What do a “smart” TV, a casino fish tank, and a talking teddy bear have in common? They have all been used, over the past year, to steal people’s personal information.
It is no secret that large-scale data breaches have become increasingly prevalent in the last several years. In the first half of 2017, there were reportedly “a record 791 data breaches in the United States, up 29 percent from the same period a year earlier.” Tiffany Hsu, “Data Breach Victims Talk of Initial Terror, Then Vigilance,” (Sept. 9, 2017). From Yahoo, which exposed account details, names, and personal information associated with its three billion accounts, to Equifax, which revealed highly sensitive financial information relating to 143 million consumers (Seth Fiegerman, “The biggest data breaches ever,” (Sept. 7, 2017)), the scale and scope of these breaches seem to grow larger every day. Concerns about “Nigerian Princes” gaining unauthorized access to our bank accounts now seem quaint.
Perhaps one cost of our increasingly interconnected online existence is increased vulnerability to cyber-criminals, who make a living exploiting weaknesses in the firms and devices we trust with our sensitive personal information. Cyber-criminals can use such information to open fraudulent accounts, claim tax refunds, and even set up sham companies in their victims’ names. One analysis indicated that, in 2016, more than 15 million Americans were victims of such identity theft, at a cost of some $16 billion. In response to these kinds of threats, many companies have increased cybersecurity spending and developed robust cybersecurity policies. E.g., Helen Reid, “Cyber security stocks rise in wake of global ‘ransomware’ attack,” (May 15, 2017). But what happens when those defenses fail, or worse, when companies don’t bother with them at all?
Despite the severity of the potential harms in these cases, and the need to protect consumers, private individuals have had mixed success recovering damages from companies that expose their sensitive information to cyber-criminals. As in any case, plaintiffs in these actions must demonstrate that they have standing, as well as a substantive basis for relief. Plaintiffs who know that their sensitive information has been exposed, but who cannot point to any particular instance of identity fraud, may find their claims dismissed for lack of a “certainly impending” injury sufficient to confer standing. See Whalen v. Michaels Stores, 153 F. Supp. 3d 577, 583 (E.D.N.Y. 2015) (dismissing claim because the risk of further harm from exposure of sensitive information was not a “certainly impending” injury).
Courts in several recent cases have struggled with this issue, recognizing the potential tension between the constitutional requirements of standing and the increasing need to protect the personal information of individuals. A recent decision from the Southern District of New York examines that balance and the scope of a company’s duty to protect the sensitive information of its employees and customers. It is worth a closer look.