This is the property of the Daily Journal Corporation and fully protected by copyright.

Administrative/Regulatory, U.S. Supreme Court

Sep. 19, 2017

Hack may be first major test of Spokeo ruling

This will be the first major data breach case to address the implications for standing of the Supreme Court's decision in Spokeo, Inc. v. Robins, which held that certain types of intangible injuries can be a sufficiently concrete harm for standing purposes in the face of congressional intent.

Everett Monroe

Hanson Bridgett LLP

Everett focuses on data privacy and intellectual property disputes and counseling, two areas in which his technical background as an electrical engineer joins with legal experience to serve clients in a range of complex matters.

Even for attorneys who regularly advise clients on information privacy and data security issues, the Equifax breach is extraordinary. This single event affects more than half of the adult population in the United States. It remains to be seen exactly how bad the effects will be on individual consumers, but Equifax is going to draw a lot of attention from consumer advocates, state attorneys general and federal regulators.

Unlike the extraordinary extent of the breach and its potential impact on consumers, the cause of the breach was mundane. In March, security researchers published a warning that they had found a vulnerability in Apache — freely available software commonly used for web development — that allowed unauthorized persons to gain unfettered access to web servers. Soon after, Apache updated the software to fix the problem. According to Equifax, it was this vulnerability, which it had failed to fix, that hackers exploited starting in mid-May of this year. Over a period of 70 days, until the end of July, unknown hackers used the vulnerability to infiltrate an Equifax web server, resulting in the exfiltration of the Social Security numbers, names and other personal information of over 140 million individuals in the United States, the United Kingdom and Canada. Once the breach was discovered, it took Equifax an additional 40 days to investigate the scope of the breach, identify its cause, and notify the public. Less than 24 hours later, the first class actions were filed. Over the next week, over 100 more complaints were filed in federal courts across the United States.

The unsophisticated and preventable nature of the breach, combined with the extensive number of persons affected, could produce a pointed test case on a question of constitutional standing that federal courts have struggled to answer in data breach cases. Short of evidence of actual identity theft, courts have been hesitant to find that a party has suffered an injury sufficient to confer standing, or to allow affected individuals to recover the costs of taking remedial steps. But a few of the unique circumstances of Equifax, both legal and factual, may put this case on different ground. The uniquely damaging nature of these consumer records may lead a court to conclude that the risk of injury is so great that it clears the usual hurdles of standing seen in other cases. Unlike credit card numbers or the personal information acquired in other data breaches, the consumer information taken here could be used to fraudulently apply for loans or credit at the expense of the affected person, who would be forced to deal with serious long-term financial and personal harms that may be impossible to fully recover from once they have occurred.

Also significant is the relatively straightforward nature of preventing the breach. Both the security vulnerability in the software and the way to fix it had been publicly available for over a month before the exfiltration started, and for over three months before the intrusion was detected. This will be a challenge for Equifax as it argues, especially in defending against negligence causes of action, that its efforts to protect the data were reasonable.

But perhaps the most important factor is that this will be the first major data breach case to address the implications of standing that resulted from the Supreme Court’s decision in Spokeo, Inc. v. Robins, which held that certain types of intangible injuries can be a sufficiently concrete harm for standing purposes in the face of congressional intent. In addition, Equifax as a consumer reporting agency is subject to the Fair Credit Reporting Act, which requires it to take reasonable steps to limit the disclosure of consumer reports for improper purposes. All of this together may convince a court that the plaintiffs have a theory of injury sufficient to confer standing without waiting for identity theft to occur.

The Equifax breach may also prompt state attorneys general and the Federal Trade Commission into action, exercising their consumer protection mandates to bring cases that set an example for better data security practices. This could easily become a test case for a number of government agencies as they try to encourage businesses to take seriously the need to protect the personal information in their possession. The Federal Trade Commission has shown a willingness to bring administrative and court actions against businesses with poor data security practices under both its unfair business practices and its deceptive business practices authority, in cases like In re LabMD and FTC v. Wyndham Worldwide Corporation.

The California attorney general has taken a particular interest in raising data security standards for businesses. In its 2016 data breach report, the attorney general adopted the Center for Internet Security's Critical Security Controls as the minimum steps California law requires businesses to take to reasonably secure the personal information in their care. Those controls include assessing and remediating significant system vulnerabilities, such as the one used in the Equifax breach. This may prompt California, as well as other states, to take action against Equifax in order to continue developing legally enforceable data security standards that they will expect other businesses to follow.

From the legal perspective, how courts address the Equifax data breach may be more interesting than the breach itself. Federal courts have struggled with how data breaches fit into the law, and with whether the harms from a data breach are real enough to seek redress in court. But increasing recognition of the impact a data breach has on an individual, and an increasing focus on data security from state and federal regulators, have changed how the law approaches these cases. The Equifax lawsuits may bring certain aspects of data privacy law, such as the potential harms and the expectation that businesses provide reasonable data security, into sharp focus in a way that past data breaches have failed to do.
