The 200 million registered voters whose personal details were compromised in a massive data breach face an uphill battle should they choose to petition for a class-action suit or seek recompense for the exposure.
The breach has been attributed to a misconfigured database managed by Deep Root Analytics (DRA), a data analytics firm contracted by the Republican party during the presidential campaign. The data included names, dates of birth, home addresses, phone numbers, and other details for registered voters from both political parties.
When asked if those affected might have any recourse, Everett L. Monroe, an attorney at Hanson Bridgett, a law firm with more than 150 attorneys in offices throughout California, told SC Media that the outcome is not certain.
"Affected people may not have a clear way to get recourse because most laws about data security and data breaches don't contemplate the kinds of harms we will see from what happened here," Monroe said. "Some states have laws requiring that businesses have reasonable security measures in place to protect personal information, but those laws are generally directed toward financial harms like identity theft. The information here, while many would consider it sensitive, probably wouldn't be subject to those laws."
Other tort causes of action, like invasion of privacy or publication of private facts, often requires that the information either be obtained in an improper manner or not be publicly available," he told SC. "It sounds like the exposed information was collected from publicly available sources, which makes it difficult for individuals to successfully sue on those grounds."
And when pressed on whether there are regulations on the books to penalize offenders who don't secure their systems, Monroe pointed to gray areas and ambiguities in the various state laws.
Some key findings
93% will use sensitive data in an advanced technology environment this year
63% of enterprises are using advanced technologies without securing sensitive data
59% of respondents voiced worries about security breaches from attacks targeting cloud service providers
– 2017 Thales Data Threat Report, Advanced Technology Edition
"A number of states have requirements that businesses implement reasonable security measures to protect personal information, typically enforceable by the Attorney General of the state, but (as above) those laws are not typically designed to protect the kind of data exposed here," he told SC.
In addition, he said, the Federal Trade Commission and other, more specialized federal agencies do have some data security requirements. "But it is not clear to me that any of those federal agencies would have the authority to pursue this kind of incident."
Monroe said he would not expect class action suits to follow. "I don't see an easy way forward for those class action suits because I can't think of a legal recourse that quite fits the injury," he said. "Finding a viable class action suit for something like this will be cramming a square peg into a round hole."
Judy Selby, national lead of cyber insurance and data privacy in BDO's Technology Advisory Services practice, agreed that the inconsistencies in applying various state laws to the data breach make prosecution problematic.
The question of what recourse do the people affected have can't be answered in a vacuum, she told SC, because it is largely a matter of state law. "Different states have different laws concerning voter information, and some voter information is considered public, while other information may be considered confidential."
It also likely depends on whether there was any unauthorized access to the information, Selby said. "Another factor will be whether any relevant law or regulation prescribes how protected voter information should be stored and secured. It will be important to identify the states the affected voters were registered in, and determine if and how those states' laws or regulations would apply."
Slawomir Ligier, SVP of engineering at Skyhigh Networks, told SC that voter registration data breaches have become commonplace, but they have never been more dangerous. "With third-party data analytics companies creating individual profiles for every voter, a breach can leak information down to an individual's stance on specific policies. Factoring in the threat of foreign interference in domestic elections, keeping voter information safe becomes an element of democratic infrastructure."
However, he added, Deep Root may not face significant repercussions in the current environment. "The organization claims the data was publicly available, and only some U.S. states have laws regulating voter information," Ligier said.
In contrast, he pointed out, the EU has recently taken steps to crack down on careless data protection practices with the General Data Protection Regulation (GDPR), taking effect in a year. "The law sets harsh fines for any loss or unauthorized sharing of data on an individual, designed to make companies think twice about collecting information they cannot protect. This breach may leave U.S. citizens wondering when their GDPR will arrive.”