The foregoing question will no doubt be one which many readers may ponder in the wake of the reported Equifax data breach, or one which many may have wondered about in the wake of many other similar data breaches which have been announced. The answer however remains, it may very well depend.
On July 29, 2017, Equifax discovered that it had experienced a data breach, some point in time between mid-May and July. The public was informed of the breach on September 7, 2017. According to Equifax, as many as 143,000,000 people may have been affected including some having credit card numbers in addition to “personal identifying information” accessed. “Personal Identifying Information” may include names, birth dates, and social security numbers.
As data breaches become more prevalent so do the lawsuits that they spurn. In general, in order to have a claim a consumer needs to have standing. In other words, a consumer needs to show either a present injury, or a high probability of a future injury. In many data breach cases, a present injury can include fraudulent charges placed on one’s credit card, or the cost of credit monitoring which consumers may purchase to address the breach. However, the bigger concern is often the future risk of identity theft. Indeed, multiple lawsuits have already been filed in the wake of the Equifax data breach raising just these types of concerns.
How the Courts address these issues depends in large part on what actions the consumer or class representatives may have taken, and additionally, exactly what information was divulged. In Whalen v. Michaels Stores, a decision from the Second Circuit Court of Appeals released in May of this year, the Court concluded that Mary Jane Whalen did not have standing to pursue her action against Michaels. Whalen had complained that her credit card information had been stolen, and used twice in attempted fraudulent purchases, that she faced the risk of future identity fraud, and had lost time and money resolving the attempted fraudulent charges in monitoring her credit. However, the Court noted that there was no particularized injury suffered from the attempted purchases. She didn’t pay for any fraudulent charges, and because her complaint did not allege release or disclosure of any personal identifying information such as a birth date or social security number, the Court did not find that she could plausibly face a threat of future fraud or future identity theft.
In contrast, on August 1st of 2017, the United States Court of Appeals for the District of Columbia held in Chantal Attias v. Carefirst, Inc. that a health insurer’s breach which resulted in disclosure of personal identifying information could constitute a substantial risk of identity theft. Although no instances of identity theft were yet demonstrated, the United States Court of Appeals for the District of Columbia quoted a Seventh Circuit decision involving Neiman Marcus Group, LLC for the observation that “why else would hackers break into a … data base and steal consumer’s private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers identities.” Remijas vs. Neiman Marcus Grp., 794 F.3d 688, 693 (7th Cir. 2015).
These decisions illustrate the fact sensitive nature of claims arising following data breaches, also highlight the need for company’s who collect and store personally identifiable information to be proactive in their enterprise risk management, whether that be in dedicating the appropriate time, energy and resources to cyber security, or, on the other end, addressing their potential exposure through obtaining appropriate cyber security insurance. For individuals, vigilant credit monitoring is a must. Personal Information must always be protected, and credit freezes may prevent new accounts from being opened. Credit freezes are requested through Transunion, Experian or Equifax, and Equifax is currently waiving their fee.
In the context of data prevention, Benjamin Franklin’s adage that “an ounce of prevention is worth the pound of cure” surely seems to be applicable.
[To determine if your personal information may have been compromised in the Equifax breach, visit www.equifaxsecurity2017.com/potential-impact/]
If you have any questions on how to address your company’s exposure to data breach liability, don’t hesitate to contact Michael W. Sandner or any of the attorneys at Pickrel, Schaeffer & Ebeling.