The year 2005 really marked the beginning of the “era of data breaches,” and with it, the “era of data breach lawsuits.” The ChoicePoint data breach in late 2004, which first became newsworthy in early 2005, was the catalyst. See, “The ChoicePoint Data Security Breach (Feb. '05): What It Means for You,” Privacy Rights Clearinghouse. That breach involved approximately 163,000 records, which by 2005 standards was a “major” data breach, and ChoicePoint was the first organization to notify the data subjects of the breach under the first (and only) data breach notification law in the country: the California law known back then by privacy experts simply as SB 1386. The media floodgates that opened in the aftermath of ChoicePoint's notification set off a chain reaction that ultimately resulted in similar data breach notification statutes being passed in 47 states, the District of Columbia, and three U.S. Territories, as well as under various federal statutes, including the Gramm-Leach-Bliley Act and HIPAA (Health Insurance Portability and Accountability Act). It also resulted in what is now commonplace in the wake of major data breaches: class action “privacy” litigation on behalf of data subjects, seeking millions of dollars in damages, under a dizzying array of legal theories.
What's perhaps not widely realized is that, more than 10 years later, significant obstacles to would-be class action plaintiffs still exist. In fact, there is still a divide among various U.S. circuit courts as to what is necessary to even establish standing by data subjects in these cases. Many pundits have been theorizing for years that this issue of standing is finally about to be resolved in favor of plaintiffs. But even in the few courts where plaintiffs have achieved favorable decisions on standing, there still has never been a single jury verdict in a consumer class action data breach case. One reason for that is that not a single court in the country has ever even certified a class in such a case. Not one, in more than 10 years.
There have been many settlements, and many of them have been quite large. But the settlements have been driven mostly by the non-legal risks of data breaches: the public relations nightmare, the customer churn, the glare of the regulatory spotlight, and the mounting legal fees.
Still, what gets lost in all of this is that none of the underlying claims included by plaintiffs' lawyers in the consumer class actions has been successfully litigated to a conclusion on the merits. Many of these underlying claims are based on so-called “rights to privacy.” But, in most consumer data breach cases, “private” information is not really what's at issue.
What Do We Mean By “Privacy”?
Legally, when we have traditionally discussed rights of “privacy” in the U.S., what we mean has been heavily influenced by two important law review articles. The first article, “The Right to Privacy,” was written by Samuel Warren and Louis Brandeis (who ultimately became Justice Brandeis) and published in the Harvard Law Review in 1890. The second article is entitled, merely, “Privacy,” penned by Dean William R. Prosser of Berkeley Law School and published in that school's Law Review in 1960.
In regard to a definition of privacy, Warren and Brandeis famously coined the phrase “the right to be let alone.” They wrote:
It is like the right not to be assaulted or beaten, the right not to be imprisoned, the right not to be maliciously prosecuted, the right not to be defamed.
In Dean Prosser's article, he dealt with the recognized causes of action related to privacy:
The difference in these concepts of “privacy” and what we are commonly dealing with in consumer data breach cases is obvious. Consumer data breach cases commonly involve information that is not truly “private,” but what we have come to refer to as “personally identifiable information” or “PII.” This includes, among other things, information such as payment card data, Social Security numbers, physical and e-mail addresses.
But most of this information is not, in any sense conceived by Warren, Brandeis or Prosser, “private” at all. Payment card information is not private. It's freely exchanged in merchant transactions and is, in fact, information that is intended to be shared. Name and address are not private. There was a time not long ago when everyone had a large book in their home that had the name and address of almost everyone in their city! E-mail addresses aren't really private. They are commonly included on business cards, websites, Facebook pages, and more. Even a Social Security number is not truly private. It's used, or “published” by the owner, for all kinds of purposes. For example, it's shared freely when applying for credit, and every employer is privy to the Social Security number of every employee in their workforce. It's notable that Warren and Brandeis argued: “The right to privacy ceases upon the publication of the facts by the individual, or with his consent.”
Thus, it's a fair conclusion that much of the information commonly at issue in a consumer data breach class action is not really subject to a “right of privacy,” as we have traditionally thought about such rights in the U.S. What we are really talking about in data breach cases is not “privacy” at all. Rather, it's data security. What is being litigated is not “the right to privacy,” but an expectation of data security. And data security is defined quite differently from privacy. Data security may be defined as: “the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.”
The problem for plaintiffs in consumer data breach class actions is that, if one of these cases ever gets to the merits, there are very few, if any, laws in the U.S. that grant an individual a private right of action to challenge the practices employed by organizations to defend information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. And, moreover, the standards for what constitutes the correct set of practices are subject to interpretation. The answer is often “it depends.” Certainly, with respect to consumer data breaches of PII, there is, as of yet, no case law (from which the “common law” develops) that establishes which practices are correct and which practices are insufficient. And with more than 10 years of litigation and not a single case that has even gotten past the class certification stage, the first case establishing such precedent is likely still far off.
Which means that plaintiffs in consumer data breach cases still have a long way to go.
John Hutchins is a Shareholder in the Atlanta office of LeClairRyan. He represents businesses in all types of commercial litigation and various types of transactions involving information technology, intellectual property and privacy and data security. He has particular experience in matters involving privacy and data security, computer hardware and software development projects, government procurement, protection of trade secrets and proprietary business information, the Internet and e-commerce, cloud computing, trademark and copyright infringement, restrictive covenants and breach of fiduciary duty. He can be reached at [email protected].