Posted by: Chase Millea
April 20, 2015
As nearly every analog form of communication transfers to a digital format, we input our personal data (e.g. credit card numbers, contact information) on a host of devices in an even greater number of settings. Do employers, retailers, and other users of the Internet have duties to protect personal information? In light of recent data breaches (including Target and Sony), many consumers are rightfully concerned that existing protections are insufficient.
Many states and the federal government are actively trying to combat breaches of personal privacy. For example, a U.S. House of Representatives bill seeks to improve responses to a data breach, including enhancing notice requirements for those whose data was compromised.
Interestingly, the bill also seeks to preempt state laws on the topic. If the proposed legislation becomes law, states would be prohibited from enacting supplemental legislation, which some argue would place consumers at similar or greater risk. In any event, companies have a strong incentive to ensure adequate privacy protections for employees and customers alike.
A primary statutory protection of personal data is the Consumer Fraud and Abuse Act (“CFAA”). Under several of its provisions, whoever:
Intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains…information from any protected computer;
Knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value;
Knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
Intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
Intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss;
is criminally liable and may be subject to both a fine and imprisonment.
Conveniently, these protections extend beyond our borders as well, thanks to the holding in United States v. Ivanov. In that case, a Federal District Court in New Jersey found that a Russian national residing in Russia, with no additional contacts with the United States (such contacts being a traditional requirement for personal jurisdiction), was still within the Court’s jurisdiction because the harm occurred in the United States.
Another thing to keep in mind is the scienter requirement in the statute. Scienter is the state of mind necessary to hold a person legally culpable for their actions. The CFAA requires that a person know or intend to cause the described harm. This is beneficial to the consumer because it prevents claims against individuals whose computers may have themselves been compromised (and who are unknowingly participating in an attack). However, it also requires the government to demonstrate the requisite mental state of a suspect (if it can even find the suspect) in order to convict.
Problems with the CFAA
Though the CFAA might allow a person to feel like their personal security was avenged if someone was substantially fined or put behind bars, it is unlikely to address the core problem: that the hack occurred in the first place. Furthermore, a criminal conviction is likely to do little to satisfy a person whose Social Security and credit card numbers are popping up in inboxes around the globe.
The reality is, personal data security must aim to prevent the breach in the first place. Similar to trade secrets, once data hits the masses, it’s hard to keep it from the public. Therefore, consumers and companies alike must take measures to prevent unauthorized access to personal information.
As mentioned above, some states require that companies take “reasonable measures” to ensure personal data protection. Failure to take such measures could result in substantial liability to consumers. Sony, for example, is currently grappling with the issue. Following a data breach in late 2014, plaintiffs filed a class action against the media mogul for failure to institute adequate protections for employee data.
One of the primary arguments for the employees is that the executive director of information security “had been told by an external auditor that Sony had insufficiently strong access controls and that passwords used by Sony employees did not meet best practice standards.” (Variety).
The employees argue that the audit put Sony on notice that their safeguards were inadequate, and could lead to invasions of employees’ personal data. So how did Sony respond? More protections weren’t worth it.
How Far Should Companies Go?
While companies have a significant incentive to institute “reasonable measures” to ensure employee data protection, the reality is that it comes down to a cost calculation. As the Sony IT director reasoned, “I will not invest $10 million to avoid a possible $1 million loss.”
Huge companies like Sony have an interest in protecting data (even if only to retain existing employees). However, there is a certain point where additional safeguards become too expensive to justify.
This imbalance of interests could be dangerous for both the employee and the consumer. Without additional legislation, companies will likely make the most cost-effective decision regarding data privacy. This could mean either substantial protection of personal data (if a company sees this as a lucrative investment) or very few meaningful safeguards (if a company just doesn’t think it’s worth the cost).
So what should companies do? What is reasonable, of course.
The unfortunate reality of data storage systems is that they are never totally protected from unauthorized access. Despite legal and technological safeguards, personal data is constantly under threat of exposure.
To employees and consumers: to ensure adequate protection of your data, it never hurts to be familiar with an employer or retailer’s data security policy. Furthermore, it’s probably best to keep your exposure to a minimum. In other words, don’t sign up for a three-minute survey to win $50,000 guaranteed.
To companies: it’s probably best to implement fairly strong safeguards for personal data. Though it would be impossible to require incredibly expensive protections, companies are better off with over-protective security systems than facing substantial tort liability in the event of a breach for which they should have prepared. But I guess that’s a business calculation.