Although this story is from the U.S., we keep a close eye on American data protection affairs as our laws can be similar, and cases and challenges can reflect on how we may see the law here.
In this big news story from the States, a federal appeals court in the U.S. has recently said that claimants can sue defendants who breach their data protection obligations for ‘fear of damage’, even if no actual damage has occurred. This can make sense, as the damage could be done at any point in the future; but this decision moves away from one Supreme Court case that said claimants needed to prove a risk of “imminent” and “concrete” injury to bring a claim.
The course of the case
The appeals court in this case heard how an intruder managed to access CareFirst Inc.’s computers and databases that contained customers’ personal information. The District Court – as the court of first instance – dismissed the case with the view that claimants couldn’t prove real injury “nor a high enough likelihood of future injury.”
However, the appeals court reinstated the case, noting that the district court failed to consider the risk of harm through fear.
The panel of three judges also noted the impact that breaches involving medical data theft can have on the victim’s health and life when inaccurate data belonging to one person is merged with another’s on the same file. Without accurate records, patients may “receive improper medical care, have their insurance depleted, become ineligible for health or life insurance or become disqualified for some jobs.”
Recognising substantial risks of identity theft
In passing this judgment, the appeals court also recognised that it’s not just stolen social security numbers that can put individuals at risk. Whilst the social security number is often deemed the most important identifying data for an individual, medical and other personal records can prove a “substantial risk of identity fraud”.
Other personal data can be misused and lead to psychological harm, loss of earnings and even direct financial loss.
Verdict is out there…
However, not all courts are unanimous in this viewpoint.
A second U.S. Circuit Court of Appeal in New York dismissed one claimant’s claim because she could not prove a “cognizable injury” after her credit card information was exposed during a data breach. Similar courts are reportedly of the view that data protection claims must prove that some “real” injury occurred.
Initially, a lower judge followed the first position of dismissing claims for ‘fear of future fraud and identity theft’. The case was later reinstated on the basis that ‘fear of what hackers may do with exposed personal data’ is a legitimate cause for a claim.
Right to be concerned for future harm
Chief Judge Diane Wood believes data victims have a right to be scared of potential harm:
“…why else would hacker[s] break into a store’s database and steal consumers’ private information?”
In the U.K., Data Protection laws are still developing. Individuals whose data protection rights are breached can be eligible to recover compensation from a breaching party, but the position on whether concrete evidence in terms of harm is always required remains uncertain. U.K. laws recognise that individuals can suffer great harm – usually psychologically – when a serious data breach has occurred, but claimants being able to sue for simply having their personal data exposed could mean thousands of claims against companies and organisations whose databases are hacked.
In English law, you normally have to have suffered a loss in order to be able to quantify a claim, but the cases for compensation are yet to yield any solid guidance for more widespread use.