This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission.

Civil Rights,
Civil Litigation

Dec. 18, 2019

Should it matter why personal data is stolen in a breach?


Anita Taff-Rice

Founder, iCommLaw

Technology and telecommunications

1547 Palos Verdes Mall # 298
Walnut Creek, CA 94597-2228

Phone: (415) 699-7885

Email: anita@icommlaw.com

iCommLaw® is a Bay Area firm specializing in technology, telecommunications and cybersecurity matters.

CYBERSLEUTH

Facebook is in the news again for a data breach, but this time it happened in a low-tech way. An old-fashioned thief stole hard drives in a bag left in an employee's car. According to a Bloomberg report, the hard drives had unencrypted, highly sensitive payroll information, including employee names, bank account numbers, the last four digits of employees' Social Security numbers, salary, bonus and stock ownership for 29,000 current and former employees in 2018.

Facebook downplayed the importance of the break-in, saying that the theft appeared to be a routine "smash and grab crime" and that there was no indication the thief was trying to steal employee information. Some experts publicly agreed, pointing to statistics that equipment thefts are typically not about getting data, but about reselling the device. It isn't clear whether the car was parked in the Facebook parking lot when the theft occurred, but if so, the thief might have been hoping to get more than spare change in the cup holder.

Facebook's solution was to announce it would offer the affected employees two years of free identity theft and credit monitoring services. But that probably won't make those 29,000 employees worry any less. They know that some of their most sensitive data is floating around in unknown hands forever. The thieves may well figure out what they have, and sell or use the unencrypted data for all sorts of nefarious purposes like filing fake tax returns, taking out loans in the employees' names, opening credit cards, etc. Unlike stolen credit cards, it is virtually impossible to change a Social Security number and actually impossible to change other characteristics such as date of birth, which was likely in the stolen personnel data.

Possible lawsuits have been mentioned.

From a legal liability perspective, should it matter why personal data is stolen? Not if courts follow the reasoning in a recent ruling from U.S. District Judge William Alsup issued in an ongoing class action against Facebook for a different data breach involving 29 million users worldwide. Stephen Adkins v. Facebook, 18-05982-WHA (N.D. Cal.). In that data breach, no Social Security or credit-card numbers were taken, but the plaintiff's name, date of birth, phone number, gender, and hometown were.

Judge Alsup ruled that the plaintiff has alleged an injury-in-fact sufficient to confer standing to sue even though there is no evidence that the personal data has been misused. Alsup noted that the plaintiffs' identity "remains at peril theft-wise" because the stolen data "will abide, sensitive, long-term." Echoing what the Facebook employees may be feeling, Alsup held that "information such as this will never go bad, and so, hackers can warehouse this stolen data for years before using it." Alsup relied, in part, on a prior 9th U.S. Circuit Court of Appeals case that also found that future identity theft risk may confer standing. In re Zappos.com, Inc., 888 F.3d 1020 (9th Cir. 2018). The Zappos court noted that "a person whose [personal information] has been obtained and compromised may not see the full extent of identity theft or identity fraud for years."

Alsup's ruling in the Adkins case is consistent with precedent in a decision from the 9th Circuit in a strikingly similar case. A class action was filed alleging negligence against Starbucks after a laptop with unencrypted employee personal data was stolen. Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010). After the theft, Starbucks sent a letter to affected employees stating that there was no indication that their private information had been misused. The class plaintiffs alleged generalized anxiety and stress about future identity theft as a result of the disclosure of their personal information on the stolen laptop, but no financial losses. Starbucks provided free identity theft services, and one of the plaintiffs had a bank account opened in his name, but the bank closed the account before he suffered any financial loss.

Despite the lack of financial harm, the 9th Circuit ruled that the plaintiffs had standing: because the information was sensitive and had been stolen, they had alleged a credible threat of future harm, and that was sufficient. It should be noted that the plaintiffs were ultimately unable to prove their claims of negligence. In an unpublished opinion, the 9th Circuit confirmed a subsequent dismissal from the district court, which found that the plaintiffs failed to prove negligence under Washington law because actual loss or damage is an essential element of a negligence cause of action, and the plaintiffs did not have a financial harm. Krottner v. Starbucks Corp., 406 F.App'x 129 (9th Cir. 2010). Interestingly, however, the court left open the possibility that anxiety over future identity theft after a data breach might be enough to constitute an actionable injury for negligence. The 9th Circuit noted the plaintiffs' claims about anxiety, but ruled that the plaintiffs did not properly raise it in their opening brief.

Given this precedent in California, Facebook's statements that the employee data hasn't been misused likely won't be enough to prevent viable claims from its employees if they do decide to file a lawsuit. 
