Antitrust and Unfair Competition Law

Competition: Winter 2017-18, Vol. 27, No. 1

RETHINKING HEALTHCARE DATA BREACH LITIGATION

By Jay Edelson and Aaron Lawson1

I. INTRODUCTION

In the wake of the Equifax data breach, the risk to consumer data is one faced not only by individuals but also by the companies that deal in that commodity. Maciej Ceglowski, a web developer and Silicon Valley-based entrepreneur, likens collections of personal data to radioactive waste: "easy to generate, easy to store in the short term, incredibly toxic, and almost impossible to dispose of."2 Bruce Schneier analogizes data to a "toxic asset."3 Ceglowski and Schneier both advocate for companies to limit the data they collect and store, if for no other reason than to limit their own exposure to the fallout from data breaches, hacks, and other leaks of personal information.

Most firms, however, treat consumer data not as toxic but as beneficial: data generates value, and effort should be put into figuring out how best to wring profits from collected personal data.4 On some level, most consumers are aware of this. Thus, the maxim "if the product is free, that means you’re the product."5

But whether a company treats consumer data as a beneficial asset to be used or a toxic asset to be disposed of quickly, it frequently ignores the perspective of the party most affected by the nigh-ubiquitous collection of personal data: the consumer. Consumers must hand over their data to transact just about any kind of business, and this data, when aggregated, can paint a remarkably revealing and intimate portrait of a given individual.6 Consumers have an obvious interest in the security of this data, despite their choice to surrender it in a given transaction. The decision to disclose information in one circumstance does not constitute blanket permission to use that data in any way the acquiring firm might want, and, as the Supreme Court has recognized, there is a "power of compilations to affect personal privacy that outstrips the combined power of the bits of information contained within."7

Moreover, most assessments of the costs and benefits associated with collecting and storing consumer data ignore a key, and growing, piece of the puzzle: ransomware. Data breaches can lead to bad press, customer turnover, or regulatory action; but in many cases the most immediate cost in any data breach will be the price paid for the return of access to a given system. Since most firms pass costs onto the consumer at the end of the day, this means that consumers might pay double for a firm’s lax data security: once because their sensitive data has been compromised, and once because they bear a share of the ransom paid.

Both firms and courts have given insufficient attention to the consumer's interest in data privacy and security. These interests are paramount in the healthcare space. Privacy interests in healthcare-related data are both more complicated and more intuitively grasped, as demonstrated by the fact that healthcare privacy is subject to one of the most comprehensive privacy regimes in American law.

Moreover, for institutions in the healthcare sector, heeding the suggestions of Ceglowski and Schneier (collect as little data as possible and dispose of it as quickly as possible) is simply not feasible. Hospitals, for instance, cannot function without vast stores of information about their patients. If a doctor doesn't know what other medicines a patient is taking, she runs the risk of prescribing a lethal cocktail of medications. Likewise, a doctor who is unaware of a patient's medical history might misdiagnose a condition, accidentally delaying life-saving treatment. Hospitals must also store payment information, information on a patient's insurance, and information on family members. In short, hospitals possess a trove of incredibly sensitive information about scores of individuals.

The past few years have seen a number of data breaches in the healthcare space, notably Anthem and Premera. These should be a call to arms. Significant players in the healthcare space, however, have not responded to these incidents with the urgency that, we believe, the situation requires. They are instead content to cast themselves as unwitting victims, even when best practices dictate more proactive measures. The failure to act appears to rest on a misperception of the consumer’s interest in data security. Ultimately, this failure of perception requires legislators and the courts to intervene before it is too late.

It is time we re-think how we assess data security and data breaches. Regulatory action, whether judicial or legislative, shouldn’t focus on the aftermath of a breach; it should focus on preventing them in the first place.

II. HEALTHCARE FIRMS ARE UNDERVALUING DATA SECURITY

We contend that actors in the healthcare space undervalue data security, so let’s begin by examining how they do value data security. One widely read study on the costs of a data breach is published annually by the Ponemon Institute. According to the Ponemon Institute, the cost of a data breach in 2016 was $221 per breached record.8 According to the Ponemon study, the largest drivers of this cost are: (1) customer turnover in the wake of a breach, (2) investigating the size of the breach, and (3) defending against resulting lawsuits.9 (These costs are greater in the healthcare space.10)

The Ponemon study also identifies several ways in which firms can mitigate, reduce, or eliminate these costs: having a response team dedicated to data security, extensive use of encryption, training employees in proper data handling, among others.11 In other words, data breaches and their attendant costs can be prevented by investing in data security. The Ponemon study thus strongly suggests that the interests of firms are aligned with the interests of consumers, and that both should want to invest in data security.

So what are firms doing? If an investigation by Ars Technica is any indication, the answer is "not much." In 2016, a series of hospitals fell prey to data breaches. According to Ars Technica, the same network vulnerability was at issue in each case.12 An AP report on one such attack noted that the vulnerability had been known since 2007 and could have been fixed with a simple patch.13 The vulnerability stems from the decision to keep running a version of an application server that its vendor had declared "end of life," meaning that it was obsolete and no longer received security fixes; for software in that state, the only real remediation is to upgrade or retire it.

If, as the Ponemon study suggests, both company and consumer incentives are aligned in favor of greater data security, then the persistent decision of healthcare systems not to update their networks, and thus leave them vulnerable even to unsophisticated hackers, is irrational. The problem, of course, is that healthcare firms don’t see taking steps to bolster data security and prevent data breaches as financially beneficial. This appears to result from market inefficiency. For publicly traded companies, investors neither know nor care about a company’s data security or vulnerability to a data breach.14 And, of course, consumers (not to mention employees, whose data also is vulnerable) rarely have access to this information, and lack the means to agitate for change.

The Ponemon study also reveals a fatal blind spot in how companies value data security: the study never once includes ransom as a cost of a data breach. But a number of recent data breaches were also ransomware attacks.15 In a ransomware attack, the intruder not only gets into a company's files but holds them "hostage," typically by encrypting them and withholding the decryption key until a ransom is paid.16 (Whether the intruder also copies the data out is a separate question, and, as discussed below, it is one reason ransomware incidents are inconsistently reported as breaches.)

This blind spot may well be because most ransom demands to date have been essentially nominal. Many early ransom demands asked for 1 Bitcoin, a cryptocurrency whose value, as of this writing in September 2017, has never exceeded $5,000. More recent demands have been closer to $80,000. Still, for a large healthcare organization, that sum is a drop in the bucket. Ransomware attacks can generate a lot of press, but if the cost does not sting, then the press coverage itself won't move the needle.

But ransomware attacks need to be seen as a new entrepreneurial front in the broader hacking economy. A normal entrepreneurial cycle begins with proof of concept. Early investments are small: a product is introduced in one market or one store, just to see if it catches on. If it does, a second round of investment spurs further development or production, and then further investment is sought as needed until supply and demand reach equilibrium. At the same time, new firms, seeking to capitalize on whatever innovation has captured the market's imagination, enter and offer their own version of the product.

Many of these same concepts are regularly applied to hacking, and apply easily to ransomware.17 As it relates to hacking, hackers often locate vulnerabilities and then release "proof of concept" source code.18 When this is done by "white hat" hackers, the idea is to fix the vulnerability before it becomes widely exploited. When done by "black hat" hackers, of course, the motives are far less pure.19

A similar framework applies easily to ransomware. Early hackers may ask only for a small ransom. The sum will grow larger as hackers try to determine what firms are willing to pay to regain access to their computer systems. Once the price reaches a certain level, newer actors enter the fray. For instance, hackers that security researchers link to the government of North Korea have entered the ransomware game: they famously held up a bitcoin news website using a strain of malware previously used to cripple Britain's National Health Service.20

Ransomware-related costs, which are attributable to lax data security, are high and getting higher. But traditional cost studies don’t account for them, and what information is available may undervalue the costs. In 2016, hospitals suffered 450 data breaches; one report suggests that 26.8% of these were the result of ransomware, hacking, or malware.21 Yet only 9 ransomware incidents were reported to the government.22 This may well be because existing law doesn’t mandate disclosure, particularly if the ransomware, though it might badly disrupt hospital operations, doesn’t compromise patient records.23

Whatever the reason, this cost generally flies under the radar. Ransomware attacks might garner more press coverage than a typical data breach, but since reporting obligations are unclear and current ransom demands are relatively low, firms don't seem to be taking them seriously. This compounds the more general disinterest in shoring up data security, leaving patient data exposed and imposing costs on consumers in the wake of data breaches.

The end result is bad for patients: They pay up front, because healthcare firms focus on compensating officers and directors rather than investing in data security. They pay when a breach occurs, because their sensitive data is exposed. And they pay afterwards, as the costs of remediating security vulnerabilities are inevitably passed on. Unsurprisingly, many affected patients turn to the courts for recourse. But, as we explain next, they don’t fare much better there.

III. COURTS ARE UNDERVALUING DATA SECURITY

As we note above, actors in the healthcare space recognize that there are costs, including legal costs, to a data breach. And it is true that a data breach is nearly certain to precipitate litigation. But a review of these cases demonstrates that courts are barely accounting for data security at all.

The first hurdle any data-breach case must clear is a motion to dismiss for lack of standing.24 The core premise of such a motion is that individuals whose data has been compromised have not been "injured" in a legal sense.25 For these purposes, an "injury" is some invasion of a legally cognizable interest.26 So a data-breach defendant asserting that a plaintiff lacks standing is necessarily asserting that the victims of a data breach have no legally cognizable interest in data security; indeed, most defendants argue that plaintiffs aren’t injured until their compromised data is used to their detriment and they’ve suffered monetary harm.27

For the most part, courts have not pushed back on these premises. Most courts faced with data-breach based lawsuits agree to dismiss them for lack of any cognizable injury. The reasoning follows similar paths in most cases: (1) the risk of identity theft is too speculative;28 (2) no part of any payment is earmarked for data security, so there is no financial harm;29 (3) relatedly, even when hospitals promise to ensure the privacy of medical data, that promise does not encompass general data security, so there is no breach of contract that would support a lawsuit.30

Each of these conclusions is contestable. The second is the most defensible: the underlying theory is that your insurance premiums or hospital bills could pay for better data security, but if the market would bear the same price regardless, then any claim of financial injury is implausible. The third conclusion reflects questionable assumptions about what we mean by privacy. If data privacy is promised (and under federal law it must be31), why do we assume that such promises are limited to intentional disclosures? Courts (and defendants) seem to assume that a promise of data privacy can't be broken negligently, but that assumption is thus far unexamined in the cases.32 (This, however, is largely a question of contract law.)

The first conclusion is, we think, the most troubling. If identity theft (or other misuse of personal data) is required before a plaintiff may sue, then the legally cognizable interest in these cases appears to be a narrow financial interest. Identity theft is, of course, quite costly to the victim.33 Courts, in other words, refuse to recognize any interest in the security of personal information absent specific negotiation for that security.

Some judges believe the standing problem in data-breach cases is not injury but traceability, that is, whether any injury can be attributed to the breached organization. For instance, the dissenting judge in Resnick v. AvMed, Inc. would have concluded that, despite well-pleaded allegations that the defendant failed to secure a pair of laptops full of unencrypted patient data, any harm to the plaintiffs could not be traced to the defendant.34 That reasoning makes plain that data security is not the focus of the court's inquiry. If it were, the lax data security itself would be identified as an injury traceable to the defendant's conduct. Another judge, in a case outside the healthcare space, would have reached a similar conclusion in Galaria v. Nationwide Mutual Insurance Co. The dissenting judge there reasoned that the hackers, not Nationwide, were responsible for any harm that befell the plaintiffs.35 There were no allegations, the judge thought, that could connect any harm back to Nationwide.36 Of course, the fact of a successful hack is evidence enough that a system had some vulnerability. Whether the stolen data was later misused is irrelevant to the question of whether the data was properly secured in the first place. Again, this reasoning has no room for a plaintiff's interest in having their data held securely.

Even the small minority of cases that conclude that plaintiffs have standing are problematic. In general, courts will conclude that plaintiffs may proceed with a lawsuit if some stolen data has already been misused, on the theory that any risk that a particular person’s data will be misused is no longer speculative.37 But that conclusion again focuses on the financial harms that stem from identity theft, harms that are analytically separate from any interest in data security. Other cases make clear that the dispositive point in the plaintiff’s favor is the existence of a statutory right that can plausibly be read to encompass preventing disclosure of the information at issue.38 Here again, though, the legally cognizable interest is not in data security. (No statute of which we are aware creates an entitlement to data security).

And although decisions on standing to sue exhibit a modicum of consistency, data-breach decisions on the merits are all over the place. In general, plaintiffs tend to allege several theories of liability. Given the inconsistent holdings of the courts, that approach has something to recommend it.

For instance, the Eleventh Circuit in Resnick v. AvMed39 concluded that an unjust enrichment claim under Florida law could proceed in the wake of a data breach, on the theory that the defendant used a portion of the plaintiff’s monthly premium to "pay for the administrative costs of data management and security," and that, given the breach, it was inequitable to allow the defendant to retain those funds.40 Resnick also permitted contract and negligence claims to proceed, on the theory that the theft of the plaintiffs’ identities was potentially connected to the breach of the defendant’s systems, though the court did not address whether any element other than causation was adequately alleged in that case.41

By contrast the court in In re Anthem, Inc. Data Breach Litigation dismissed negligence, contract, and unjust enrichment claims.42 Regarding negligence, the court concluded that the issue was better addressed to the legislature and that the common law imposed no relevant duty of care.43 The contract claims were based on the privacy policy promulgated by the insurer, but the court concluded that those policies didn’t contain any language specific enough to have been broken by a data breach.44

The Anthem court did, however, permit the plaintiffs to litigate state-law consumer protection claims. A California claim could proceed, the court held, in light of the strong California public policy in the protection of consumer data.45 A New York consumer protection claim could proceed, the court held, to recoup damages in the form of the loss in value of the plaintiffs’ personally identifiable information attributed to the Anthem breach and for benefit-of-the-bargain damages, essentially a form of overpayment theory.46

Across the country, the court in Fero v. Excellus Health Plan, Inc.47 also permitted a New York statutory consumer-protection claim regarding a healthcare data breach to proceed48 and further permitted a contract claim based on the language of the defendant's privacy policy to go forward.49 But the court concluded that benefit-of-the-bargain damages could not be recovered in light of the filed rate doctrine.50 If the conflict between Fero and Anthem isn't dizzying enough, Fero also conflicts with Abdale, a New York state trial court decision that dismisses a similar contract claim on the ground that a privacy policy contains no actionable terms regarding data security.51 And Abdale's conclusion is in line with Brush v. Miami Beach Healthcare Group, LLC, which dismisses a contract claim based on the theory that a data breach caused a violation of a similar privacy policy.52 Whether or not the hospitals or healthcare firms might have breached their policies, these cases hold, the policies do not create the kinds of contractual relationships that permit someone to bring suit.

This brief survey suggests that even when courts can agree that data security is important, they can’t quite agree why. That kind of disagreement likely stems from both a misunderstanding of the costs of poor data security and of the value of good data security. But we don’t think the time is right to give up on the courts.

As we’ve already laid out, there are good reasons why actors of all stripes should value data security. And we think the ordinary development of the common law should ultimately encourage healthcare firms to place a premium on data security. In the next section, we lay out why. But we also recognize that there are limits to what courts can do. Legislators, therefore, also have a key role to play in this debate. What’s more, change needs to happen soon. The costs of poor data security are only going up.

IV. COURTS SHOULD RETHINK THEIR APPROACH TO DATA SECURITY

As we explained in the previous section, the approach of courts to questions of jurisdiction in data-breach cases assumes that any injury is suffered by virtue of identity theft, not the exposure of your personal information to hackers or the world at large by virtue of a vulnerable computer system. And to the extent courts address the merits, there is further disagreement about why any particular legal interest receives judicial protection. The result is wildly divergent rulings, on both jurisdictional and merits grounds.

We believe that courts would achieve some measure of harmony on these questions in data-breach cases, however, if they would focus on a plaintiff's underlying interest in data security. Let's begin with the foundational tort: negligence. A negligence claim asks whether the defendants failed to act with due care towards the plaintiffs. And due care is "a function of the probability and magnitude of an accident and the costs of avoiding it."53 In perhaps the most classic formulation of negligence, Judge Learned Hand reasoned that the "duty to provide against resulting injuries" is triggered when the product of the "probability" of injury and the likely "gravity" of the resulting injury outweighs "the burden of adequate precautions," that is, when the expected harm exceeds the cost of preventing it.54

Seen through the lens of data security, we think it clear that negligence law should have something to say about data breaches. As we've already discussed, the burden on firms of taking adequate precautions is far smaller than the cost of remediating a data breach. What's more, only one party is even in a position to prevent the injuries that result from a data breach. Consumers and patients have no real means to force increased data security on companies.

But the real error in the analysis to date comes in undervaluing the likelihood of injury and the gravity of any resulting injury. First, focus, as courts have, solely on identity theft. Anyone who watches television for long enough is bound to see an advertisement for companies like LifeLock, which promise to help you prevent identity theft.55 These ads discuss the frequency of identity theft, but how prevalent is identity theft really? The short answer is, "it's hard to know." In 2005, for instance, one think tank estimated that the crime had affected 44 million people, but the Federal Trade Commission fielded only 246,000 identity theft complaints that year, and another study pegged the number of identity theft victims in a given year at 160,000, less than one percent of the population.56 The number of victims has undoubtedly gone up since, but by how much is unclear.

And what is the gravity of the resulting injury? With the caveat that definitional and methodological differences color the research, consider a recent study from Javelin Strategy & Research: it estimates that in 2016, 15.4 million Americans were victims of identity theft, resulting in the theft of around $16 billion.57 That means the average victim lost around $1,000.

So take this data and plug it into the Carroll Towing equation. The likelihood of identity theft is difficult to show, but some evidence suggests that it isn't very likely at all. And while some victims of identity theft may suffer hundreds of thousands of dollars in fraudulent charges, the average victim suffers a more pedestrian $1,000 in charges (many of which they might not even bear, since federal law caps a cardholder's liability for unauthorized credit card charges at $50 and issuers routinely waive even that). Under Carroll Towing, then, a court would impose upon companies the burden of taking steps to avoid this harm only if the costs of those preventive measures were very small.58
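The computation the preceding paragraph gestures at, written out with Judge Hand's own symbols from Carroll Towing: B for the burden of precautions, P for the probability of injury, and L for its gravity, with liability attaching when B < P · L. This is an added illustration, not part of the original article. The 2016 U.S. population of roughly 323 million is an assumption supplied for it, and the resulting P is a population-wide annual base rate, not the breach-conditional probability that the article says is hard to establish.

$$
\begin{aligned}
L &\approx \frac{\$16 \times 10^{9}}{15.4 \times 10^{6}} \approx \$1{,}040 \\[4pt]
P &\approx \frac{15.4 \times 10^{6}}{323 \times 10^{6}} \approx 0.048 \text{ per person per year} \\[4pt]
P \cdot L &\approx \$50 \text{ per person per year}
\end{aligned}
$$

On the identity-theft framing, then, B < P · L holds only for precautions costing less than about $50 per affected person per year, and less still once L is discounted for charges the victim never bears. For comparison, the Ponemon figure cited above puts the firm's own cost of a breached healthcare record at $402, roughly eight times that expected loss (a per-breach rather than per-year figure, but the size of the gap is the point). Refocusing on data security changes both factors: for every patient whose records a breached hospital held, P is effectively 1, because the exposure itself is the injury, and L grows to include the privacy harm plus the remediation and ransom costs passed through to patients.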

The calculus changes significantly if we refocus the analysis on data security. First, let's look at the likely gravity of harm. In this analysis, we can appropriately take account of the type of data a given firm has. Exposure of healthcare information puts an individual at risk for an incredibly serious invasion of their privacy. Health records contain some of the most sensitive information we provide to businesses. While it is difficult to quantify the harm that such an invasion of privacy causes,59 the harm is undoubtedly great. What's more, a focus on identity theft naturally lends itself to a focus on strict monetary harms, which narrows the class of people thought to be harmed in a given data breach. A more general recognition of the privacy interests at stake shows that the set of individuals injured by a data breach is much broader.

The focus on identity theft also causes courts to miss the costs imposed by the breaches themselves. First, as discussed, companies have to take steps to patch vulnerabilities in their systems, retrain their employees, and anything else necessary to remediate the harm caused by the data breach. These costs are inevitably passed on to consumers. Second, there are the costs that come with ransomware. In addition to all the normal costs imposed by a data breach, a ransomware attack can impose further costs simply to regain access to a computer. We can expect these costs, too, to be passed on to consumers.

And how likely are consumers to suffer these injuries? At least in the healthcare field, the answer is "very." As we discussed above, hospitals suffered 450 reported data breaches in 2016. Each of those breaches exposed patient data held by the affected hospital.

If we revisit Carroll Towing with this new focus, it is clear that tort law already provides a solid basis to hold companies liable for failing to take steps to prevent data breaches, particularly in vulnerable fields like healthcare. At a basic level, we see that both the gravity of the harm and the likelihood of the harm are much greater if we focus on data security as a standalone interest. And both of these variables become even weightier in fields with particularly sensitive data or greater-than-normal exposure to hacking. The healthcare field fits both bills.

Carroll Towing suggests that, in these circumstances, we should be much more comfortable imposing on hospitals and health insurers liability for failing to take steps to adequately secure data. What’s more, failure to shore up a known vulnerability may be the kind of "extreme departure from the ordinary standard of care" that qualifies as gross negligence.60

But while the common law already possesses the tools necessary to take a stand against poor data security, legislation and regulation may provide a surer path to meaningful reform. The development of the common law that we describe is unlikely to move the needle much unless it can successfully be implemented through a class action.61 A "fusillade of small-stakes claims"62 is unlikely when data security is at issue: the costs simply to litigate the issue are substantial, and the knowledge needed to bring the suit in the first place is a hurdle most ordinary litigants can't clear on their own.

But this itself poses a problem: Negligence claims like those we have highlighted above have been deemed unsuitable for class-action treatment.63 Judge Posner's opinion in Rhone-Poulenc canvasses the several ways in which states can organize their laws of negligence, as well as the many "subsidiary" notions bound up in negligence doctrine.64 At bottom, his point is simple: negligence law is complicated, involves choosing between competing objectives and making trade-offs, and so should be allowed to develop on its own. A multistate class action arrests that development in unacceptable ways, Judge Posner thought.

Rhone-Poulenc is approvingly cited in the mass tort context.65 And it might make sense to think of data breaches as giving rise to a digital-age mass tort. Mass torts can be successfully litigated on a class basis when the harm is confined to a single jurisdiction.66 And many hospitals or insurers only serve a single state. So we may be overstating the difficulty of relying on the development of tort law. But many larger breaches span multiple states. The Anthem data breach, for instance, affected individuals in all 50 states.

One ordinary response to the problem of certifying mass tort cases is to rely on state consumer-protection law. As discussed above, some lawyers have taken that approach in data breach cases, and with some success. But this path, too, is limited, and for several reasons. First, several decisions reject the idea that generic consumer-protection statutes are intended to cover harms related to data breaches.67 And the remaining states’ laws reflect "diverse policy judgments" resulting in a "patchwork of rules"68 that renders certification a decidedly uphill battle.69 Perhaps a choice-of-law analysis might dictate that only a single state’s law applies to a given lawsuit related to a particular data breach, but that seems unlikely. Courts generally decline to apply consumer-protection laws outside the particular state.70

In other words, specific protections are needed. Many states do impose data breach reporting requirements, but these protections do nothing to promote ex ante the kind of data security that can prevent the breach or ransomware attack in the first place. That regulatory gap leaves consumers unprotected. In the case of hospitals or healthcare firms, the gap is especially troubling.

V. CONCLUSION

Our current approach to litigating and regulating data breaches focuses on the prevention of identity theft. But that approach ignores the serious consequences that stem simply from the exposure of sensitive personal data to bad actors. Moreover, our current account of the costs and benefits of data security omits any discussion of ransomware.

Courts and legislators need to refocus. Instead of focusing on measures intended to help people prevent identity theft, regulation should focus on data security. The costs incurred in preventing a data breach are far smaller than the costs incurred in the wake of a data breach, both to company and consumer. Ex post efforts to assign blame for a data breach miss the point: True commitment to data security benefits everyone. And that lesson should inform both judicial and policymaking judgments.


Notes:

1. Jay Edelson is the founder of Edelson PC, a boutique plaintiffs’ class action firm that focuses on consumer privacy. He has been appointed class counsel in several cutting-edge privacy class actions. Aaron Lawson is an associate in Edelson PC’s Issues & Appeals practice group. The views expressed in this article are the authors’, and do not necessarily reflect the views of Edelson PC, its attorneys, or its clients.

2. Maciej Ceglowski, "The Internet with a Human Face," http://idlewords.com/talks/internet_with_a_human_face.htm (accessed Sept. 12, 2017); see also Maciej Ceglowski, "Haunted by Data," http://idlewords.com/talks/haunted_by_data.htm (accessed Sept. 12, 2017).

3. Bruce Schneier, CNN, "Data is a toxic asset, so why not throw it out?," http://www.cnn.com/2016/03/01/opinions/data-is-a-toxic-asset-opinion-schneier/index.html (Mar. 1, 2016, 7:12 a.m.).

4. See D. Daniel Sokol & Roisin Comerford, Antitrust & Regulating Big Data, 23 Geo. Mason L. Rev. 1129, 1139 (2017) ("a firm needs to focus on developing both the managerial toolkit and organizational competence that allows them to turn Big Data into value to consumers in previously impossible ways").

5. See also In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262, 265 (3d Cir. 2016) ("Most of us understand that what we do on the Internet is not completely private. How could it be? We ask large companies to manage our email, we download directions from smartphones that can pinpoint our GPS coordinates, and we look for information online by typing our queries into search engines. We recognize, even if only intuitively, that our data has to be going somewhere.").

6. The ubiquity of data collection and aggregation creates what some call a "womb-to-tomb dossier". Daniel Solove, Access & Aggregation: Public Records, Privacy & the Constitution, 86 Minn. L. Rev. 1137, 1192-93 (2002).

7. U.S. Dep’t of Justice v. Reporters Committee for Freedom of the Press, 489 U.S. 749, 765 (1989).

8. Ponemon Institute, 2016 Cost of a Data Breach Study: United States, at 1.

9. Id. at 16.

10. Id. at 7 (average cost of a breached record in the healthcare sector is $402).

11. Id. at 9.

12. Sean Gallagher, "Two more healthcare networks caught up in outbreak of hospital ransomware," Ars Technica (Mar. 29, 2016, 4:11 p.m.).

13. Tami Abdollah, "Hackers broke into hospitals despite software flaw warnings," Associated Press (Apr. 5, 2016).

14. Kevin Magee, "Why Cybersecurity is Financially Undervalued," CFO Magazine, http://ww2.cfo.com/cyber-security-technology/2017/06/cybersecurity-financially-undervalued/ (June 23, 2017).

15. See Abdollah, supra note 13.

16. See Paul DeMuro, Keeping Internet Pirates at Bay: Ransomware Negotiation in the Healthcare Industry, 41 Nova L. Rev. 349, 353 (2017).

17. See Steven Bellovin, et al., Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet, 12 Nw. J. Tech. & Intell. Prop. 1, 62-63 (2014); Meiring de Villiers, Reasonable Foreseeability in Information Security Law, 30 Hastings Comm. & Ent. L.J. 419, 462 (2008).

18. Bellovin, supra, at 39.

19. See Gallagher, supra note 12 (noting that multiple hospitals suffering from the same security vulnerability had been hacked and held for ransom).

20. See Yuji Nakamura & Sam Kim, "North Korea is Dodging Sanctions with a Secret Bitcoin Stash," Bloomberg, https://www.bloomberg.com/news/articles/2017-09-11/north-korea-hackers-step-up-bitcoin-attacks-amid-rising-tensions (Sept. 11, 2017, 1:00 p.m.).

21. Jessica Davis, "Experts: There’s no gray area with ransomware breach reporting," Healthcare IT News, http://www.healthcareitnews.com/news/experts-there%E2%80%99s-no-gray-area-ransomware-breach-reporting (June 20, 2017, 2:36 p.m.).

22. Id.

23. See Meg Bryant, "Ransomware attacks can fall below the radar via underreporting," Healthcare Dive, http://www.healthcaredive.com/news/ransomware-attacks-can-fall-below-the-radar-via-underreporting/445351/ (June 20, 2017).

24. See Fed. R. Civ. P. 12(b)(1).

25. See Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547-50 (2016) (discussing the "injury in fact" requirement of standing). Our discussion of standing, a federal doctrine, implies (correctly) that many of these cases proceed in federal court, under both the diversity and federal question jurisdictions. The standing problem dogs data-breach cases in state court as well, however. In Maglio v. Advocate Health & Hospitals Corp., the Illinois Appellate Court concluded that an increased risk of identity theft was too speculative to support the plaintiff’s standing. 2015 IL App (2d) 140782, ¶ 24.

26. See Sargeant v. Dixon, 130 F.3d 1067, 1069 (D.C. Cir. 1997).

27. See, e.g., Motion to Dismiss, Khan v. Children’s Nat’l Health Sys., No. 8:15-cv-2125 (D. Md. filed Sept. 8, 2015), 2015 WL 12804514 (arguing that victims of a data breach whose personal data had not been misused could not sue based on an increased risk of identity theft, the expenses they had incurred to protect their identities in light of the breach, the invasion of privacy occasioned by the breach, or any decrease in the value of their personal information).

28. See, e.g., Beck v. McDonald, 848 F.3d 262, 274 (4th Cir. 2017); Chambliss v. CareFirst, Inc., 189 F. Supp. 3d 564, 570 (D. Md. 2016); Khan v. Children’s Nat’l Health System, 188 F. Supp. 3d 524, 532-33 (D. Md. 2016).

29. See, e.g., Fero v. Excellus Health Plan, Inc., 236 F. Supp. 3d 735, 754-55 (W.D.N.Y. 2017); Khan, 188 F. Supp. 3d at 533.

30. See, e.g., Khan, 188 F. Supp. 3d at 533; Case v. Miami Beach Healthcare Grp., Ltd., 166 F. Supp. 3d 1315, 1319-20 (S.D. Fla. 2016).

31. 42 U.S.C. § 1320d-2.

32. Similarly, many cases reject the idea of a "negligent invasion of privacy," i.e., a claim for invasion of privacy centered on the defendant’s negligence in permitting the invasion to occur. See, e.g., Malloy v. Sears, Roebuck & Co., No. 4:96-cv-157, 1997 WL 170313, at *3-*4 (N.D. Miss. Mar. 4, 1997). A handful of cases proceeding on a similar theory related to data security have been filed, but they are generally under seal. After all, it defeats the purpose of suing to fix a security vulnerability to publicly file suit, thus exposing the critical vulnerability to the world.

33. Holmes v. Countrywide Fin. Corp., No. 08-cv-205, 2012 WL 2873892, at *3 (W.D. Ky. July 12, 2012) ("The FTC has estimated that 5% of adults are affected by identity theft, resulting in annual losses to consumers of $53 billion.") (citing a 2005 article).

34. Resnick v. AvMed, Inc., 693 F.3d 1317, 1331 (11th Cir. 2012) (Pryor, J., dissenting).

35. Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384, 392-93 (6th Cir. 2016) (Batchelder, J., dissenting).

36. Id.

37. Brush v. Miami Beach Healthcare Grp., Ltd., 238 F. Supp. 3d 1359, 1365 (S.D. Fla. 2017); Tierney v. Advocate Health & Hospitals Corp., No. 13 CV 6237, 2014 WL 5783333, at *2 (N.D. Ill. Sept. 4, 2014).

38. In re Horizon Healthcare Servs. Data Breach Litig., 846 F.3d 625, 635 (3d Cir. 2017); Tierney, 2014 WL 5783333, at *2.

39. 693 F.3d 1317 (11th Cir. 2012).

40. Id. at 1328.

41. Id. at 1326-27.

42. 162 F. Supp. 3d 953, 974-84 (N.D. Cal. 2016).

43. Id. at 974-78.

44. Id. at 978-81.

45. Id. at 990.

46. Id. at 993-96.

47. 236 F. Supp. 3d 735 (W.D.N.Y. 2017).

48. Id. at 774-79.

49. Id. at 759-61.

50. Id. at 789-91. This conclusion is arguably incompatible with the court’s decision not to dismiss the plaintiffs’ unjust-enrichment claim. Id. at 770.

51. Abdale v. North Shore Long Island Jewish Health Sys., Inc., 49 Misc. 3d 1027, 1040 (Sup. Ct. Queens Cnty. 2015).

52. 238 F. Supp. 3d 1359, 1367 (S.D. Fla. 2017).

53. In re Rhone-Poulenc Rorer, Inc., 51 F.3d 1293, 1300 (7th Cir. 1995).

54. United States v. Carroll Towing Co., 159 F.2d 169, 173 (2d Cir. 1947).

55. If the focus is on identity theft, services like these also factor into the burden analysis. If consumers can easily shoulder the burden of preventing identity theft, there is no reason to shift that burden to companies.

56. See Bob Sullivan, "Just how common is ID theft?" NBC News, http://www.nbcnews.com/id/8409283/ns/technology_and_science-security/t/just-how-common-id-theft/#.Wc1JJBNSxTY (June 30, 2005, 7:55 p.m.).

57. Herb Weisbaum, "Identity Fraud Hits Record Number of Americans in 2016," NBC News, https://www.nbcnews.com/business/consumer/identity-fraud-hits-record-number-americans-2016-n715756 (Feb. 2, 2017, 7:21 a.m.).

58. Cf. In re City of New York, 522 F.3d 279, 285 (2d Cir. 2008) (imposing duty to avoid small risk of harm because burden of taking precautions was also very slight).

59. Pine v. Rust, 535 N.E.2d 1247, 1251 (Mass. 1989) ("privacy interests . . . are by their very nature lacking in clear definition and difficult to quantify").

60. 47 Am. Jur. 2d Negligence § 227.

61. See Hughes v. Kore of Ind. Enter., Inc., 731 F.3d 672, 677 (7th Cir. 2013) (highlighting the substantial deterrent effects of class actions).

62. Murray v. GMAC Mortg. Corp., 434 F.3d 948, 953 (7th Cir. 2006).

63. Rhone-Poulenc, 51 F.3d at 1300-02.

64. Id. at 1300.

65. See Castano v. American Tobacco Co., 84 F.3d 734, 746-50 (5th Cir. 1996).

66. See In re Federal Skywalk Cases, 95 F.R.D. 483 (W.D. Mo. 1982) (certifying under Rule 23(b)(3) a class proposing to litigate claims related to the collapse of two skywalks at the Hyatt Regency in Kansas City).

67. See, e.g., Hancock v. Urban Outfitters, Inc., 830 F.3d 511 (D.C. Cir. 2016).

68. BMW of N. Am., Inc. v. Gore, 517 U.S. 559, 570 (1996).

69. Siegel v. Shell Oil Co., 256 F.R.D. 580, 585 (N.D. Ill. 2008).

70. See Mazza v. Am. Honda Motor Co., Inc., 666 F.3d 581, 592 (9th Cir. 2012) ("Getting the optimal balance between protecting consumers and attracting foreign businesses, with resulting increase in commerce and jobs, is not so much a policy decision committed to our federal appellate court, or to particular district courts within our circuit, as it is a decision properly to be made by the legislatures and courts of each state.").
