Identity Theft Legal Damages
Must a data holder pay money if it is the victim of a data compromise? To that question the Connecticut Attorney General has a novel answer.
Background on Legal Liability
Few judicial decisions hold data holders liable for damages suffered by data subjects after a security breach. The best example of such a decision is Bell v. Michigan Council 25 AFSCME [Michigan Ct. of Appeals, unpublished op. 2/15/05]. It held a small labor union accountable to members who became victims of identity theft after a thief stole their Social Security Numbers (SSN) and other data from the union. The damages amounted to approximately a quarter million dollars.
That result required the union members to go to court and prove negligence.
Sometimes state legislatures enact a law that specifically requires a data holder to pay the costs of others in the wake of a breach. A good example of such a special law is Minnesota’s HF 1758 (Plastic Card Security Act), which sometimes requires credit card merchants to reimburse the costs of card issuers when they replace cards after a breach at the merchant.
Politician Demands Liability ... and That's Not Necessarily Good or Bad
Now, in a breach at Countrywide Financial Corp (owned by Bank of America), the Connecticut state attorney general seeks liability without the support of a court decision or special legislation. He did not sue in court.
It appears the AG has simply demanded, in public, that Countrywide agree it will compensate anyone hurt by the breach. Countrywide is a large company, vulnerable to public pressure like this. Countrywide has agreed, and the AG is seeking to get that agreement in writing.
A state attorney general is a politician charged with advancing the interests of consumers. Here, Attorney General Richard Blumenthal is doing that not through traditional legal proceedings, but through his bully pulpit.
Background: Countrywide suffered a breach when an employee downloaded records on as many as 2 million Countrywide customers/prospects and offered them for sale to mortgage brokers who wanted them for sales leads. E. Scott Reckard, “Mortgage firm Countrywide, in response to alleged data breach, offers free credit monitoring,” Los Angeles Times, Sept. 10, 2008. Countrywide says it has no evidence that anyone has suffered identity theft from this incident.
Update: The expansion of legal liability for compromises of e-data security will be a deterrent to the adoption of electronic medical records (aka personal health records or PHRs). As the new Obama administration promotes electronic healthcare records, doctor's offices and clinics will have reason to resist. The reasoning of medical offices could go like this: "The Department of Heath and Human Services says that if I implement e-patient records, I must implement reasonable safeguards to protect patient data. The implication is that if I make a mistake, I could be forced to pay money. Why should I expose my business to punishment by innovative privacy advocates like the Connecticut Attorney General? If a hacker invades or breaks into my e-records, an aggressive consumer advocate, like a plaintiff lawyer, might find a novel way to hold me liable. I'm better off with paper. If someone abuses my old-fashioned paper records, there is unlikely to be an audit trail of the incident (i.e., a smoking gun electronic log showing that the wrong person opened the file). Furthermore, the compromise of paper records is less sexy and newsworthy than the hacking of electronic records. Consumer watchdogs like the Connecticut AG are less likely to make a big deal out of a garden-variety story about an unauthorized person looking at paper records in a manila file folder." The federal government has not yet proposed measures for protecting the security of PHRs. Ben Worthen, "New Epidemic Fears: Hackers," Wall Street Journal, Aug. 4, 2009.