In the privacy world, few questions are as fundamental and pervasive as “what constitutes privacy harm?” Scholars continue to debate what it means to suffer a privacy injury and policymakers grapple with the parameters for a risk based framework, with some calling for reducing “the focus on data collection and the attending notice and consent requirements, and focus(ing) more on a practical assessment of the risks (and benefits) associated with data uses.” Yet even as these discussions take place, high-profile data breaches continue to hit the newsstands; class-action lawsuits follow; the Federal Trade Commission (FTC) and state attorneys general launch enforcement actions, and consumers complain in record numbers to federal and state regulators. The question of which breaches are actionable and what harms are compensable is more important than ever.
The definition of privacy harm has always been a moving target—and already this year the mark may have shifted again. Recently, in Curry v. AvMed, Inc., a Florida federal district court approved a $3 million class-action settlement believed to be the first of its kind: one that compensated victims of a data breach without a claim for realized financial harm. The case reflects an evolution in the notion of consumer privacy “harm” that is taking place both in the courts and through the FTC.
Curry v. AvMed
The AvMed case features a fairly common data breach scenario: In 2009, two company laptops were stolen from a health insurer’s corporate offices. The laptops, which were then sold to a dealer in stolen property, contained unencrypted personal information of 1.2 million insurance customers including names, contact information, Social Security numbers and sensitive medical data.
At its outset, litigation took a standard course: A district court initially dismissed the case for failure to state a cognizable injury. However, in September 2012, the 11th Circuit reversed, concluding that a claim of “actual identity theft arising from a data breach” causing monetary loss states sufficient injury for standing purposes and also finding a plausible connection between the breach and the plaintiffs’ instances of identity theft 10 and 14 months later. The case could have continued on negligence, contract and breach of fiduciary duty theories; however, the parties reached a settlement agreement in October 2013.
Importantly, the circuit court also approved potential recovery based on a theory of unjust enrichment even for class members who did not experience identity theft but who paid premiums that were intended to contribute to the costs of adequate data security. As it stands, two distinct classes can claim from the $3 million settlement fund: a “Premium Overpayment Settlement Class,” comprising “all current or former AvMed customers who, prior to December 2009, paid AvMed for insurance, and whose sensitive personal information was contained on the laptops” and an “Identity Theft Settlement Class” for “all current or former AvMed customers who … suffered identity theft and incurred unreimbursed losses as a result.” Thus, the former class consists of individuals whose harms have not yet materialized, at least not in a pecuniary sense.
Harm in the Courts
AvMed’s recognition of injury to consumers without direct financial losses reflects a broader, ongoing dialogue between U.S. courts. Although some commenters question the sensibility of class-action lawsuits as a vehicle to remediate consumer privacy violations, they remain one of the primary means by which individual consumers seek redress for data breaches. The stakes for class-action litigants are particularly high, as companies face both public relations and settlement costs. Accordingly, the notion of privacy “harm” is particularly developed in these cases.
The first bar that data breach victims face in bringing a suit is demonstrating that they have suffered a concrete “injury-in-fact” and thus have standing to sue. While courts have recognized “economic” and “aesthetic” injuries for the purposes of standing, injuries that are too speculative or abstract are routinely refused. For many data breach victims who may learn about the loss of their personal information long before their data is actually used against them—or can be proven to have been used against them—this has often proved a frustrating bar to recovery.
However, as academics have noted, “while courts generally have refused to recognize the increased threat of identity theft as a cognizable injury for standing purposes, a few have recognized that, in certain circumstances, the lack of a fraudulent use is not an absolute bar to a claim.” Indeed, the circuit courts are split: The First and Third Circuits consider the increased risk of future identity theft arising from a data breach to be too hypothetical, whereas the Seventh and Ninth Circuits will recognize an allegation of future harm if there is “danger of sustaining some direct injury” that is “both real and immediate”—such as identity theft.
Even if an alleged privacy violation constitutes “harm” that is sufficient to get a data breach victim’s foot in the courtroom door, it may not be enough to see them through to a favorable judgment. Indeed, demonstrating that a data breach has caused compensable damages is often a heavier burden for data breach victims. While credit card companies and financial institutions often cover actual fraudulent charges, data breach victims may face additional financial costs. As the InfoLawGroup notes, in AvMed these included “being forced to spend money to place alerts with credit reporting agencies and to contest fraudulent charges; e.g., cellular telephone minutes, postage, travel-related costs … being forced to spend money on an ongoing basis for a subscription to an identity theft protection service and … missing work, incurring lost wages and suffering a loss of goodwill at work to spend time meeting with the police to report and attempt to remedy the effects of the identity theft.”
Even victims of a data breach who have not suffered identity theft may expend significant time, energy and resources protecting themselves against it, often for years after the breach, as well as living with the fear and emotional distress of vulnerability to a future attack. Such damages are difficult for courts to adequately calculate or compensate, often leaving victims without any judicial redress.
Harm in the Commission
While the courts continue to grapple with the definition of consumer privacy harm on a case-by-case basis, the FTC is engaged in its own discussions over what constitutes “harm.” As the U.S.’s primary privacy and data security regulator, with broad enforcement powers and statutory authority, the agency’s determination of consumer privacy harm could carry more immediate weight for businesses than isolated class-action suits.
The agency’s definition of harm is linked to its statutory unfairness authority under Section 5 of the FTC Act. An act or practice is “unfair” only if it, among other things, “causes or is likely to cause substantial injury to consumers.” In 1980, the commission published a Policy Statement on Unfairness clarifying, “The commission is not concerned with trivial or merely speculative harms. In most cases a substantial injury involves monetary harm … Unwarranted health and safety risks may also support a finding of unfairness. Emotional impact and other more subjective types of harm, on the other hand, will not ordinarily make a practice unfair.”
However, as business practices and technologies have evolved—and consumers’ expectations of privacy along with them—the FTC has begun to recognize a broader range of privacy harms suffered by consumers. Speaking at the Silicon Flatirons Conference this year, FTC Commissioner Julie Brill noted that “the line between concrete and abstract has been blurring. I think that there are harms that I clearly have thought were concrete enough to bring action against under the FTCA, but perhaps others might not have thought that to be the case, say 20 years ago.”
Brill pointed to data breaches leading to the disclosure of sensitive health information, which “doesn’t lead to the same kind of financial harm that disclosure of like credit card information can lead to, but … we brought as an unfair act because it’s considered to be highly sensitive information.” She also pointed to a series of consent decrees that introduced nonmonetary, abstract, autonomy and dignitary-based harms, such as DesignerWare. In that case, rent-to-own companies utilized built-in security software, webcams and keyloggers to spy on renters, an “unwarranted invasion into their homes and lives and its capture of the details of individual and family life … Sharing these images with third parties can cause consumers financial and physical injury and impact their peaceful enjoyment of their homes.” As Brill explained in DesignerWare, “It was clearly nonmonetary harm. It was clearly a statement by the commission that this invasion of personal space and essentially spying on consumers, unbeknownst to them, or not reasonably known to them, was problematic.”
Accordingly, while for unfairness purposes the FTC, like the courts, still bases its definition of consumer privacy harm on concrete damages, it has increasingly recognized and brought enforcement actions on the basis of more subjective harms. Indeed, in the case of Accusearch, these two evolving strains of “privacy harm” briefly united. In that case, the FTC asserted—and the 10th Circuit recognized—injuries arising from the risk of “being stalked or otherwise harassed” or incurring “substantial costs in changing telephone providers to prevent future privacy breaches.” Predating AvMed by five years, Accusearch nevertheless mirrors this most-recent class settlement in providing redress even on behalf of victims of a privacy violation who had not incurred direct monetary damages.
The Next Evolution
While courts and the FTC may be accepting more abstract privacy harms as a basis for redress, consumer complaints remain overwhelmingly dominated by concrete injuries. In its 2013 report on consumer complaints, the FTC announced that 290,056, or 14 percent, of the complaints it had received last year were related to identity theft and that 30 percent of those “were tax- or wage-related, which continues to be the largest category within identity theft complaints.” Additionally, the agency reported 1.1 million fraud complaints, in 61 percent of which consumers reported they had paid money to fraudsters, representing $1.6 billion lost. Clearly, redressing direct financial injuries—including those arising from privacy violations and data breaches—remains a top priority for litigants and regulators alike.
However, as data breaches can impact millions of consumers at a time—consider the 70 million exposed in the Target data breach or even the 1.2 million in the AvMed case—consumers’ ability to recover for non-financial privacy harms, or even simply the increased risk of a privacy harm, means that practitioners should keep an eye on both the commission and the courts. Class-action suits and consent decrees may bind only the parties that enter into them, but they often set the stage for future actions. Whether or not AvMed is the beginning of a pro-plaintiff trend, it is clear that the question “what is a privacy harm” still has no concrete answer.
Editor’s Note: For an analysis of ten top FTC enforcement actions in this space, see the Westin Research Center’s FTC Casebook: First Look.