Data Insecurity
Diminished privacy is one of the consequences of a modern, technology-driven world. Privacy disappears in many ways: It can be lost voluntarily--think of public Facebook posts--or involuntarily--think of hackers accessing medical records. To illustrate the ongoing occurrence of involuntary data breaches, a quick review of the "Breach Portal" hosted by the U.S. Department of Health and Human Services Office for Civil Rights serves as a reminder of the magnitude of data breaches in healthcare.
A lot of things happen after a data breach. People are notified. The media runs a story. Victims may receive an identity theft protection service. However, the incident may never truly be "resolved." Victims may never know the ways in which thieves may have used the stolen data. Victims may never receive confirmation about whether or not their private information was used for unlawful purposes. Victims may simply be left hoping for the best. So, in the uncertainty and confusion during the aftermath of a data breach, one of the next logical questions is "what now?"--legally speaking.
The Law
HIPAA, other federal laws, and state laws come into play when a data breach involves personal information.
- For example, Florida Statute section 395.3025(4) states that “[p]atient records are confidential and must not be disclosed without the consent of the patient.”
- Additionally, the HIPAA Security Rule "specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity, and availability of electronic protected health information."
- With consumer data, the Fair Credit Reporting Act requires that "[a]ny person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal." 16 C.F.R. § 682.3(a).
But what do these requirements mean for the victim of data theft? It's undisputed that "Congress did not create a private, statutory right of action to enforce HIPAA's terms." Sheldon v. Kettering Health Network, 2015 Ohio 3268, 15 (Ohio Ct. App. 2015). Consequently, any claim brought after a breach of protected health information cannot rest on the fact that the defendant failed to comply with HIPAA; instead, the plaintiff must "assert common-law tort claims independent from HIPAA." Sheldon v. Kettering Health Network, 2015 Ohio 3268, 14 (Ohio Ct. App. 2015).
When litigating about identity theft as a consequence of data breaches, plaintiffs may attempt to bring numerous claims, as referenced by the 11th Circuit, including "negligence, negligence per se, breach of fiduciary duty, breach of contract, breach of implied contract, and breach of the implied covenant of good faith and fair dealing." Resnick v. Avmed, Inc., 693 F.3d 1317, 1328 (11th Cir. 2012). For example, in an Indiana case, a jury awarded damages to a plaintiff for "professional malpractice and public disclosure of private facts" after her personal medical prescription data was improperly accessed by a Walgreens employee who was also her "on-and-off" partner. Walgreen Co. v. Hinchy, No. 49A02-1311-CT-950, at 14 (Ind. App. Nov. 14, 2014). Of note, the plaintiff presented sufficient evidence for the jury to award $1.8 million. Walgreen Co. v. Hinchy, No. 49A02-1311-CT-950, at 21 (Ind. App. Nov. 14, 2014).
Further, class actions may develop: "In January 2009, Heartland Payment Systems, Inc. ('Heartland') publicly disclosed that hackers had breached its computer systems and obtained confidential payment-card information for over one hundred million consumers. Lawsuits were filed in state and federal courts across the country." In Re Heartland Payment Sys., Inc. Customer Data Sec. Breach Litig., MDL No. 09-2046 (S.D. Tex. Mar 20, 2012).
Requirements
Victims of identity theft must be able to prove losses, and those losses must be tied to the data breach. The Heartland settlement, for example, defined a compensable claim this way:
"[A] Valid Claim shall consist of only those 'Losses' . . . that a Settlement Class Member . . . proves by a preponderance of the evidence (i.e., more likely than not to be true), to have directly and proximately resulted from information . . . having been stolen or placed at risk as a result of the Heartland Intrusion[.]"
Further, plaintiffs must show causation. A mere coincidence is not enough.
"Generally, to prove that a data breach caused identity theft, the pleadings must include allegations of a nexus between the two instances beyond allegations of time and sequence. In an unpublished opinion on summary judgment, the Ninth Circuit found that a plaintiff sufficiently showed a causal relationship where '(1) [plaintiff] gave [the defendant] his personal information; (2) the identity fraud incidents began six weeks after the hard drives containing [defendant's] customers' personal information were stolen; and (3) [plaintiff had] previously not suffered any such incidents of identity theft.' Stollenwerk v. Tri-West Health Care Alliance, 254 Fed. Appx. 664, 667 (9th Cir. 2007) (emphasis added)."
Resnick v. Avmed, Inc., 693 F.3d 1317, 1326–1327 (11th Cir. 2012).
When these requirements are met, victims may seek redress in the courts. But when comparing the high volume of data breaches to the case law, it becomes readily apparent that most victims lack redress. Once data is stolen, it can be transmitted around the globe, bought and sold, compiled and decompiled, and used for any number of illegal purposes. Most victims will never be able to specifically and definitively tie a particular harm back to a specific breach.
In summary, the sheer quantity of data breaches suggests that additional case law will develop in this field. However--from a practical standpoint and as the 11th Circuit noted--the vast majority of individuals who have had data stolen will be left alone "to clean up the damage caused by these identity thieves." Resnick v. Avmed, Inc., 693 F.3d 1317, 1329–1330 (11th Cir. 2012).