The Privacy/ Security Clash's Unexpected Consequence

As a general rule, plaintiffs must have suffered a legally cognizable injury to have standing to sue in federal court. Plaintiffs must demonstrate: 1) that they suffered an injury in fact; 2) that is fairly traceable to the defendant's actions; and 3) that will likely be redressed with a favorable decision. This has become a contentious issue in privacy cases where stolen financial or health information is never used.

Recent cases demonstrate the disparity in the way courts are deciding that issue. See, Polanco v. Omnicell, 2013 WL 6823265 (D.N.J. 2013) (plaintiff lacked standing because her self-imposed increased costs following a data breach constituted speculative and manufactured damages where there was no misuse of her information) and In re: Sony Gaming Networks and Customer Data Security Breach Litigation, MDL No. 11md2258 AJB (S.D. Cal. 2014) (court reaffirmed prior ruling that the plaintiffs had standing based on allegations that personal information was wrongfully disseminated, thereby increasing risk of future harm, regardless of whether actual harm had yet occurred.)

“Harm is the big issue in class action litigation, and plaintiff lawyers are likely to explore every innovative argument they can think of to satisfy the 'injury' requirement,” says Hughes. “I expect that plaintiff's lawyers will attempt to quantify some harm from a data breach by utilizing economists and other experts in an effort to identify marketplace cost differentials to demonstrate premiums paid by consumers for protection of their personal information.”

Hughes also predicts a focus on deceptive trade practice cases, such as where private information is improperly collected or used in a manner inconsistent with what was represented at the time of collection. Lawyers should anticipate “enormous activity” in cases where statutory damages are at issue, such as alleged violations of the Telephone Consumer Protection Act of 1991 (TCPA), 47 U.S.C. '227, he asserts. Despite the formidable injury hurdle imposed by most courts in data breach cases, Hughes warns that breaches resulting from “egregious fact patterns” will have a big effect on judicial outcomes and political and legislative agendas.

Governmental and Enterprise Tracking

Recent events ' such as the Edward Snowden affair, disclosures of data sharing between private corporations and the U.S. government, and international corporate espionage incidents ' have created “enormous international issues,” observes Hughes. The effect of this current environment, he says, is that “overseas consumers are demanding that their data be held overseas, and European cloud providers are leveraging the EU's stricter data privacy laws to promote service offerings over their U.S. competitors.” The resultant “balkanization of data caused by this phenomenon, which serves to prohibit the free flow of data, is inconsistent with the advancement of a global economy and optimal utilization of the Internet, and will take us further into uncharted territory,” says Hughes. “As regulations and laws continue to evolve in this uncharted territory, it is becoming increasingly important to stay current on new privacy and security developments to better protect companies and individuals.”

Proposed European Union Regulations

U.S. regulators are not the only ones confronting cutting edge privacy issues. The European Union currently is engaged in debate concerning the replacement of Data Protection Directive 95/46/EC, which was enacted before widespread use of the Internet and substantially prior to the advent of smartphones, social media and Big Data.

Among other things, the new regulation will require some businesses to have a data protection officer. Some nations, particularly the United Kingdom and Germany, have expressed significant concerns over the proposed “one-stop shop” principle included in the proposed regulation. Persuant to that principle, a regulator in the country in which a multinational corporation is based would be responsible for monitoring the corporation's activities throughout the E.U. and for taking any necessary enforcement actions. Despite these difficulties, Hughes thinks that we may now be seeing what the finish line might be. “Regarding E.U. regulations, this year we are likely to a continued effort to define and provide clarity around the privacy and security practices.”

Opportunities for Information Economy Professionals

Threats to privacy, from whatever source, are becoming increasingly destabilizing and less predictable, observes Hughes. This situation, however, is creating tremendous opportunities for well-rounded privacy professionals. Hughes argues that today's environment has led to a demand for trained “information economy professionals” who bring a comprehensive approach to pressing privacy issues. “We need professionals, a new breed of people, who can look at risk from a legal, corporate and societal perspective. Information economy professionals who can lead entities through these difficult times will be in high demand.”

Judy Selby is a partner at Baker & Hostetler in New York. She can be reached at [email protected]. Follow her on Twitter @judy_selby. This article originally appeared in Law Technology News, an ALM sibling of e-Commerce Law & Strategy.

Every online enterprise today ' from the world's largest financial and retail establishments to the smallest of healthcare providers ' is struggling to manage and exploit the exploding volume of personal information that comes within their possession, while also maintaining data security and complying with privacy-related laws and regulations. They are not alone. Courts, legislators and regulators also are striving to find ways to protect legitimate privacy rights while keeping the realities of today's technology evolution and business environment in mind. The breakneck speed at which technology continues to develop, often without consideration of privacy concerns, further heightens these already difficult challenges.

Looking at privacy issues through the prism of existing laws and regulations is sometimes like putting a round peg into a square hole. Despite the current difficulties and uncertainties in today's high tech, Big Data world, J. Trevor Hughes, president and CEO of the International Association of Privacy Professionals (IAPP; www.privacyassociation.org), has identified certain trends in legal and regulatory spheres that provide important insights into where we all may be headed in the near future. He recently sat down for a conversation and outlined his observations.

Class Action Litigation

As a general rule, plaintiffs must have suffered a legally cognizable injury to have standing to sue in federal court. Plaintiffs must demonstrate: 1) that they suffered an injury in fact; 2) that is fairly traceable to the defendant's actions; and 3) that will likely be redressed with a favorable decision. This has become a contentious issue in privacy cases where stolen financial or health information is never used.

Recent cases demonstrate the disparity in the way courts are deciding that issue. See, Polanco v. Omnicell, 2013 WL 6823265 (D.N.J. 2013) (plaintiff lacked standing because her self-imposed increased costs following a data breach constituted speculative and manufactured damages where there was no misuse of her information) and In re: Sony Gaming Networks and Customer Data Security Breach Litigation, MDL No. 11md2258 AJB (S.D. Cal. 2014) (court reaffirmed prior ruling that the plaintiffs had standing based on allegations that personal information was wrongfully disseminated, thereby increasing risk of future harm, regardless of whether actual harm had yet occurred.)

“Harm is the big issue in class action litigation, and plaintiff lawyers are likely to explore every innovative argument they can think of to satisfy the 'injury' requirement,” says Hughes. “I expect that plaintiff's lawyers will attempt to quantify some harm from a data breach by utilizing economists and other experts in an effort to identify marketplace cost differentials to demonstrate premiums paid by consumers for protection of their personal information.”

Hughes also predicts a focus on deceptive trade practice cases, such as where private information is improperly collected or used in a manner inconsistent with what was represented at the time of collection. Lawyers should anticipate “enormous activity” in cases where statutory damages are at issue, such as alleged violations of the Telephone Consumer Protection Act of 1991 (TCPA), 47 U.S.C. '227, he asserts. Despite the formidable injury hurdle imposed by most courts in data breach cases, Hughes warns that breaches resulting from “egregious fact patterns” will have a big effect on judicial outcomes and political and legislative agendas.

Governmental and Enterprise Tracking

Recent events ' such as the Edward Snowden affair, disclosures of data sharing between private corporations and the U.S. government, and international corporate espionage incidents ' have created “enormous international issues,” observes Hughes. The effect of this current environment, he says, is that “overseas consumers are demanding that their data be held overseas, and European cloud providers are leveraging the EU's stricter data privacy laws to promote service offerings over their U.S. competitors.” The resultant “balkanization of data caused by this phenomenon, which serves to prohibit the free flow of data, is inconsistent with the advancement of a global economy and optimal utilization of the Internet, and will take us further into uncharted territory,” says Hughes. “As regulations and laws continue to evolve in this uncharted territory, it is becoming increasingly important to stay current on new privacy and security developments to better protect companies and individuals.”

Proposed European Union Regulations

U.S. regulators are not the only ones confronting cutting edge privacy issues. The European Union currently is engaged in debate concerning the replacement of Data Protection Directive 95/46/EC, which was enacted before widespread use of the Internet and substantially prior to the advent of smartphones, social media and Big Data.

Among other things, the new regulation will require some businesses to have a data protection officer. Some nations, particularly the United Kingdom and Germany, have expressed significant concerns over the proposed “one-stop shop” principle included in the proposed regulation. Persuant to that principle, a regulator in the country in which a multinational corporation is based would be responsible for monitoring the corporation's activities throughout the E.U. and for taking any necessary enforcement actions. Despite these difficulties, Hughes thinks that we may now be seeing what the finish line might be. “Regarding E.U. regulations, this year we are likely to a continued effort to define and provide clarity around the privacy and security practices.”

Opportunities for Information Economy Professionals

Threats to privacy, from whatever source, are becoming increasingly destabilizing and less predictable, observes Hughes. This situation, however, is creating tremendous opportunities for well-rounded privacy professionals. Hughes argues that today's environment has led to a demand for trained “information economy professionals” who bring a comprehensive approach to pressing privacy issues. “We need professionals, a new breed of people, who can look at risk from a legal, corporate and societal perspective. Information economy professionals who can lead entities through these difficult times will be in high demand.”

Judy Selby is a partner at Baker & Hostetler in New York. She can be reached at [email protected]. Follow her on Twitter @judy_selby. This article originally appeared in Law Technology News, an ALM sibling of e-Commerce Law & Strategy.