The Equifax data breach has sent shock waves like we’ve never seen before. Some consumers are only now starting to realize the lasting damage and harm that this breach will have on their lives. Thank you for all of your calls and emails. Please continue to send concerned family, friends, co-workers to us at Equifax@Stritmatter.com. Yes – we have heard from folks from New York, Florida, Virginia, Arizona, California, etc.– a former employee of Equifax, data privacy experts, and reporters who are trying to separate fact from fiction.
I promise to write more soon, as I continue to try to respond personally to as many emails/calls as I can. But please let me address one pesky fiction that occasionally rears its head on corporate-leaning media outlets and individuals’ social media posts: A class action against Equifax will address a deep-rooted systemic problem that puts all of us at risk. I cannot speak for all lawyers. But please think twice before rushing to judgement against those of us who are committed to advancing consumer rights. I will point to our work in the massive Anthem data breach litigation: Significantly, as a result of the Anthem settlement, they have helped all affected from the breach by holding Anthem accountable. The agreement includes a court-enforced term that will hold Anthem to a more rigorous standard in its safeguarding of Personally Identifiable Information (PII). Anthem will have to spend at least $90 million annually on beefing up its cybersecurity practices for the coming years. At minimum, my clients will get awarded between $5K-$15K each. Then, there are dozens of attorneys like myself who have invested countless hours and dollars (yes – pursuing class actions costs money) and we will not want to retire anytime soon. BTW: note that federal law has a strict limit on attorneys’ fees.
Thanks to all of you who have contacted us with your stories, questions and concerns. As with our many other clients, we want to help give you a voice and make sure that you recover from this historic data breach.
For the last several months, I have gone mostly dark on this website. Not purposely. But I’ll admit that the absence of posts here was in large part a reaction to two events–one involving my personal life and the other involving our body politic.
All of us should not give up in the face of the breathtaking insolence of leaders beholden to corporations. I refer not only to Congress’ onslaught against consumer privacy and consumer class actions, but also to the daily (sometimes hourly) blitz on individual rights. Admittedly, it’s difficult to keep track as the battles grow more frequent.
In the end, I urge all of you to tune out the immediate noise. Please know that there are attorneys such as myself who are dedicated to the long-term fight for each consumer’s privacy rights. Always remember that our privacy rights are inextricably entwined with my fight to protect the consumer. Yes, each of us loves the convenience that Google, Amazon, Apple, and other major corporations offer us. And, some of these corporations are doing a decent job to protect individual privacy rights. But each of us must remain diligent.
Please stay tuned for the following new blog posts:
- Think that a data breach won’t hurt you? Think again. – I will share with you some eye-opening stories of a client, whose personal data was compromised as the result of a massive healthcare data breach. To this day, she continues to deal with identity fraud.
- Experian rubs salt in the wounds of 143+ million breach victims – Don’t accept offers for “free credit monitoring,” from Equifax. In addition to giving up your valuable Personal Information, you will also give up your right to sue Equifax. If you think that arbitration sounds fair enough, you are in for a rude awakening.
In Joan Longenecker-Wells v. Benecard Services, Inc., plaintiffs were employees who learned that their personal information, including date of birth, social security number, addresses, etc. which resulted in fraudulently filed tax returns. The Third Circuit dismissed the Plaintiffs’ claims, stating that their negligence claims were barred by the economic loss doctrine. The Third Circuit explains:
The District Court held that because Plaintiffs’ negligence claim sounds only in economic loss resulting from the fraudulent tax returns filed with their information, the economic loss doctrine bars their claim. We agree.
Food for thought. Can we say that a plaintiff, who experiences this grave injustice of losing the benefit of a 5 figure tax return is only sustaining economic loss? The real harm and the risk of ongoing identity fraud is more than economically and emotionally harmful. We must focus on the deeper rooted issue that lies at the heart of data intrusion cases. The fundamental right to privacy that has deep roots in our history now extends to our digital privacy.
In contrast, we have Taylor v. Spherion Staffing LLC, et al. No. 3:15-cv-2299 (N.D. Ohio 2015), Ernst v. Dish Network, LLC, et al. No. 1:12-cv-8794 (S.D.N.Y May 27, 2016); Hillson et al. v. Kelly Services, No. 2:15-cv-10803 (E.D. Mich. June 8, 2016). These cases settled and involved allegations of statutory violations. Keep in mind that Spokeo left open the possibility that a statutory violation may involve a real risk of harm to satisfy the concreteness requirement. Thus, settlement may have presented a more attractive alternative than extended litigation about the sufficiency of alleged harms.
Why do people not care about Privacy? Some will offhandedly claim, “I have nothing to hide.” Others will say that big data and government surveillance should not concern those who are law abiding and innocent of wrongdoing. But the problem with this response is that it reveals a lack of understanding regarding the value of privacy. Privacy is not a mere shield or wall to hide certain details about us from others. The concept is not reducible to single acts of intrusion or violation of one’s personal sphere. To think about Privacy in terms of someone peering into your window to watch you with your family is to focus on only one tiny strand of tapestry or one grain of sand in a beach.
Think of the value of Privacy this way: If you drank one glass of lead-laden water from Flint, would you see a quick path to cancer or any other potentially deadly disease? Probably not. But the problem for those in Flint was that they drank water contaminated with lead for years. The cumulative effect, the acts taken in the aggregate were what caused so many in Flint to suffer irreversible health problems.
This is the same way the Privacy violations harm each of us and our society as a whole. The information collection, aggregation, insecurity, increased accessibility and decisional inferences/interference (“decisional interference” was coined by Prof. Daniel Solove).
While nebulous, Privacy is important because it affords individuals a basic amount of autonomy and control over facts and details that make each unique. In the aggregate, “big data” seems harmless. But as we have seen, there are many ways to hack and identify personally identifiable information (PII). When the PII and/or valuable data sets of individuals get in the wrong hands, one loses control over their finances and their digital existence. One of my data breach clients suffered and continues to see fraudsters obtain lines of credit, obtain a Washington State driver’s license, and so on. Folks: This is NOT Privacy Paranoia. It is a well informed fact that we need to care about how our PII is disclosed and safeguarded.
Most people do not realize how their data is getting sold in myriad forms either legally or illegally. I will talk about this more in future posts. That private data has value in virtually every imaginable industry. If it matters to others, it certainly should matter to you. At the very least, to value your Privacy is to value control over the information that is accessible about you. If you don’t care about having that minimal amount of control, then feel free to broadcast your SSN along with all of your family’s SSNs and dates of birth.
Consumer class action lawsuits are not a company’s worst nightmare, when they experience a massive data breach. Nope. It’s the lawsuits that Walmart, Home Depot and Wendy’s are filing for data breaches that can result in more massive losses for the breached company.
Headlines about the latest data breach continue to surface on the news about as frequently as we hear about Trump’s campaign travails. Interestingly, when Walmart, Home Depot or Wendy’s sues Visa and MasterCard for their data breach issues, those lawsuits don’t make the front pages. Did you know that banks got together and filed a class action lawsuit against Target for the much publicized data breach? The consumer class action lawsuits against the health insurance behemoths like Anthem and Premera have garnered a lot of attention. In the meanwhile, some of the Goliaths are suing the other Goliaths for their class action was certified late last year.
A takeaway from all of these class actions is that the victims and plaintiffs in data breach lawsuits are not only everyday consumers, they are also retail giants, banks, employees, etc. When an organization fails to exercise due care in safeguarding personal information, it had better get ready to face the wrath of someone…
An increasingly common and relatively easy way for hackers to access sensitive data is through “phishing,” where unwitting recipients of email or texts (SMS phishing or “smishing”) trust the sender with the sought-after information. According to Verizon’s new 2016 Data Breach Investigations Report, about 90% of security incidents stem from some form of phishing. Verizon reports that phishing continues to trend upward and is found in the most opportunistic attacks as well as “sophisticated nation-state tomfoolery.” But the president of the Olympia School District chuckles (yes, that’s right, chuckles) at its recent breach resulting from phishing because, according to what he told MyNorthwest reporter, Sara Lerner:
“It happens…it’s an opportunity to have that conversation and move forward with it. You could call it a teachable moment if you want to,” he said, with a chuckle.
That kind of cavalier attitude is exactly the problem that we have with so many school districts and government agencies. One cannot be careless, when it comes to sensitive data, whether it is at a school district or at the Health Care Authority/Apple Health Data Breach, where an employee’s mishandling and HCA’s insufficient privacy protocols allowed the medical records of 91,000 individuals to get sent to an unauthorized recipient.
As we continue our class action litigation regarding the Anthem data breach as well as the Amerigroup Washington data breach, I learn more about how stolen protected health information (PHI) is marketed on the dark net. To those who want to toss caution to the wind, feel free to do so with your own data. Just not everyone else’s.
BTW: If you were one of those who received a data breach notification from HCA or the Olympia School District, please contact me at Catherine@Stritmatter.com or 206.448.1777. I would like to learn your perspective and story, as well as share the details of how we’re trying to hold these organizations accountable to prevent future data breaches.
Bravo Apple for standing up for privacy and data security.
I usually avoid discussing September 11, 2001. But this is relevant. Since 9/11, so many private citizens in this country think it’s ok to give up privacy in the name of homeland security. They will say, “I have nothing to hide,” only those like the terrorists have anything to hide. But valuing our privacy is not about wanting to hide information. It is about having control over what we disclose to whom at the time when we choose. When a governing body has easy access to the minute details of each of us, we have given away so much of ourselves without anything in return (except the sweet promise of catching the bad guys). We have already made it so easy with government surveillance programs.
Trust me: Just thinking about 9/11 still gets me spitting mad at the radicals who claimed to kill in the name of their god. In one of the most horrific ways imaginable (burning innocent people to death, who were trapped in the towers) they stole my brother and best friend from me on his first day at his new job at the 96th floor of the WTC North tower. Many other brothers, sisters, fathers, and mothers were robbed from their families that day as well. If anyone has an inextinguishable desire to rid our world of terrorists, it is me.
But ramming down iPhone security is not the way to go about fighting terrorism. Weakening security that protects each of us from bad actors for the sake of getting a discrete set of information is not the answer.
Each of us needs to understand why our personal data and privacy are worth fighting for. If we are ready to throw our privacy out the window for the sake of an investigation, we give in to all that we have fought for since 9/11.
Tomorrow, January 28, 2016, is Data Privacy Day. Big deal? It actually is: The first Data Privacy Day that occurred in the United States and Canada was in 2008, which was observed as an extension of the Data Protection Day celebration in Europe. Data Protection Day commemorates the Jan. 28, 1981 signing of Convention 108, which was the first legally binding international treaty dealing with privacy and data protection.
Now led by the National Cyber Security Alliance (NCSA), Data Privacy Day has become the signature event promoting privacy awareness. Without committed defenders of privacy, like the Electronic Frontier Foundation, we would not have seen a complaint filed with the FTC against Google for unauthorized collection of school-aged children’s information, when they are using Google Apps and Chromebooks in their schools. Google’s unauthorized collection of personal information from school children via Chromebooks and Google Apps for Education (GAFE) caught the attention of Senator Al Franken, a ranking member of the Senate Judiciary Subcommittee on Privacy, Technology and the Law. Franken responded by writing a letter to Google CEO Sundar Pichai asking for information about GAFE’s privacy practices.
The first step to ensure that our student privacy campaign succeeds is to educate ourselves as parents. This way, we can direct our energy and knowledge effectively. On this Data Privacy Day, take the time to check out the resources that the Electronic Frontier Foundation compiled to regain control of your children’s privacy. Please spread the word about student privacy by sharing these and similar resources with other parents!
I can’t emphasize enough how important it is that parents understand their and their children’s rights. We live in a world where parents may be asked by schools to waive those rights before their youngsters are permitted to use technology in the classroom. Third parties will too often encourage parents to give schools consent to release their children’s information to those very third parties.
Interested in becoming part of the “privacy defender team?” There are many ways in which you can get involved.
- Create a culture of privacy at your organization.
- Own your personal online presence.
- Share your privacy knowledge with your local communities.
- Attend a Data Privacy Day event.
- Become a Data Privacy Day Champion.
I wanted to share the above infographic from The Economist, which illustrates the spike in data breaches since 2005. Most notable: Medical records data breaches rose over 40% last year. Subcontractor and Employee negligence are also on the rise. A couple of positive takeaways are that there is apparently less insider theft and a decreasing percentage of breaches that include social security numbers.
I read an interesting post earlier today on one of WSJ’s blogs. It admitted that the pendulum has swung in favor of consumers in data breach cases. While defendant companies continue to get cases bounced on the flawed premise that data breach victims have not suffered any “actual harm,” more courts are sympathetic to the consumers.
Two big cases come to mind. One is the Wyndham data breach case (FTC brought the action). This past August, the Third U.S. Federal Circuit Court ruled against Wyndham, finding that the FTC can take action against organizations that adhered to poor IT security practices.
Several weeks before Wyndham was decided, the U.S. Court of Appeals for the Seventh Circuit reinstated a data breach case against Neiman Marcus. Why? It found that the risk of harm was enough to establish standing. The 350,000 affected customers “should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing,” the court ruled.
The Seventh Circuit, however, reinstated both types of claims – those who had incurred expenses tied to the Neiman Marcus hack, and those who feared identity theft in the future. Chief Judge Diane Wood pointed out that a breach victim’s fear of hackers in the future is not too “speculative” for a day in court.
Wood asks: “Why else [other than to cause harm] would hackers break into a store’s database and steal consumers’ private information?”