Nearly a decade ago, identity thieves posed as customers to steal more than 160,000 consumer records from data broker ChoicePoint.
If the incident were to happen today, it likely would be met with a passing yawn: common hacker play, nothing more than just another headline, only to be replaced by tomorrow's breach, and that one by the next day's. But the ChoicePoint heist remains a landmark incident, mostly because it was the first big breach required to be publicly reported, thanks to a pioneering notification law passed in 2003 in California, known as SB-1386.
After the information theft was announced in 2005, ChoicePoint, acquired three years later by Reed Elsevier, settled with the Federal Trade Commission, as well as 44 states. In total, it paid out some $45 million as a result of the breach, and in the process effectively created a new source of liability for organizations nationwide, one that has grown at lightning speed.
"I think it's an arguable virtual certainty that you're going to be breached," said Jason Weinstein, a Washington, D.C.-based partner at Steptoe & Johnson law firm, which represents corporate clients, in a recent interview with SCMagazine.com. "And if you're breached, it's an absolute certainty you're going to get sued."
That's not to say all of the cases will be successful in court, whether through settlements or outright wins. But while there are no state or federal laws or statutes that specifically address illegality related to data breaches, plaintiffs' attorneys remain steadfast in their attempt to establish working theories of liability and carve out new ground for legal standing.
"Plaintiffs are trying everything they can," said Sasha Romanosky, an associate policy researcher at Rand Corp. who recently obtained his Ph.D. from Carnegie Mellon University in Pittsburgh. "They sue for common law (derived from judicial precedent rather than statute) because there's no single law. There are huge variations in what they're suing for."
Edmund Normand, a civil trial lawyer based in Florida who currently is involved in about a half-dozen lawsuits filed on behalf of data breach victims, said he's finding that state and federal courts are recognizing the potential fallout that could result from breaches and are calling on organizations to step up their protections.
"Now, more than ever, the damage from these data breaches is astounding and limitless," Normand told SCMagazine.com. "And it may not happen today, but you're at risk to worldwide exploitation over decades."
Seeing what sticks
But therein lies the rub. Attorneys representing victims of a data breach – typically customers or employees – generally have met resistance from courts due to their failure to show actual harm (identity theft, fraud, etc.) that is directly linked to the breach in question, Weinstein, who is a former deputy assistant attorney general for the U.S. Department of Justice, told SCMagazine.com.
For example, in 2009, a federal judge dismissed a Missouri man's lawsuit against pharmacy benefit management firm Express Scripts, which sustained a data breach that exposed sensitive customer data. The case was tossed by U.S. Magistrate Judge Frederick Buckles because the claimant, John Amburgy, could not prove that his information was actually used fraudulently.
As a result, lawyers representing plaintiffs increasingly have turned to the legal argument that their clients are at risk of future harm due to the breach.