After the string of data breaches that affected Target, Neiman Marcus and other retailers, the security vulnerability of Big Data has come under scrutiny. The proliferation of data breaches also has banks, retailers, credit card companies, regulators and others all asking one question: How do we solve the data breach problem?
On Friday, February 21, at the Maine Law Review 2014 Privacy Symposium, Capital University Law Prof. Dennis Hirsch suggested we look to environmental law to find an answer. At the symposium, Hirsch presented his forthcoming paper “The Glass House Effect: Big Data, Oil Spills and the Need for Clean Data Technology,” which suggests the legal and policy solutions used to reduce oil spills may provide a framework for reducing data breaches. While Hirsch admits the paper’s recommendations are “intended (to be) provocative suggestions (rather) than full-fledged proposals…to spark creative thinking about solutions,” it’s worth evaluating at least two of his suggestions.
Recognition of Noneconomic Harm
Hirsch begins by explaining that commercial fishermen and owners of businesses relying on beach tourism, whose livelihoods were devastated by oil spills, could not sue for damages until the passage of the 1990 Oil Pollution Act, which created new causes of action for damage to economic interests. Prior to the passage of the Oil Pollution Act, the law only provided recovery for damage to property. Hirsch then suggests that similar legislation recognizing noneconomic damages created by data breaches could help solve the data breach problem.
In data breach litigation, plaintiffs often struggle to prove harm because many courts are reluctant to recognize the risk of future damage as an injury. This struggle is particularly difficult for plaintiffs in federal court, who must demonstrate a “concrete and particular harm” that is “actual or imminent” to satisfy the injury-in-fact standing requirement. Plaintiffs who cannot show that the data breach resulted in identity theft or fraud are likely to have their cases dismissed for lack of standing, even if they have noneconomic harms like emotional distress or embarrassment due to the release of sensitive data like HIV status.
For years, federal circuit courts split on how to handle plaintiffs’ allegations of an increased risk of harm after a data breach. The First, Seventh and Ninth Circuit Courts had found an increased risk of future harm sufficient for standing, while the Third Circuit had not. In 2013, however, the U.S. Supreme Court held in Clapper v. Amnesty International that plaintiffs must show that the threatened harm that establishes their standing to sue for prospective relief is “certainly impending,” not merely “possible.” Even when plaintiffs can satisfy standing requirements, they often struggle with showing compensable damages, as courts traditionally calculate relief by demonstrated monetary losses.
Given that most plaintiffs sue based on an increased risk of future harm, it may be necessary for Congress to pass legislation that recognizes that increased risk is harm in and of itself. Without such legislation, it will remain difficult for consumers to successfully bring data breach actions to recover for the full range of injuries—including noneconomic harms—they may sustain as a result of the data breach. Outside of the courts, there are few other means of personal redress for data breach victims, so it is important that consumers have a fair opportunity to have their cases heard. Further, an increased risk of successful litigation provides an incentive for companies to take additional measures to protect themselves against a data breach.
The judiciary has largely shaped the notion of what constitutes harm or injury in the context of a privacy violation like a data breach, while social norms and new technologies have shaped consumers’ notions of harm. Those notions don’t fit neatly within the statutory framework that currently exists for privacy violations. Hirsch’s suggestion that Congress redefine harm as it relates to data breaches deserves consideration because consumers’ notions of privacy have shifted. Further, if privacy laws exist to protect consumers, perhaps legislation should take account of consumers’ notions of privacy.
Privacy by Design Mandate
Next, Hirsch explains that oil transporters operating in U.S. waters were also required by the Oil Pollution Act to use a double-hull design, an environmentally friendly design that significantly reduced the chance of an oil spill. He later suggests that legislation could be used in a similar fashion to require “information-intensive firms” to employ Privacy by Design.
Privacy by Design is an approach to protecting privacy that incorporates privacy protections into the design of systems, processes and products at each stage of development. However, simply legislating that companies adopt a particular approach to information protection would likely yield widely varying results and would be difficult to monitor and enforce.
A statute requiring the use of Privacy by Design would likely be either too vague or too specific to bring about meaningful, sustainable change. Such a statute would need some flexibility, because technology is rapidly changing and methods appropriate to protect consumer information vary depending on a number of factors, including the type of information. Too much pliancy, however, could lead to a situation where an organization has a good-faith belief that it has implemented Privacy by Design without providing the privacy protection contemplated.
On the other hand, if the statute’s standard were more rigid, the method prescribed could be rendered obsolete by changes in technology or business models. As a result, it would be difficult for Congress to mandate any meaningful privacy or security standards by statute. To avoid such problems, the Federal Trade Commission, for example, has traditionally refused to prescribe particular technical standards for comprehensive privacy and security programs. Additionally, mandating privacy and security standards may decrease an organization’s incentive to improve upon its privacy practices or develop data security technologies that go beyond the statutory standard. Moreover, Hirsch’s suggestion that Congress adopt legislation requiring “information-intensive” firms to utilize Privacy by Design may neither yield enhanced privacy protection nor reduce the incidence of data breaches.
Nevertheless, there are alternatives to legislation that could incentivize companies to implement and maintain privacy and security measures that reduce their risk of suffering a data breach. For example, in February, the Obama administration launched the Cybersecurity Framework, a voluntary how-to guide for organizations in the critical infrastructure community to enhance their cybersecurity. According to the White House, “The Framework enables organizations—regardless of size, degree of cybersecurity risk or cybersecurity sophistication—to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.”
The Cybersecurity Framework was developed by the National Institute of Standards and Technology, with extensive input from businesses and industry experts. This approach is favorable because government-industry collaboration sets the foundation for future cooperation and facilitates greater accountability and buy-in among industry stakeholders. Further, collaborative efforts such as this often yield balanced standards rather than standards that favor either public or private interests. Another benefit of avoiding the legislative process is that the resulting code of conduct can be updated and modified more quickly than a statute so that its guidance can keep up with changing technology.
Whether Hirsch’s suggestions at this stage are viable or not, these suggestions certainly open the door to new conversations about how to approach the data breach problem. There is nothing new under the sun, goes the old cliché, and so perhaps privacy professionals should take a closer look at the examples set by environmentalists and oil companies to see how we can learn from their successes and failures.