By Daniel J. Solove
The recent breach of the Office of Personnel Management (OPM) network involved personal data on millions of federal employees, including data related to background checks. OPM is now offering 18 months of free credit monitoring and identity theft insurance to victims. But as experts note in a recent Washington Post article, this is not nearly enough:
If the data is in the hands of traditional cyber criminals, the 18-month window of protection may not be enough to protect workers from harm down the line. “The data is sold off, and it could be a while before it’s used,” said Michael Sussmann, a partner in the privacy and data security practice at law firm Perkins Coie. “There’s often a very big delay before having a loss.”
The article reiterates something I have long been arguing, that data involved in a breach can be used long afterwards. The article goes on to quote Ed Mierzwinski:
“Credit card numbers and debit card numbers have a short shelf life, because banks figure out which cards are at risk, and people get new numbers without asking for them,” explained [Ed] Mierzwinski. “Social Security Numbers have a very long shelf life — a bad guy that’s smart won’t use it immediately, he’ll keep a hoard of numbers and use them in a couple of years.”
The OPM breach is far worse because it involves background check information, which could be used in ways beyond identity theft and for an indefinite period of time – perhaps for the rest of the victims’ lives.
Courts have often dismissed cases brought for data breaches because courts conclude that the victims suffered no harm. Courts have rejected the argument that the risk of future identity theft, fraud, or other injury is a cognizable harm. For example, in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), a hacker obtained financial information from a company about the plaintiffs, who sued the company. The court dismissed the lawsuit:
We conclude that Appellants’ allegations of hypothetical, future injury are insufficient to establish standing. Appellants’ contentions rely on speculation that the hacker: (1) read, copied, and understood their personal information; (2) intends to commit future criminal acts by misusing the information; and (3) is able to use such information to the detriment of Appellants by making unauthorized transactions in Appellants’ names. Unless and until these conjectures come true, Appellants have not suffered any injury; there has been no misuse of the information, and thus, no harm.
The Supreme Court has consistently dismissed cases for lack of standing when the alleged future harm is neither imminent nor certainly impending. . . . Here, Appellants’ alleged increased risk of future injury . . . is dependent on entirely speculative, future actions of an unknown third-party.
Courts are uneasy with recognizing future harm because it involves too much speculation about the future. Nothing bad might ever happen.
The problem with the type of harm suffered in many data breaches such as the OPM breach is that it often will not materialize within the statute of limitations for most causes of action, which can be just a year or two. The harms from a data breach are often not immediate. They are often hard to trace to a particular breach because the culprits are rarely found and prosecuted.
We need a better way to address the harms involved with data breach. The current approach seems to deny reality and try to treat the harm like it is a cut that needs to be bandaged. But the harm is more akin to an exposure to radiation or a toxic chemical, the effects of which might not be felt until years later.
I’m working on an article about privacy and data security harms with Professor Danielle Citron in which we hope to propose a better way to handle such harms, a way that is practical and fair and that does not unduly penalize the organizations that have incidents or fail to protect the victims whose data was compromised. Wish us luck!
Some of my earlier posts on harms:
- Privacy and Data Security Violations: What’s the Harm?
- Why the Law Often Doesn’t Recognize Privacy and Data Security Harms
- Do Privacy Violations and Data Breaches Cause Harm?
- How Should the Law Handle Privacy and Data Security Harms?
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 900,000 followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 21-23 in Washington, DC), an event that aims to bridge the silos between privacy and security.