Accountability is the Best (Privacy) Policy: Improving Remedies for Data Breach Victims Through Recognition of Privacy Policies as Enforceable Agreements
Your personal information has already been stolen. Statistically speaking, that is.1 From 2005 to 2017, 7,674 data breaches exposed over one billion U.S. consumer records.2 While this statistic includes the eighty million Social Security numbers stolen in Anthem’s 2015 hack,3 it does not account for the 145.5 million Social Security numbers that were compromised in the 2017 Equifax hack.4 These hacks are not idle threats to consumers: $16.8 billion was stolen from U.S. consumers through identity theft in 2017.5
The reality is that data storage on the Internet is more interconnected than ever. Hackers may only gain access to a person’s email address and password—a problem with a seemingly simple solution: just change the password. But those hackers may have gained access to more than someone’s innocent email conversations. One survey estimates that thirty-five percent of adults keep sensitive medical and financial information in their email, including bank statements, tax returns, and health records.6 A significant percentage of adults also store loan and mortgage information, PIN numbers and passwords, and other personal records both in their email accounts and through cloud-based storage platforms, like Dropbox and Google Drive.5 These accounts, once compromised, can be a treasure trove of data for hackers, warranting years of credit monitoring, cancellation, and reestablishment of accounts, often causing anxiety for victims.6
Yet courts presented with data breach claims still assert that “plaintiffs do not explain how the stolen data would be used to perpetrate identity theft”7 or “[a]ppellants have alleged no misuse, and therefore, no injury.”8 Similarly, courts have been disinclined to accept that hackers can cause damage with nontraditional identifying information: “[w]ithout a hack of information such as social security numbers, account numbers, or credit card numbers, there is no obvious, credible risk of identity theft that risks real, immediate injury.”9 The U.S. judicial system has yet to reconcile the threat of data theft with the reality of its compounding impact.
Duke University School of Law, J.D./LL.M in Law and Entrepreneurship, 2018. I would like to thank Professor Rebecca Rich and the members of her Fall 2017 Scholarly Writing Workshop for their invaluable guidance and feedback during the planning and drafting stages of this article.