Just how do victims of a massive data breach prove they were harmed — and how is that harm calculated so the victims might be compensated through a lawsuit? That’s been one of the central legal questions facing the millions of consumers who have their privacy violated every year through data loss or theft. It’s far from settled law. For years, companies have argued that data breach victims can’t prove they were harmed by the incident, so they aren’t owed compensation. ID theft victims often can’t really prove how imposters stole their data; and when critical personal information like Social Security numbers are stolen, ID theft that might happen in the future is merely “speculative.”
Those positions frustrate victims, who often spend months dealing with the fallout from a hack, and end with only a vague offer of free credit monitoring to show for it.
That might change soon. Lawsuits filed against credit bureau Equifax after its massive 2017 hacking incident might finally provide some real guidance, and perhaps offer victims real justice.
Consumers should have the chance to ask a jury whether they were genuinely harmed by the massive Equifax hack, a federal judge in Atlanta ruled this week. In the ruling, Judge Thomas Thrash Jr. denied Equifax’s motion for dismissal against plaintiffs who’ve joined together in a class action lawsuit against the firm.
The judge had harsh words for Equifax, warning at one point “that Equifax’s cybersecurity systems remain inadequate, and another breach is imminent,” according to Law.com.
Equifax has argued that victim consumers have suffered no harm as a result of the hack, and contend that their claims amount to “speculative future harm.” According to Law.com:
Thrash disagreed. “The plaintiffs here have alleged that they have been harmed by having to take measures to combat the risk of identity theft, by identity theft that has already occurred to some members of the class, by expending time and effort to monitor their credit and identity, and that they all face a serious and imminent risk of fraud and identity theft due to the data breach,” Thrash said.
Thrash also was unimpressed by defense arguments that the plaintiffs could not demonstrate that allegations of identity theft or credit or debit card fraud could be traced back to Equifax, which was one of more than 1,500 data breaches the company’s attorneys said occurred in 2017 alone.
“The plaintiffs plausibly allege that Equifax had custody of their personally identifiable information, that Equifax’s systems were hacked, that these hackers obtained this personal information, and that as a result of this breach, they have become the victims of identity theft and other fraudulent activity,” the judge determined.
There’s still a long way to go for Equifax to be forced to pay consumers for the unnecessary time and energy they expended as the result of the hack, and any future harm that may result from it. But at least there’s a chance the arguments will be heard in a court of law — though many companies decide to settle such cases after they lose at the motion to dismiss round. Given the sheer size of this hack, and the size of a potential settlement, perhaps this one has a chance to make it to trial. That would be positive Digital harm is real harm, and precedent-setting case law affirming that would be good.