One of the things that has always been a barrier for people whose data was compromised during a breach is what lawyers call “Standing”. Standing derives from Article III of the U.S. Constitution. The courts have said that there are three requirements for “standing” to bring an action against another – Injury in fact, causation and redressability. I am not going to even try to pretend that I am a lawyer, but basically, it says that you have to suffer harm, that the harm can be reasonably linked to the action of the defendant and that a favorable court decision will reasonably redress the situation (Wikipedia).
For the most part, the courts have ruled that people do not have standing and therefore cannot sue.
In February, the Fourth Circuit Court of Appeals made it harder to show standing by ruling that plaintiffs had to show that the data thieves intentionally targeted the personal information that is stolen in the breach. The decision centers on the hypothetical future harm and whether you were injured. There have been a number of court rulings like this (Fenwick and West).
However, there are more cases that are starting to rule in the other direction. Not overwhelmingly, and ultimately, it will likely have to be decided by the Supremes.
Earlier this week U.S. District Court Judge Lucy Koh ruled that a case against Yahoo due to the breaches in 2013, 2014, 2015 and 2016 can proceed, in part due to the actions of Yahoo in not disclosing for years that the breaches occurred.
Before this is blown out of proportion, Judge Koh is only a District Court judge. On the other hand, she was the presiding judge in Apple v. Samsung and made companies like Adobe, Google and Intel bow to her will, so her opinion is not like that of some guy in a diner.
Verizon, which bought Yahoo, had hoped that this case would just go away, but at least for right now, the case will move forward.
Judicial doctrine takes years, even decades, to create. The doctrine in this case is no different. When it comes to determining standing with respect to the Constitution, it will take time. This is just another building block as the courts continue to figure this out.
When companies reimburse people after a credit card breach or offer them credit monitoring, it is to reduce the injury-in-fact part. This, in turn, makes it harder for people to have standing.
The Yahoo case is a little different. Since they kept the breaches secret for years, didn’t offer to reimburse people and didn’t offer credit monitoring, they did little to reduce the injury-in-fact part. In fact, they didn’t even tell people so that they could do these things themselves.
Companies have to make this particular decision all the time. Do we disclose a breach or keep it secret? Do we endure the bad P.R. or do we hope that word doesn’t get out? In Yahoo’s case, the shareholders got to take a $350 million haircut in the form of a reduced purchase price, along with having to own responsibility for certain legal costs associated with the breach as a result of that decision.
As this case moves forward, other companies will be watching closely. Again, this is just one piece in a very large puzzle.
Information for this post came from Reuters.