Data Privacy Day 2018: Data Breaches, Harm, and Culture


Privacy Day 2018

Privacy Day is held every year on Jan. 28 to coincide with the day in 1981 that the Council of Europe signed the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. The author discusses why events over the past year make Privacy Day feel different this year, and why more people are beginning to understand the importance of data privacy.


By Lisa Hawke

Lisa Hawke is the director of security and compliance at Everlaw and the vice chair of Women in Security and Privacy.


If the first few weeks of the new year are any indication, data privacy and security are sure to be top of mind for consumers and companies in 2018. Data breaches grabbed headlines and capped off an eventful 2017, and 2018 has already brought news of far-reaching hardware vulnerabilities affecting virtually everyone. Data Privacy Day takes place every year on Jan. 28, but this year feels different. With millions of consumers affected by the Equifax data breach and the Meltdown and Spectre CPU vulnerabilities, data privacy and security are topics being discussed both in conference rooms and at family dinners.

Data Privacy Day began in the U.S. as an extension of Europe’s Data Protection Day. In Europe, Data Protection Day celebrates the Jan. 28, 1981 signing of the first legally binding international treaty dealing with privacy and data protection. The U.S. is not a signatory to Convention 108, also known as the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Yet, in less than five months, the sweeping European Union General Data Protection Regulation (GDPR), another European privacy law, is likely to directly affect many U.S. companies.

The resulting harm from data breaches is a primary focus for both consumers and companies. Consumers care about the potential or actual harm that occurs when their personal data is leaked or stolen. Identity theft, financial crime, and even fear for their own physical safety (e.g., for victims of domestic violence) are top concerns when personal data, including personally identifiable information, is no longer safe. Companies tend to view actual or potential data breach harm through the lens of risk identification, assessment, and mitigation. In both cases, the harm is real.

But, as discussed in recent research by Daniel Solove and Danielle Keats Citron, harm is difficult for courts to conceptualize. Why? For one, the downstream effects of a data breach may not be known at the time it’s made public. Solove and Citron also point out that the resulting harm may depend on the “aggregation of disparate sources of personal data.” In other words, for harm to occur, criminals must be savvy enough to collate the stolen data with data from other sources before putting it to use.

In practice, this means that it can take months or years for victims of a data breach to realize harm. Solove and Citron point out that, unlike a credit card number, you can’t change your personal data. In some cases—and with a lot of spare time—it’s possible to change Social Security numbers. But we are all (mostly) stuck with our names, birthdays, addresses, and other identifying information. In a separate article, Solove also discussed the difficulty of linking harm to a data breach when the theft or hack can’t be tied back to a specific perpetrator. He points out, “[i]ronically, the very factors that make identity theft so harmful … are what impede victims’ ability to obtain redress….”

Harm is an important factor in a world of constant data breaches, and proves to be both real and elusive. Ryan Calo, a professor and privacy expert at the University of Washington School of Law, published research discussing why “privacy harm often operates as a hurdle to reform or redress.” This matters for two reasons. First, when a data breach happens, harm is central to establishing legal standing for plaintiffs, usually consumers, to sue. Second, harm is critical for obtaining recourse post-breach even when the standing hurdle is cleared. Calo, Solove, and Citron all discuss the legal challenges specific to establishing harm for purposes of standing and recourse in their research.

These challenges manifest for consumers when they seek to sue after a data breach. The authors noted above point out that most breach harm cases end in dismissal. A recent example regarding standing is the class action brought by victims of the VTech Holdings Ltd. data breach. The case was dismissed by a federal court in July 2017. This breach made national news in 2015 because of the IoT toy at issue and public sensitivity around personal data belonging to children and their parents. In its press release announcing the breach, VTech said that an “unauthorized party” had accessed its servers and obtained the personal data of more than 2.8 million children and parents.

In the subsequent lawsuit, the plaintiffs argued that VTech’s statement in its privacy policy, that the company encrypted customer data during transmission and securely stored the data, was not followed in practice, resulting in the data breach. VTech countered that the plaintiffs did not meet the threshold for standing because they failed to allege any resulting “identity theft, fraudulent activity, misuse of [PII], or actual or imminent injury of any sort.” The judge agreed, noting that the plaintiffs didn’t explain how the breach resulted in actual harm or a substantial risk of harm. In other words, they were not able to establish the “downstream use” of the ill-gotten data, as forewarned by Solove and Citron.

Even though the federal court dismissed the class action brought by consumers, VTech was not off the hook. Earlier this month, the company entered into a settlement with the FTC and agreed to pay a $650,000 civil penalty. In addition to the fine, the settlement requires VTech to establish, implement, and maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected directly or indirectly by the company. This program will be subject to biennial assessments for the next 20 years.

What about harm and the FTC’s case? Unlike the consumers affected by the data breach, the FTC didn’t need to establish harm to get recourse from the company. First, the FTC alleged that the privacy and security claims documented in VTech’s privacy policy were false, and therefore deceptive under the Federal Trade Commission Act. Next, it charged VTech with violating the Children’s Online Privacy Protection Act (COPPA) by failing to take reasonable steps to protect sensitive data. Both counts were resolved by the settlement with VTech.

Examples like this suggest an apparent inequity between the government’s ability to get recourse from companies after a data breach and the consistent challenges consumers face in achieving the same goal. That said, legal claims based on harm occurring as a result of data breaches are not going away. On January 17, 2018, Aetna Inc. agreed to a $17 million settlement with victims of a data breach. In that case, Aetna revealed the HIV status of as many as 12,000 people through the clear address window of a mailing envelope. The complaint detailed the foreseeable harms associated with the exposure of confidential medical information regarding use of HIV medication.

Solove and Citron argue persuasively that there is a basis in current legal doctrine to recognize data breach harms. In their paper, the authors detail examples of other bodies of law that recognize the types of harm that typically result from data breaches. They discuss anxiety as a source of harm, noting that courts are reluctant to recognize emotional distress as an injury arising out of data breaches. Unlike the VTech case, where the court didn’t accept the plaintiffs’ description of harm, the Aetna victims were able to rely on decades of research related to HIV and AIDS stigma.

On this Data Privacy Day, what can companies commit to doing in 2018 to reduce the possibility of a data breach and avoid causing harm to clients and consumers? First and foremost, recognize that a culture change (or refresher) regarding privacy and security in the organization is likely needed. The far-reaching impact of the EU’s GDPR on companies in the U.S. reflects, now in law, the cultural differences between the two regions in how privacy and the use of personal data are viewed.

In the U.S., the rights to free speech and against warrantless search and seizure are part of our Bill of Rights and ethos. In Europe, respect for private and family life is part of the European Convention on Human Rights and their ethos. Ann Cavoukian, former Information and Privacy Commissioner for the Canadian province of Ontario, described this concept of privacy as “informational self-determination.” She recalled the first use of this term in a 1983 German constitutional ruling concerning personal information in Privacy and Security by Design, published in 2013.

As U.S. companies prepare to meet the standards laid out in the GDPR, it is worth taking the time to explain its purpose to your teams: giving people control of their personal data in line with the right to respect for privacy, and ensuring that personal data is secure. This would also be a useful exercise for companies that are not affected by the long arm of the GDPR but are committed to cultivating an organizational culture in support of data protection and breach avoidance. In a recent post about creating a culture of privacy and security for October’s National Cyber Security Awareness Month, Bill Rosenthal wrote about the importance of social norms. Establishing an informal but shared understanding about the importance of privacy and security will aid cultural adoption in your organization. As Bill stated, our community at work keeps us in line, and therefore accepted norms go a long way toward helping a company protect data and assets.

Harm resulting from data breaches is real. As 2018 unfolds, there will surely be more widely publicized breaches and more consumers working to establish harm in novel legal ways in order to get recourse. Last week, the FTC published its annual report summarizing its privacy and data security work in 2017, including its work with foreign privacy authorities, international organizations, and global privacy authority networks “to develop robust mutual enforcement cooperation on privacy and data security investigations.”

Data Privacy Day is a great time to renew commitments to protect and secure personal data and provides motivation to create a shared understanding of the importance of privacy and security in your organization.

To contact the editor responsible for this story: Donald Aplin at daplin@bloomberglaw.com

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.
