Courts are finding it difficult to detect any damage as a result of cyber-attacks, incredible as that may seem. They are shackled by their interpretation that a "case or controversy" under Article III of the U.S. Constitution carries with it something that is not written there: an "injury-in-fact" requirement. It seems that the people who are the victims of any cyber-breach have difficulty proving in a courtroom what everyone in the world outside of the courtroom knows: that they were injured or harmed as a result of the massive release of their personally identifiable information, things such as Social Security numbers, computer passwords, names and addresses, among many other things.
The blogosphere populated by large law firms is heated at the moment. Their heat is related directly to the judge-imposed requirement that people prove that they have been injured as a result of their personally identifiable information being disclosed to everyone in the world. (The "injury-in-fact" requirement is required by the Constitution, and binds the Courts of the United States, they say!) These law firms are generally incensed by the action taken by the Consumer Financial Protection Board against one Dwolla, Inc.
Dwolla, Inc. "operates an online payment system." Its operations grew to "more than 650,000 users and [it] had transferred as much as $5 million per day." This was as of May, 2015.
For the immediately preceding four years -- from December 2010 through 2014 -- Dwolla advertised its "safe" and "secure" services. These advertisements included displays on Dwolla's website "and in communications with consumers," in all of which Dwolla further claimed that "its data security practices exceeded industry standards," including among other things that all the personally identifiable information of Dwolla's customers was safely encrypted.
The reality of Dwolla's practices is that its security practices "fell far short of its claims." It failed to use "reasonable and appropriate measures to protect data obtained from consumers from unauthorized access" and it did not encrypt all of the personally identifiable information of its customers as Dwolla claimed it did. (These facts were recited by the CFPB in a press release announcing why the CFPB took action against Dwolla.)
In what the CFPB announced was its "first data security action," the CFPB required Dwolla to "stop misrepresenting its data security practices." The CFPB also required Dwolla to train employees in data security, to fix security flaws, and to "securely store and transmit consumer data."
The CFPB also imposed a civil penalty of $100,000.00.
It seems that the penalty in particular has made the blogosphere of large law firms hot with denunciations that the CFPB did not follow the "injury-in-fact" requirement (even though the "injury-in-fact" limitation has apparently not been interpreted to apply to administrative agencies like the CFPB, even in the wildest imagination of the fevered blogosphere). The heat is particularly intense when lawyers must inform a client whether large or small that it has to pay a lot of money.
That states the controversy. How would you decide a case of misrepresented practices (assuming misrepresentation for the sake of discussion here)? Would you wait for a data breach to take place? A data breach because of a failure to use security practices in defiance of legal obligations, a breach that involves the personally identifiable information of, say, hundreds of thousands of people?
If you decide that there is no harm from dangerously misrepresented security practices, why then do you and does your business use security measures if security measures actually have no value?
Would you wait until a data breach takes place before you would allow action against the misrepresenter and purveyor of the dangerously leaky security practices, which by that time would have allowed the world or a large part of it to trade in your personally identifiable information?
Would you impose a requirement that negates the obvious harm suffered by those people?
What if one of those people is you? Or one or both of your parents? Or your children? Does your answer change depending on who suffered the obvious harm but who may find it hard to prove that in fact they have been injured in some way that lawyers and judges can recognize, despite the fact -- known everywhere except perhaps inside of courtrooms and large law firms -- that clearly these people have been injured?
©2016 by Dennis J. Wall, author of "Insurance Claims and Issues" including issues confronting Cyberinsurance (forthcoming Thomson Reuters 2016). All rights reserved.