Georgetown Law
Technology Review

Your personal information has already been stolen. Statistically speaking, that is.1In Spring 2016, the Pew Research Center study found that 64% of Americans had experienced a breach of their personal information. Given this information, combined with the almost half of Americans’ data compromised in the Equifax hack in 2017, it is more likely than not that an American’s data has been breached. Kenneth Olmstead & Aaron Smith, Americans and Cybersecurity, PEW RESEARCH CTR. (Jan. 26, 2017), http://www.pewinternet.org/2017/01/26/americans-and-cybersecurity [https://perma.cc/R9TZ-CT5EDE2E-RW5J]. From 2005 to 2017, 7,674 data breaches exposed over one billion U.S. consumer records.2Robert Farrington, Calm Down! Your Identity Has Already Been Stolen, THE COLL. INV’R (Sept. 14, 2017), https://thecollegeinvestor.com/20167/identity-stolen [https://perma.cc/V2WK-CNJG]. Global statistics are even more alarming. Over 4 billion records were stolen in 2016 in over 4000 hacking incidents. Herb Weisbaum, More Than 4 Billion Data Records Were Stolen Globally in 2016, NBC NEWS (Jan. 30, 2017, 7:31 AM), https://www.nbcnews.com/storyline/hacking-in-america/more-4-billion-datarecords-were-stolen-globally-2016-n714066 [https://perma.cc/5G8Y-XEAN]. For further information, Breach Level Index presents a chilling real-time count of records stolen in data breaches worldwide as well as a detailed list of those security incidents. Data Breach Statistics, BREACH LEVEL INDEX, http://www.breachlevelindex.com [https://perma.cc/B8BY-72VH]. While this statistic includes the eighty million Social Security numbers stolen in Anthem’s 2015 hack,3 In 2015, health insurance company Anthem suffered a data breach of 80 million customer records. Farrington, supra note 2. it does not account for the 145.5 million Social Security numbers that were compromised in the 2017 Equifax hack.4Id. Nor does this statistic include the recent estimates by Yahoo that 3 billion user accounts, rather than its earlier estimates of 1 billion, were compromised in the company’s 2013 data breach. Lily Hay Newman, Yahoo’s 2013 Email Hack Actually Compromised Three Billion Accounts, WIRED (Oct. 3, 2017, 7:29 PM), https://www.wired.com/story/yahoo-breach-three-billion-accounts [https://perma.cc/86CG-UUTR]. These hacks are not idle threats to consumers: $16.8 billion was stolen from U.S. consumers through identity theft in 2017.5

The reality is that data storage on the Internet is more interconnected than ever. Hackers may only gain access to a person’s email address and password—a problem with a seemingly simple solution: just change the password. But those hackers may have gained access to more than someone’s innocent email conversations. One survey estimates that thirty-five percent of adults keep sensitive medical and financial information in their email, including bank statements, tax returns, and health records.6 A significant percentage of adults also store loan and mortgage information, pin numbers and passwords, and other personal records both in their email accounts and through cloud-based storage platforms, like Dropbox and Google Drive.5Id. These accounts, once compromised, can be a treasure trove of data for hackers, warranting years of credit monitoring, cancellation, and reestablishment of accounts, often causing anxiety for victims.6See Adam Shell, Equifax Data Breach Could Create Lifelong Identity Theft Threat, USA TODAY (Sept. 9, 2017), https://www.usatoday.com/story/money/2017/09/09/equifax-data-breach-could-createlife-long-identity-theft-threat/646765001 [https://perma.cc/UB8C-9XVK].

Yet courts presented with data breach claims still assert that “plaintiffs do not explain how the stolen data would be used to perpetrate identity theft”7In re VTech Data Breach Litig., No. 15 CV 10889, 2017 WL 2880102, at *4 (N.D. Ill. July 5, 2017) (refusing to confer standing, the court stated that the stolen information, including VTech usernames, passwords, birthdates, secret questions, and other account information, could not be used to open a credit card or other bank account so therefore it could not be used for identity theft). or “[a]ppellants have alleged no misuse, and therefore, no injury.”8Reilly v. Ceridian Corp., 664 F.3d 38, 44 (3d Cir. 2011) (reasoning that without actual misuse of the breached data, because there was no evidence that the data breach was “intentional or malicious” or that hackers intended to misuse the information, the plaintiff had not shown injury). Similarly, courts have been disinclined to accept that hackers can cause damage with nontraditional identifying information: “[w]ithout a hack of information such as social security numbers, account numbers, or credit card numbers, there is no obvious, credible risk of identity theft that risks real, immediate injury.”9Antman v. Uber Techs., Inc., No. 3:15-cv-01175-LB, 2015 WL 6123054, at *10–11 (N.D. Cal. Oct. 19, 2015) (explaining that because the only data that had been stolen in Uber’s breach was names and driver’s license numbers, there was no risk that the information could be misused to cause the injury necessary to confer standing). The U.S. judicial system has yet to reconcile the threat of data theft with the reality of its compounding impact.

Continue Reading