Three Recent Cases Send Mixed Privacy Messages
PDFThree significant cases decided in the final weeks of 2009 have sent mixed messages about privacy. Two of the decisions dismissed claims arising from data security breaches, emphasizing how difficult it is to recover damages, while the third took a strong position in favor of protecting the identity of online commentators.
Damages for Data Breaches
Any company that holds personally identifiable information of its customers should be aware that there will be costs if that information is disclosed without permission. At a minimum, the company is subject to reputational risks and the potential costs of notification. The significant but unresolved question has been the extent to which a company that is responsible for a data breach would owe damages to third parties who are injured as a result of the data breach. Two recent cases continue the trend of judicial resistance to imposing such damages.
In a Dec. 11, 2009, decision in Ocumis Insurance Society, Inc. v. BJ’s Wholesale Club, Inc., the Massachusetts Supreme Judicial Court upheld the dismissal of a suit brought by 107 credit unions against BJ’s. The dispute related to an incident in 2004 when hackers obtained access to magnetic stripe data from approximately 9.2 million credit cards used by cardholders to purchase merchandise at BJ’s stores. Using the stolen data, the thieves were able to engage in fraudulent credit card transactions at other stores, causing significant losses to the credit unions that had issued the cards. The problem for the credit unions was that they did not have any contract with BJ’s that required it to exercise any particular standard of care in processing its own credit card purchases. In their lawsuit, the credit unions tried to finesse this problem by claiming that BJ’s had failed to live up to security standards established by its contract with Fifth Third Bank, which was responsible for processing BJ’s credit card transactions. The Massachusetts court rejected this claim, holding that the credit unions could claim neither that they were intended third-party beneficiaries of the BJ’s-Fifth Third contract, nor that BJ’s owed any duty to them under the law of negligence.
When a suit is brought by the parties whose personal data was disclosed, they have to contend with a different problem: proving that their claimed damages are more than mere speculation about what might happen in the future. On NoV. 23, 2009, in Amburgy v. Express Scripts, Inc., a federal trial court in Missouri dismissed a consumer class action against the pharmacy benefits company Express Scripts. The consumers’ complaint alleged that “inadequate security measures in relation to its computerized database system allowed unauthorized persons to gain access to confidential information of Express Scripts members contained in the database, with such information including names, dates of birth, Social Security numbers and prescription information.” The class plaintiffs charged Express Scripts with violating numerous state and federal data breach laws, as well as Missouri’s Merchandising Practices Act. The federal judge ruled that to have standing to sue – a highly technical litigation requirement – the plaintiffs had to show an injury that was “actual or imminent.” These plaintiffs, however, alleged only “an increased risk of identity theft at an unknown point in the future,” which was not enough.
Taken together, these two cases are a reminder that the price for allowing a security breach to occur can be meaningful but, under existing law, is still not likely to be catastrophic. In addition to the reputational risk and the possible cost of notices, the responsible party faces the real possibility of fines and other sanctions imposed by the Federal Trade Commission and other regulatory agencies. However, it remains very difficult for private parties to recover damages for data security breaches.
Protection for Posters
The third decision leans in a more pro-privacy direction. In Sedersten v. Taylor, another federal judge in Missouri rejected a request for a court order requiring a newspaper to unmask an anonymous online poster. The plaintiff, Sedersten, had a civil lawsuit pending against Taylor, a private party, and public officials who declined to prosecute Taylor. The post – on the newspaper’s website – commented on an article about the lawsuit. Sedersten demanded the identity of the poster, since he believed the poster had information that could be helpful to his case.
The court held that, while an author’s anonymity is not absolutely protected under the First Amendment, Sedersten would have to – and was unable to – show that information the poster possessed was directly relevant to his lawsuit and unavailable from any other source. In a particularly interesting aspect of the opinion, the court also ruled that the poster did not waive his First Amendment right to anonymity by agreeing to the newspaper’s privacy policy, which provides that information furnished by a poster may be used for commercial purposes: “Nothing on the face of the privacy policy even hints a user may be waiving his or her constitutional right to anonymous free speech by posting comments.” Sedersten thus sends a clear message that privacy policies are intended to benefit the parties that agree to them and that waivers will be closely scrutinized in contexts where fundamental rights are at risk. If you are interested in more detail, here is a link to the decision.