For the past few years, federal courts have grappled with whether a plaintiff whose personal information has been hacked has experienced the type of “injury” that gives the plaintiff standing to sue. The debate has hinged mostly on courts’ perceptions of the likelihood that the hack will result in identity theft. For some courts, it’s obvious that the breach of someone’s personal information materially increases the likelihood that the person will be the victim of identity theft. As the Seventh Circuit put it in the Neiman Marcus case: “Why else would hackers break into a . . . database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” Other courts have been more skeptical.
But maybe the Equifax hack will change the terms of the debate. That hack, of course, disclosed the personal information of roughly 143 million Americans and a handful of Britons. If you’re one of them, your information is floating around the dark web. There’s no unscrambling the egg. So for future hacks, maybe there’s a new standing question: Has a plaintiff experienced any incremental harm from the hack?
Example: Just a few weeks ago, the D.C. Circuit held in the CareFirst case that disclosure of a plaintiff’s social security number—plus some other data, including health information—could give the plaintiff standing. The theory was that mere disclosure put the plaintiff at materially greater risk for identity theft. The Sixth Circuit adopted much the same reasoning last year in the Nationwide case. But if those same hacks happened again today, it seems that the legal result might be different. Because after the Equifax hack, it’s harder to see the harm from the mere disclosure of, say, social security numbers. Or at least, it’s harder for potential plaintiffs whose social security numbers already had been disclosed in the Equifax hack.
There’s a procedural aspect, as well. Suppose courts no longer think that the disclosure of mere social security numbers constitutes a cognizable harm. How do they certify a victim class? Do they have to authorize discovery into each victim and whether that victim’s information already has been disclosed in the Equifax hack . . . or some other hack? Must they authorize discovery into any additional information disclosed in the hack—maybe something beyond mere social security numbers, maybe some other really sensitive stuff? Class certification suddenly seems harder. And if data breach actions are no longer viable as class actions, the whole dynamic changes.
Whatever the answers to these questions, it seems that the Equifax hack may fundamentally reshape the way data breach cases are litigated.