or damage, not the "threat of future harm." Under this principle, you must show that you have actually been a victim of identity theft, not just that your data might have been or could be misused. If the actual cash damages from a data breach, which generally do not include the time spent resolving credit and other problems, are not great, the costs of pursuing a lawsuit may outweigh them.
The claim against the VA may have more success. First, as Britt's article reported, the VA inspector general found that the VA had ignored previous data security warnings, had weak management, and "dealt with lax rules." This makes a stronger case that the VA had a duty of care toward the information it held and that it breached that duty. Second, the case has been filed as a class-action lawsuit. Instead of one person trying to recover a few hundred dollars of actual damages, all potential victims are considered a single plaintiff, and the recovery for one is considered to apply to all. With more than 26 million potential victims seeking damages of up to $1,000 each, the potential $26 billion recovery (unlikely) becomes worth pursuing.
Federal Privacy Act
Third is a specific federal law that adds additional responsibilities to federal agencies that maintain databases of personal information. The Privacy Act of 1974 mandates that federal agencies create and maintain rules of conduct for the development, operation, and maintenance of personal records. It also requires safeguards against "any anticipated threat or hazard" to the records. In storing the records on a laptop and taking the laptop home, the VA is alleged to have violated the act by either failing to follow established procedures or having procedures that do not meet the act's requirements.
Unfortunately, the Privacy Act only applies to information obtained and stored by the federal government, such as military, tax, VA, and other records. It does not apply to private data providers such as ChoicePoint, AOL, and LexisNexis.
Other federal laws, including the Computer Fraud and Abuse Act of 1984, the Electronic Communications Privacy Act of 1986, and the Identity Theft and Assumption Deterrence Act of 1998, apply to private data providers and have strengthened criminal penalties for hacking and identity theft. However, they do not address standards for the protection of stored data. The Gramm-Leach-Bliley Act of 1999 requires financial institutions to develop and implement a data security program and to identify reasonably foreseeable risks to customer information. However, the act only applies to financial institutions and does not detail what specific steps are required.
New State Laws
A number of states have passed laws requiring data companies to notify customers about any data breach. California has enacted several laws requiring notice of security breaches, restricting Social Security number use, mandating the destruction of customer records that are no longer needed, and letting consumers determine whether personal information is provided to third parties. But state laws only apply within the state's boundaries, and they still don't mandate specific security rules or procedures.
Certainly, the law can be strengthened. The Senate is considering the Identity Theft Protection Act, which would extend the Privacy Act's requirements to anyone who maintains or uses personal information. The Data Accountability and Trust Act is a similar bill in the House of Representatives. Both proposals would require stronger data protection procedures, better means for resolving identity theft credit problems, and stronger penalties for data theft, including theft from laptop computers. Both bills have been reported out of their respective committees, but they still have not been voted on by the Senate or the House.
Determining Strict Liability
Will these proposals be enough if they are enacted? While they may make U.S.-based data thieves take notice, they will have little effect on data thieves operating outside the U.S., where much of the stolen data ends up. Some commentators have argued for an even stricter liability standard for data protection. If you have data and fail to protect it, you're liable. Period. Whether this is realistic is questionable.
But something definitely needs to be done. As I was about to compose this final sentence, my RSS newsfeed reported the theft of another laptop containing personal data on 50,000 people. Another day, another data breach.