Paul Peter Nicolai

Liability For Data Breaches Opening Up

Over the past 15 years, federal agencies and state governments have been imposing new obligations and requirements for handling personally identifiable information. Many of these regulatory and statutory regimes center on what has to happen if a company's database is breached.

The regulatory and statutory schemes mainly deal with requirements to report to government agencies and sometimes to the possible victims of a data breach.

Over that same time horizon, numerous cases have been filed against companies by customers who have been the object of a data breach. Most of these are class actions.

Until recently, practically all of these cases have gone nowhere because the courts have largely ruled that to collect damages, the plaintiffs had to prove actual damages. For class action cases, this becomes practically impossible. At the personal level, it is also doubtful.

The reason damages are difficult to prove is a combination of two factors.

First, in most data breach instances, the company only knows that a particular database has been accessed. Exactly what data has been copied from the database is not often knowable. When someone accesses a database with 1,000,000 customer records, it's difficult to know whether they took a particular credit card number from the database.

Secondly, it is practically impossible to know that the theft of a piece of data from a particular database caused a particular later theft or loss.

Two new cases are starting to change that.

The US Court of Appeals for the First Circuit recently ruled that if someone is subject to a database breach and shows that a fraudulent tax return was filed using their identification, actual damage has been proven even though there was no direct evidence of a connection between the two incidents.

The Supreme Court of Illinois has ruled that under the state's Biometric Information Privacy Act, any misuse of biometric data is punishable by a fine per instance under the law. No proof of damages is necessary.

These two decisions exhibit a growing movement to find that breaches of personal information will lead to financial liability.
