2014 has been an important year not only for privacy breaches, but for victims of privacy violations. Although there have been more data breaches than ever before, disproportionately targeting U.S. consumers, there are few legal remedies left for victims of privacy breaches to pursue, thanks to the U.S. Supreme Court. Last fall, the Court issued a landmark decision on privacy rights, changing the landscape of the legal rights for victims of privacy violations. In the year that has passed since then, despite increases in the frequency and severity of data breaches involving consumer financial, health, and private data, consumer privacy rights, however, have eroded.
The current U.S. Supreme Court, led by Chief Justice John Roberts, has been criticized for issuing more anti-consumer opinions than any previous court in nation’s history. Among the battery of its opinions issued in the last couple of years (which, among other decisions, awarded large corporations an unprecedented right to contribute to campaign elections, approved the elimination of class actions through forced waivers, toughened the standards for employees’ discrimination, retaliation, and wrongful termination claims, expanded the political clout of the nation’s wealthy election donors by lifting campaign contribution limits, and gave large pharmaceutical companies immunity for manufacturing defective drugs), the Court also issued a landmark ruling in a case involving Amnesty International (Clapper v. Amnesty International) that has had wide implications for victims of privacy breaches.
In Clapper, the U.S. Supreme Court essentially ruled that in order for consumers to bring legal claims for violations of their privacy resulting from mass data breaches, they have to show they have suffered financial damage of some kind. This would include, for example, the cost of credit monitoring services, unauthorized changes, etc. Since it was decided, federal courts across the country have tossed out nearly all mass data breaches based on Clapper. This includes the data breach lawsuits involving Barnes & Noble (2012 data breach of customer payment information at 63 stores nationwide), Trustwave Holdings (2012 breach of 3.6 million social security numbers and other records on the South Carolina Department of Revenue); Adobe Systems (2013 breach involving 38 million users), Nieman Marcus (2013 breach involving 350,000 customers’ payment data) the SAIC (involving personal and medical information for 4.7 million members of the U.S. military). Clapper is expected to be used to tear down the class actions brought involving the largest data breaches to date, involving Target (110 million records), Home Depot (58 million) and others. For privacy breaches involving companies whose clients are forced to sign agreements in connection with the company’s product or service (i.e., wireless cell phone carriers such as AT&T Mobility, which suffered a massive data breach in June, 2014), consumers have even less rights. This is due to another U.S. Supreme Court opinion (Concepcion v. AT&T Mobility) approving the practice of forcing consumers to waive constitutional rights to a court or jury, often using tiny fonts buried in long subscriber agreements, which are rarely ever read, and for which consumers have no option to modify or negotiate.
The problem with Clapper is that it basically impossible for anyone to prove (or even allege) that they suffered “actual financial injury” when it comes to privacy claims. Unless the victim tracks down the perpetrator, discovers unauthorized charges on credit cards or billing statements, receives bills/invoices for unordered products/services, or incurs the cost of credit-monitoring services, Clapper ensures that consumers have few if any avenues of recourse left when made the subject of a mass data breach. Further, because it is not possible to impute one victim’s financial loss to each and every other victim, the U.S. Supreme Court’s decision in Clapper seems to ensure that the universe of individuals able to assert privacy claims at all will remain extremely small.
The U.S. Supreme Court’s reasoning necessarily rests on the value proposition that consumer data is intrinsically worthless. If that were really the case, would companies like Facebook, whose primary assets or products consist of consumer data, have gathered enough gusto to raise millions of dollars of investment funding or reach the point of an initial public offerings? The notion that private data has no value is also inconsistent with the reality of consumer data in light of the large black market that exists for its purchase and sale internationally. Consumer data is regularly bought and sold, fetching high numbers at that. In February, 2014, BBC confirmed that a memory stick containing the personal data of 2,000 Barclay’s customers was stolen and sold “as worth millions on the black market.” In June, 2014, a review of YouTube revealed dozens of videos selling stolen credit card information pilfered through the various data breaches involving blue chip companies that occurred during the earlier part of the year. News reports have confirmed that stolen consumer data is regularly on sale, including information from the data breaches involving P.F. Chang, Target, Home Depot, and others. According to research by Javelin Strategy and Research, selling stolen customer data netted $18 billion in 2014. So if consumer data is being sold on the black market for millions and billions of dollars, why has the U.S. Supreme Court held that the disclosure of private information is worthless unless the consumer has incurred some separate financial loss?
Digging deeper, it appears that the U.S. Supreme Court’s rulings have only impaired consumer rights. State and governmental agencies with enforcement power to pursue administrative actions in connection with privacy breaches have been totally unaffected. In fact, enforcement and corrective actions by the Office of Civil Rights and the Department of Health and Human Services have exponentially grown 1,300% in the past 10 years. In 2014, for example, OCR/HHS investigated 4,463 breaches involving medical information, which resulted in 3,470 corrective actions, as compared to only 339 investigations and 260 corrective actions in 2004. In the past year alone, OCR/HHS has obtained at least $10 million from investigating and fining facilities involved with the breaches of medical information, and the privacy-enforcement business appears to be booming. Jerome Meites, chief regional civil rights counsel at HHS made remarks to the American Bar Association’s recent conference in Chicago, telling attendees that the past 12 months of enforcement will “pale in comparison” to what HHS plans to pursue by way of enforcement actions in the next 12 months.
Connecting all the dots, there is no doubt that consumer data is not worthless, and mass privacy breaches of consumer financial or medical information do result in quantifiable damages to the consumer. Nonetheless, consumer privacy rights seem to have been marginalized in a manner unmatched as compared to other rights. There appears to be no other type of mass injury in the legal world for which governmental agencies are permitted to pursue enforcement actions to recover millions of dollars of fines, but for which the victims of such wrongs are left without any meaningful civil remedies at all. Antitrust violations, price-fixing, securities fraud claims, false advertising, deceptive trade practices claims, employee no-hire/no-poach claims, food and drug litigation, and dozens of similar types of claims all allow for the affected individuals to bring civil claims against the perpetrators, regardless of whether governmental actors are successful or not in pursuing separate administrative fines and penalties.
Privacy breaches are not going away. In fact, they are predicted to swell in magnitude, intensity, extent, and number of consumers affected. Whether the victims of these data breaches will have any legal remedies left, on the other hand, remains yet to be seen. For the time being, the Justices presently sitting on the U.S. Supreme Court are going nowhere.