X

Thank you for sharing!

Your article was successfully shared with the contacts you provided.
Dear Mr. Rogers: You don’t know us, but we know you. We know where you live. We know your Social Security number. We know your credit card number. We even know what you like to buy with that card number. Unfortunately, now some other people know about you, too. We don’t know exactly how your data were lost — these things happen, you know — or where they went. We aren’t responsible for what the data thieves might do with your personal information. But under law, we have to notify you when this type of loss happens, and now we have. Good luck! Love and kisses, MegaCorp Data Broker When private data are lost, the real notice to consumers sounds more formal (if less frank). But the result is the same: The company goes on with its business. It doesn’t have to compensate those whose private data may be floating around the Internet, and it may or may not adopt adequate security measures for the future. What will prevent an avalanche of future we’re-so-sorry consumer notices? What really inspires a company to improve its sloppy security? Is it more paperwork and regulations — or the threat of a lawsuit and an angry jury? In an economy already awash in government requirements, lawsuits may provide a deterrent effect much greater than the enforcement of additional regulations. That’s something Congress should ponder as it tries to stop companies from losing consumer data. By now, the stories are depressingly familiar. CardSystems Solutions admitted in June that hackers had obtained information on more than 200,000 credit and debit card accounts. This year alone, Citigroup, the shoe retailer DSW, Bank of America, Time Warner, and LexisNexis have also acknowledged security breaches, according to The Wall Street Journal. Because California law requires disclosure of breaches in certain situations, the list of apologetic companies is likely to grow even longer in the future. Alarmed by this pattern of breaches, Congress is moving to act. The House Committee on Energy and Commerce is developing a bipartisan bill to be introduced in September, and Sens. Arlen Specter (R-Pa.) and Patrick Leahy (D-Vt.) have introduced the Personal Data Privacy and Security Act (S. 1332). The bills have much to recommend them. Under the bipartisan Senate proposal, citizens nationwide would receive notice of security breaches, criminals would face higher penalties, and businesses would have to follow additional restrictions on the use of Social Security numbers. The draft House bill would establish a national standard for consumer notification, require companies holding personal data to develop security policies, and order information brokers to submit their security policies to the Federal Trade Commission for audit. But perhaps the most fundamental policy question is whether to deal with sloppy data companies by issuing top-down dictates or adopting victim-driven remedies, chiefly lawsuits. On that question, the congressional bills could profit from an increased appreciation for the merits of private suits over government commands. A NEW PROGRAM? The Senate bill would make companies adopt a new “personal data privacy and security” program. It must include safeguards “appropriate to the size and complexity of the business entity and the nature and scope of its activities.” Likewise, the draft House bill requires companies to adopt security policies. Will this protect the privacy of consumer data? It seems doubtful. Some companies involved in the latest breaches already had policies about data security. Those obviously didn’t do the job. The requirements of the Senate bill would be loose enough — a program merely “designed” to work — that they provide little assurance of success. Similarly, it seems optimistic for the House to believe that FTC audits are going to ensure good practices on the ground. Organizations can adopt policies and comply with formal restrictions without really fixing the underlying problem. Formal policies and practical reality often don’t overlap. It’s easy to draft an emergency action plan to comply with Occupational Safety and Health Administration requirements, for example, but far more difficult to undertake the training to ensure that employees respond safely under stress. The effectiveness of the current proposals also depends on how willing the executive branch is to enforce the law. Even if the Justice Department or the FTC acts vigorously, any fines would go to the government, not the consumer victims. Although the Senate bill authorizes the Justice Department to obtain compensation “on behalf of” the consumers for a company’s failure to adopt a security program, the focus of the bills isn’t on providing compensation to consumers for direct financial losses from data theft, costs of monitoring, time spent cleaning up one’s records, or the intangible harm of knowing that one’s private information fell into the hands of criminals. IT’S A TORT There is an alternative to top-down federal mandates: private tort suits. Already, a class action on behalf of California residents has been filed in that state against CardSystems alleging negligence in data security. According to The Recorder, a sister ALM paper in San Francisco, the big guns of the plaintiffs bar haven’t yet joined in these suits. Yet the negligence claims here don’t seem frivolous: Consumers are foreseeable victims of a company’s loss of their private information, and thus a duty of care seems reasonable. In addition to the negligence claims, one could argue in good faith that the accumulation of private data should be akin to a “dangerous beast” whose keeping brings strict liability under common law for any resulting harm. But while the state suits bring plausible claims, there are good reasons why any tort liability ought to exist on a national level, rather than state by state. The lost data frequently involve instruments of interstate commerce such as credit cards or Social Security numbers, which are within Congress’ legitimate constitutional purview. And the burdens on companies subjected to possibly conflicting tort outcomes in 51 different jurisdictions for the same breach could be significant. If Congress doesn’t address the tort issue, state litigation may essentially moot whatever federal regulations pass. If state juries are awarding significant damages against data brokers, federal requirements for a security program become almost trivial in comparison. State liability will drive what measures businesses adopt, just as California’s notice requirement already has had a nationwide impact. If the upcoming federal legislation doesn’t address tort liability, it may turn out to be largely symbolic, and state courts will effectively set national policy. What might a federal tort entail? The cause of action would be the wrongful loss of consumer information. The standard for liability might be negligence, though Congress might consider strict liability, if only to simplify the judicial costs of administering the tort. A requirement to notify customers of any breaches in data security would still be necessary to allow potential plaintiffs to identify the tort-feasor. The notice requirement should cover all businesses that compile consumer data. Damages are more complicated. Those who can establish extensive actual losses should be able to recover them. But particularly for adjudicating class actions, some form of liquidated damages might be appropriate (possibly $500 per victim, or even the $1,000 amount set under the Fair Debt Collection Practices Act). This would compensate consumers for the heightened risk of identity theft, the costs of monitoring one’s credit reports, the costs of responding to losses, and the nontangible emotional harm from the loss of privacy. But to prevent sympathetic juries from awarding windfalls, no punitive damages should be allowed. To facilitate private enforcement, the statute could allow a recovery of reasonable attorney fees, which should encourage the plaintiffs bar to pursue these suits with far more vigor than might government agencies with many other obligations. FAIR AND FLEXIBLE The advantages of a tort remedy would be considerable. Chief is that the damages would go to the victims, not to the government. Those who were directly injured would be made whole. It also seems fairer to the businesses to tie their punishment as closely as possible to the harms caused. A primary goal of regulation is to force companies to internalize the external costs of their activities. Tort law does so more directly by focusing on those actual costs, rather than politically determined fines. Tort liability also could encourage all businesses to solve the problem of data security. As a July 26 New York Times story suggested, perhaps the greatest vulnerability isn’t with large data brokers, but rather with retailers that have shoddy security practices. If so, the current proposed requirements in the federal legislation that are limited to only certain data businesses might not be especially effective, but a tort applicable to all businesses that store consumer data would work better. Another advantage of tort over regulation is that businesses can bring their expertise to bear on how to best avoid liability. Perhaps drafting a new corporate compliance program to show to regulators isn’t the best solution. Maybe it’s one of the many other ideas that have been floated. Fewer credit card offers in the mail? More use of one-time credit card numbers? More photos on cards or biometric identification? More encryption? I don’t know the best way to achieve data security. Neither does Congress or the FTC. That’s why any statute should focus business efforts on solving the underlying problem. LIKE CASH The risk of facing irate jurors won’t thrill data brokers. But do the data companies (hardly sympathetic parties in these incidents) have a compelling objection? Some scholars associated with the Progress & Freedom Foundation suggest that the market itself can provide optimal incentives for security. They argue that companies that lose information suffer stock declines and that companies, not consumers, bear the majority of the costs of data breaches. So far, however, the market does not seem to be ensuring security or compensating consumer victims. The string of losses within this year alone suggests that market incentives haven’t done the job. And it’s questionable if market forces can protect consumers when those whose data are lost are not direct customers of the data brokers and thus cannot bring much market pressure to bear on them. More generally, as former FTC Commissioner Orson Swindle pointedly observed at a July 22 seminar sponsored by the Progress & Freedom Foundation, companies don’t appear to be treating compilations of consumer data as carefully as they treat large sums of cash. Both are assets of the business, but cash is transferred by armed guards in an armored truck and stored in a safe. In contrast, consumer data might be casually sent through the mail or sent by standard courier services and shelved in a warehouse. What might drive companies to treat data as carefully as they treat cash? Tort liability provides an immediate incentive to do so, one that doesn’t depend on the limitations of government enforcement. So when MegaCorp has to tell consumers “We’re sorry your data have been lost,” at least its notice letter will be followed by a check.
Robert L. Rogers is associate opinion editor at Legal Times . He can be reached at [email protected].

This content has been archived. It is available exclusively through our partner LexisNexis®.

To view this content, please continue to Lexis Advance®.

Not a Lexis Advance® Subscriber? Subscribe Now

Why am I seeing this?

LexisNexis® is now the exclusive third party online distributor of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® customers will be able to access and use ALM's content by subscribing to the LexisNexis® services via Lexis Advance®. This includes content from the National Law Journal®, The American Lawyer®, Law Technology News®, The New York Law Journal® and Corporate Counsel®, as well as ALM's other newspapers, directories, legal treatises, published and unpublished court opinions, and other sources of legal information.

ALM's content plays a significant role in your work and research, and now through this alliance LexisNexis® will bring you access to an even more comprehensive collection of legal content.

For questions call 1-877-256-2472 or contact us at [email protected]

 
 

ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.