Victims of Data Security Breaches Left High and Dry
As the number of data security breaches continues to increase, and the number of persons who have had their personal information exposed reaches over 100 million, you would think these victims would have some remedy for the time and effort they have to go through to get their lives back in order. Yet the cases have uniformly held that they have no remedy against the companies which, due to lax security, allowed cybercriminals to get into their systems and rummage around in the personal information stored there.
The latest case is Pisciotta v. Old National Bancorp., 2007 WL 2389770 (7th Cir. 2007). In that case, the plaintiff claimed that the hosting facility for a banking website had been hacked into and the plaintiff’s personal information was potentially stolen. The plaintiff sued, claiming that the lack of security caused plaintiffs [the suit was a class action] “to suffer substantial potential economic damages and emotional distress and worry that third parties will use [the plaintiffs’] confidential personal information to cause them economic harm, or sell their confidential information to others who will in turn cause them economic harm.” The plaintiff claimed damages because they “incurred expenses in order to prevent their confidential personal information from being used and will continue to incur expenses in the future.”
The trial court dismissed the action for failure to allege any compensable damages, and the Seventh Circuit affirmed. This case is in line with a growing string of decisions holding that the victims of identity theft do not have a claim unless and until they can prove actual damages, and that those damages flowed from the specific security breach at issue. What is a victim to do?
Specific legislation may be needed to address this issue. At a minimum, the company should be responsible for paying for credit monitoring services for at least a reasonable period of time, and if some victims suffer actual losses during that time, the period of credit monitoring should be extended. The law should also ease the burden on the plaintiff of establishing causation, since as it is, the victim would need to prove not only actual damages, but also that the damages were proximately caused by this security breach (and not a different breach). It might be reasonable to shift the burden to the defendant to prove that there was another security breach that might have caused the damages before allowing the defendant to avoid liability.
If such legislation existed, it is reasonably certain that insurance companies would step in to provide corporations with coverage of the credit monitoring costs and damages in the case of data security breaches. And in doing so, the insurance companies would require that clients implement adequate security procedures to minimize the risk of break-ins in the first place. As it is, since companies have little risk of liability for data security breaches, they have limited incentives to spend more money to improve their data security.