By: Charles Simon
In 1984, the credit histories of ninety million people were exposed by theft of a numerical passcode. The code was meant to be dialed through a “teletype credit terminal” located in a Sears department store. The stolen password was posted online to a bulletin board where it existed for “at least a month” before the security breach was even noticed. The New York Times helpfully informed readers that such bulletin boards were “computer file[s] accessible to subscribers by phone.” How did the anonymous hacker crack this code? Well, the password had been handwritten onto a notepad and left in a public space by a Sears employee who found the digits too troublesome to memorize.
Interestingly, while a legal commentator from the ABA had theories about the likely legal harms to consumers and possible liability faced by the credit reporting agency from the hack, simply obtaining unauthorized access to a confidential information system wasn’t yet a crime on its own terms. Legal recourse against the hacker, had they had ever been caught, would have been uncertain given that no mail-order purchases were shown to use consumer data from the Sears/TRW system breach. Two years later, Congress would amend existing law to create the Computer Fraud and Abuse Act of 1986 formalizing the legal harm of cybersecurity breaches, but during this period hacking was generally still considered a hobbyist’s prank.
We’ve come a long way since that time. In 2020, a study funded by IBM Security estimated that the “average cost” of a data breach was $3.86 million. That number is inflated by the largest breaches, but limiting our inquiry to ‘just’ the $178,000 average figure suffered by small- and medium-sized company breaches shows that even smaller hacks can be crippling to business. Breaches of information today can result in serious physical consequences like the loss of industrial controls which govern power grids and automated factories. The healthcare system’s volumes of sensitive patient information make hospitals, insurance providers, and non-profits in the industry extremely attractive targets. Law firms are prime targets for data breach, with sensitive client personal information and litigation documents making for a lucrative prize.
Since 2015, Washington state’s data breach notification laws have required businesses, individuals, and public agencies to notify any resident who is “at risk of harm” because of a breach of personal information. This requirement of notice to customers or citizens affected by an organization’s data breach is mostly accepted among states, but as with other privacy-related rights in the US legal system, there is a patchy history of vindicating plaintiff rights under such laws.
The ruling on a motion to dismiss in a breach of the Target corporate customer database shows a shift in attitudes towards recognizing concrete harms. A broad class of plaintiffs from across the US drew from a patchwork of state notice laws—some of them lacking direct consumer protection provisions or private rights of action under their state law—to argue that Target’s failure to provide prompt notice of the theft of financial data caused harms. What might have once been considered shaky legal ground for a consumer class action claim proved stable enough for a Minnesota federal court to reject the motion to dismiss. The resulting settlement with 47 state attorneys general was a record-setting milestone in cybersecurity business liability.Prompt notice to those affected by a data breach alone is not enough. Many modern statutes now implement standards of care for data security, and may soon begin standardizing other features such as retention and collection limitations (perhaps taking cues from the EU’s General Data Privacy Regulation). Legal scrutiny is certain to intensify as the financial harms—and less tangible harms to the increasingly-online lives—of citizens mount. The proliferation of cyber liability insurance indicates that many businesses see an inevitability to this field of litigation, which is sure to cause development of the law. In this environment, public and private sector lawyers in a broad array of fields must be cognizant of the legal harms that can arise, their organization’s recourses, and the state and federal law they operate under.