A company harvested your personal data, but failed to take basic steps to secure it. So thieves stole it. Now you’ve lost control of your data, and you’re at greater risk of identity theft. But when you sue the negligent company, they say you haven’t really been injured, so you don’t belong in court – not unless you can prove a specific economic harm on top of the obvious privacy harm.
We say “no way.” Along with our friends at EPIC, and with assistance from Morgan & Morgan, EFF recently filed an amicus brief arguing that negligent data breaches inflict grievous privacy harms in and of themselves, and so the victims have “standing” to sue in federal court – without the need to prove more. The case, In re Marriott Customer Data Breach, arises from the 2018 breach of more than 130 million records from the hotel company’s reservation system. This included guests’ names, phone numbers, payment card information, travel destinations, and more. We filed our brief in the federal appeals court for the Fourth Circuit, which will decide whether the plaintiff class certified by the lower court shares a class-wide injury.
Our brief explains that once personal data is stolen, it can be used against the breach victims for identity theft, ransomware attacks, and to send unwanted spam. The risk of these attacks causes psychological injury, including anxiety, depression, and PTSD. To avoid these attacks, breach victims must spend time and money to freeze and unfreeze their credit reports, to monitor their credit reports, and to obtain identity theft prevention services.
Courts have long granted standing to sue over harms like these. Intrusion upon seclusion and other privacy torts are more than a century old. As the U.S. Supreme Court has recognized: “both the common law and literal understanding of privacy encompass the individual’s control of information concerning [their] person.”
Further, the harms from a single data breach must be understood in the context of the larger data broker ecology. As we explain in our amicus brief:
Data breaches like the Marriott data breach cannot be considered individually. Once data has been disclosed from databases such as Marriott’s, it is often pooled with other information, some gathered consensually and legally and some gathered from other data breaches or through other illicit means. That pooled information is then used to create inferences about the affected individuals for purposes of targeted advertising, various kinds of risk evaluation, identity theft, and more. Thus, once individuals lose control over personal data that they have entrusted to entities like Marriott, the kinds of harms can grow and change in ways that are difficult to predict. Also, it can be onerous, if not impossible, for an ordinary individual to trace these harms and find appropriate redress.
Standing doctrine gone wrong
Under the current standing doctrine, your privacy is violated – and so you have standing to sue – when your data leaves the custody of a company that is supposed to protect it. So In re Marriott is an easy case for the Fourth Circuit.
But make no mistake, the U.S. Supreme Court has wrongly narrowed the standing doctrine in recent data privacy cases, and it should reverse course. These cases are Spokeo v. Robins (2016) and TransUnion v. Ramirez (2021). They hold that to have standing, a person seeking to enforce a data privacy law must show a “concrete” injury. This includes “intangible harms” that have “a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts,” such as “reputational harms, disclosure of private information, and intrusion upon seclusion.”
In TransUnion, the credit reporting company violated the Fair Credit Reporting Act by negligently and falsely labeling some 8,000 people as potential terrorists. The Court held that some 2,000 of them suffered concrete injury, and thus had standing, because the company disclosed this dangerous information to others. Unfortunately, the Court also held that the remaining people lacked standing, because the company unlawfully made this dangerous information available to employers and other businesses, but did not actually disclose it to them.
We disagree. As we argued in amicus briefs in TransUnion and Spokeo (and have argued elsewhere), we need broader standing for private enforcement of data protection laws, not narrower. Our personal data, and the ways private companies harvest and monetize it, play an increasingly powerful role in modern life. Corporate databases are vast, interconnected, and opaque. The movement and use of our data is difficult to understand, let alone trace. Yet companies use it to reach inferences about us, leading to lost employment, credit, and other opportunities. In this data ecosystem, all of us are increasingly at risk from wrong, outdated, or incomplete information, yet it is increasingly hard to trace the causation from bad data to bad outcomes.
Congress made a sound judgment in the Fair Credit Reporting Act that a person should be able to sue a data broker that negligently compiled a dossier about them containing dangerously false information, and then made that dossier available to others. Four Justices in TransUnion would have deferred to Congress, but the majority thought it knew better.
So, even though TransUnion provides standing to the many millions of people harmed by data breaches, including Marriott’s, the Court still must revisit and overrule TransUnion.
You can read our In re Marriott amicus brief here.