Academic journal article Boston University Law Review

Integrating Integrity: Confronting Data Harms in the Administrative Age

Article excerpt

Introduction

Data breaches are becoming increasingly common.1 As more and more businesses, industries, and government bodies begin to rely upon data as an integral part of operations, data breaches will continue to plague consumers and businesses. In the aftermath of these intrusions into corporate and government infrastructure, however, the several parties to a data breach are left without many viable options to make themselves whole again. As two leading privacy law scholars have proclaimed, "[d]ata breaches have become an epic problem."2

Commonly, no post-breach remedy is available to harmed parties. And when one is available, it is woefully inadequate. The parties to a data breach, their relations to one another, the harms faced by each party, and the prevalence of international actors all contribute to the quandary. To better understand these issues, consider the recently reported breach of Equifax, one of the nation's three credit reporting agencies. The Equifax hack exposed the data of some 145.5 million U.S. customers.3 The breach included individuals' names, Social Security numbers, dates of birth, addresses, and some individuals' driver's license numbers and credit card numbers.4 Since between fourteen and thirty-three percent of data-breach victims ultimately become victims of fraud, at least twenty million Americans are likely to suffer real-world consequences.5 Initially, people were outraged that a large company like Equifax would "allow" their data to be compromised.6 This criticism is not entirely without merit, as a subsequent investigation discovered that Equifax was alerted to a security vulnerability but did not take simple steps to secure its systems.7 Notwithstanding, Equifax was the victim of a criminal act whereby outside hackers infiltrated its corporate infrastructure to take something without permission. In fact, the hack may have been perpetrated by a state-sponsored intelligence service.8 In addition to the public relations calamity, Equifax was subjected to congressional hearings,9 regulatory action,10 and litigation.11

Individuals whose data is hacked face substantial harm, but that harm is difficult for courts to conceptualize. Indeed, academics have devoted significant attention to finding ways for courts to better understand the future harms faced by data-breach victims.12 For example, a victim of the Equifax breach who suffered only from the exposure of her credit card number can contact the issuing bank and receive a new number. At first glance, this may seem like a minor inconvenience at worst. But, in addition to the time costs imposed on the individual, it imposes a financial cost on the issuing bank (i.e., making the new card, mailing the new card, administrative costs, etc., multiplied by the tens of thousands of customers that may be impacted at any given bank).13 A victim who lost control of immutable data, like her Social Security number or date of birth, will now incur pecuniary costs to pay for credit monitoring services, spend valuable time scouring financial statements for suspicious charges, and may even develop anxiety over the possibility of future identity theft.14

At present, secondary victims, like the issuing bank in the above example, have no means of recuperating these losses, and individuals seeking legal redress are often stymied by the judicial doctrine of standing. Standing, derived from Article III of the U.S. Constitution, confers federal court jurisdiction only when there is a "case" or "controversy."15 In the landmark case Lujan v. Defenders of Wildlife,16 the court laid out the three prongs of the standing inquiry: in order for a plaintiff to have standing, she must show (1) an injury-in-fact, (2) that is fairly traceable to the defendant, and (3) which is susceptible to redress by a favorable judicial decision.17 Data-breach victims seeking to become plaintiffs in suits against breached organizations, which can be either public or private entities,18 are often turned away at the first stage of the standing inquiry for failure to identify a concrete and particularized "injury in fact. …
