Storm v. Paytime, Inc.
Concerning Whether Victims of Data Breaches Must Suffer Identity Theft or Financial Fraud In Order to Sue
Summary
Storm, et al. v. Paytime, Inc., currently before the U.S. Court of Appeals for the Third Circuit, concerns whether victims of data breaches have standing to sue if they have not suffered actual misuse of their personal information.
Top News
- Supreme Court Won’t Disturb Data Breach Decision: The Supreme Court today declined to review Zappos.com v. Stevens, a decision that allowed consumers to sue the online retailer following a breach of their personal data. More than 24 million Zappos customers were affected by the breach, which included account numbers and passwords. Zappos tried to block the lawsuit, claiming that consumers had to show additional damages. The Ninth Circuit rejected that argument, and the Supreme Court left the decision of the appeals court in place. EPIC has filed amicus briefs in similar data breach cases, including Attias v. Carefirst, arguing that if "companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches.” EPIC regularly files amicus briefs defending consumer privacy and addressing emerging privacy challenges. (Mar. 25, 2019)
- Federal Appeals Court Dismisses Privacy Case Against Connected Car Makers: A federal appeals court has ruled that consumers don't have the right to seek legal relief from automakers whose connected cars endanger their privacy because the risk of remote hacking is "speculative." EPIC filed an amicus brief in the case warning that connected cars "expose American drivers to the risks of data breach, auto theft, and physical injury." EPIC urged the court to allow consumers "the opportunity to present legal claims stemming from the defendants' sale of vehicles that place them at risk." But the court wrongly downplayed the consumers' privacy injuries and dismissed the case. EPIC recently urged the Supreme Court to reject warrantless searches of rental cars, which today collect vast troves of personal data. EPIC has filed numerous other amicus briefs defending consumer privacy rights, and EPIC has repeatedly warned the National Highway Traffic Safety Administration, the Federal Trade Commission, and the U.S. Congress about the privacy and consumer safety risks posed by connected vehicles. (Dec. 21, 2017)
- Court Dismisses Suits Against OPM Over Data Breach that Affected 22 Million » (Sep. 20, 2017)
A federal court in Washington, DC has dismissed two lawsuits against the Office of Personnel Management over the data breaches that compromised the records of 22 million federal employees and family members. The court acknowledged the "troubling allegations" raised by OPM's victims but ruled that "the fact that a person's data was taken" is not "enough by itself to create standing to sue." EPIC has long argued that data breach victims should not wait until they suffer identity theft to sue the parties that failed to protect their data. EPIC also filed comments last year with OPM recommending limits on data collection, has recommended updates to the federal Privacy Act, and has urged the Supreme Court to recognize a right to "informational privacy" and to ensure Privacy Act damages for non-economic harm.
- Lack of Privacy Impacts Internet Use, Economy, Says NTIA Survey » (May 16, 2016)
A recent study by the National Telecommunications and Information Administration found that nearly half of Internet users in the US refrained from online activities due to privacy and security concerns. Identity theft was the top concern, cited by 63 percent of respondents, followed by financial fraud, noted by 45 percent. Nearly a quarter of Americans cited concerns about online tracking. “In addition to being a problem of great concern to many Americans, privacy and security issues may reduce economic activity and hamper the free exchange of ideas online,” NTIA concluded. EPIC has supported enactment of the Consumer Privacy Bill of Rights and recently launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election.
- EPIC Defends Right of Data Breach Victims to Bring Suit » (Apr. 19, 2016)
EPIC has filed an amicus brief urging a federal appeals court to overturn a decision that limits the ability of data breach victims to sue. The plaintiffs sued a payroll company after their Social Security Numbers and other identifying information were exposed. A lower court dismissed the case because fraudulent transactions had not yet occurred. EPIC argued that data breach victims can sue without having to wait for specific damages. EPIC cataloged the epidemic of data breaches in the US, and explained why companies should be liable when they fail to protect the consumer data they collect. EPIC regularly files briefs defending consumer privacy.
- California AG Releases 2016 Data Breach Report, Retail and Financial Sectors Most Vulnerable » (Feb. 18, 2016)
A new report from California Attorney General Kamala Harris examines data breaches in California from 2012 to 2015. There were 657 data breaches during the last four years, which compromised over 49 million records. The retail sector experienced the largest share of breaches at 25%, followed by the financial sector at 18%. Among several recommendations, the report recommends that organizations adopt strong encryption. "Government and the private sector have a shared responsibility to safeguard consumers from threats to their privacy, finances, and personal security," Attorney General Harris stated. The Attorney General received a 2015 EPIC Champion of Freedom Award. EPIC recently launched "Data Protection 2016," a non-partisan campaign to make data protection an issue in the 2016 election.
- EPIC Testifies Before Senate on Risks of SSN on Medicare Cards » (Oct. 6, 2015)
EPIC will testify before the Senate Committee on Aging about "Protecting Seniors from Identity Theft: Is the Federal Government Doing Enough?" A law enacted earlier this year prohibits the inclusion of SSNs on Medicare cards, but the federal agency tasked with implementing the change has said it will take years. In a prepared statement, EPIC President Marc Rotenberg warns about the growing risk of SSN-related identity theft. Mr. Rotenberg said, "Given the growing risk of identity theft coupled to the SSN and the fact that other federal agencies have already removed the SSN from identity cards, there is simply no excuse for further delay." EPIC has long urged Congress and state legislators not to use the SSN on identity documents.
- EPIC Defends Privacy Laws in Supreme Court Brief » (Sep. 8, 2015)
In an amicus brief for the Supreme Court, EPIC defended Congress's authority to enact laws that safeguard the privacy of American consumers. EPIC explained that "Congress enacted laws that establish rights for individuals and imposed obligations on the companies that profit from the collection and use of this data." Spokeo v. Robins arises from a data broker's publication of inaccurate personal information in violation of the Fair Credit Reporting Act. The data broker charged that, in addition to the violation of federal law, Mr. Robins must also show that he was specifically harmed. Citing the current epidemic of privacy risks in the United States, including data breaches, identity theft, and financial fraud, EPIC wrote in the brief that this is "not the time for the Supreme Court to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress." The EPIC amicus brief in Spokeo was endorsed by thirty-one technical experts and legal scholars, members of the EPIC Advisory Board.
- Federal Appeals Court Revives Driver Privacy Claims » (Aug. 20, 2015)
In McDonough v. Anoka County, a federal appeals court has revived several cases under the Driver's Privacy Protection Act. A lower court previously ruled that the plaintiffs, including female journalists, failed to bring the claims in time. EPIC argued as amicus that "discovery," not "occurrence," is the correct standard for time limitations in privacy cases. Although the appellate court affirmed that some claims were time barred, it permitted many of the claims to proceed. The defendants' justifications for accessing the plaintiffs' driving records, wrote the court, "are not sufficiently convincing to undermine the reasonable inference of impermissible purpose." The appellate court also acknowledged that "[EPIC] raises legitimate concerns about the ability of identity thieves to utilize sensitive personal information found in motor vehicle records and the difficulty in detecting such a crime within the applicable limitations period."
- Data Breach Bill Would Preempt State Law, Weaken FCC Authority » (Mar. 13, 2015)
Representatives Burgess, Blackburn, and Welch have proposed a bill for data breach notification. The Data Security and Breach Notification Act would require businesses to notify consumers of a data breach "unless there is no reasonable risk of identity theft or financial harm." The bill would also preempt stronger state laws, and would strip the FCC of its authority to protect consumers' privacy. In 2005, EPIC testified before Congress on "Identity Theft and Data Broker Services" and urged the regulation of data brokers following the disclosure that Choicepoint sold personal information to identity thieves. In 2009 and again in 2011, EPIC favored baseline federal law that would allow states to innovate and develop new legislative responses to privacy risks.
- Obama Issues Executive Order to Strengthen Consumer Privacy » (Oct. 17, 2014)
President Obama signed an Executive Order today to Improve the Security of Consumer Financial Transactions. The Order will require enhanced security features for government financial transactions, including chip-and-PIN technology, which has greatly reduced financial fraud and identity crimes in Europe. The Executive Order states that "the Government must further strengthen the security of consumer data and encourage the adoption of enhanced safeguards nationwide in a manner that protects privacy and confidentiality..." The White House also announced a series of measures to safeguard consumer financial security, including more secure payment systems, efforts to reduce identity theft, and support for "algorithmic transparency." EPIC has endorsed many of these proposals. The White House also announced a summit on cybersecurity and consumer protection. For more information, see EPIC: "Cybersecurity and Data Protection in the Financial Sector" (House 2011), EPIC: "Cybersecurity and Data Protection in the Financial Sector" (Senate 2011), and EPIC: Identity Theft.
- Home Depot Data Breach Exposes Millions of Credit Card Records » (Sep. 4, 2014)
A data breach at Home Depot might have exposed millions of consumers' credit card records, according to an announcement from Home Depot's corporate center. "We're looking into some unusual activity that might indicate a possible payment data breach," the announcement read. "If we confirm a breach has occurred, we will make sure our customers are notified immediately." In the last year, 70 million Target customers, 33 million Adobe users, 4.6 million Snapchat users, and potentially all 148 million eBay users had their personal information exposed by database breaches. In May of this year, the President's science advisors surprisingly found little risk in the massive collection of personal data by companies. However, a recent FTC report on data brokers warned that "collecting and storing large amounts of data not only increases the risk of a data breach or other unauthorized access but also increases the potential harm that could be caused." EPIC has urged the White House to enact the Consumer Privacy Bill of Rights and to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. For more information, see EPIC: Big Data and the Future of Privacy, and EPIC: Identity Theft.
- Report: Half of American Adults' Data Hacked So Far This Year » (May 29, 2014)
A new report finds that 432 million online accounts in the US have been hacked this year, concerning about 110 million Americans. In the last year, 70 million Target customers, 33 million Adobe users, 4.6 million Snapchat users, and potentially all 148 million eBay users had their personal information exposed by database breaches. Earlier this month, the President's science advisors found little risk in the continued collection of personal data. However, the FTC's recent report on data brokers warned that "collecting and storing large amounts of data not only increases the risk of a data breach or other unauthorized access but also increases the potential harm that could be caused." Earlier, EPIC urged the White House to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. For more information, see EPIC: Big Data and the Future of Privacy, EPIC: Identity Theft and EPIC: Choicepoint.
- FTC Chair Ramirez Urges Senate to Act on Data Security Legislation » (Feb. 5, 2014)
The Senate Judiciary Committee hearing on "Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime" followed a series of major data breaches at Target, Neiman Marcus, and Michaels, which compromised the personal data of tens of millions of consumers. Senator Leahy, who has introduced important data privacy legislation, said "In the digital age, Americans face threats to their privacy and security unlike any time before in our Nation's history." FTC Chair Edith Ramirez expressed strong support for federal data security legislation (2h18m). In 2012 President Obama set out a framework for consumer privacy protection, the Consumer Privacy Bill of Rights, which is supported by consumer privacy organizations. For more information, see EPIC: Privacy Legislation, EPIC: Identity Theft, and EPIC: Federal Trade Commission.
- Senator Leahy Proposes Consumer Privacy Legislation » (Jan. 9, 2014)
Senator Leahy has introduced the Personal Data Privacy and Security Act of 2014. The Act would strengthen privacy and data security by establishing a national standard for data breach notification, and requiring companies to create a data privacy and security program to protect and secure sensitive data. The bill follows a massive data breach at Target that compromised the personal data of more than 40 million consumers. Senator Leahy stated that the bill "aims to better protect Americans from the growing threats of data breaches and identity theft" and said there would be a hearing in the Judiciary Committee later this year. In 2012 President Obama set out a framework for consumer privacy protection, the Consumer Privacy Bill of Rights. For more information, see EPIC: Privacy Legislation and EPIC: Identity Theft.
- Identity Theft Remains Top Concern of US Consumers » (Feb. 29, 2012)
According to the Federal Trade Commission, identity theft was the top source of consumer complaints in 2011, comprising 15 percent of the 1.8 million total complaints filed. This is the 12th year in a row in which identity theft has occupied the top position. The report contains data on 30 complaint categories, which are broken down by metropolitan areas and provided to state and local law enforcement offices. For more information, see EPIC: FTC and EPIC: Identity Theft.
- California Passes Updated Data Breach Legislation » (Sep. 1, 2011)
California has enacted Senate Bill 24, first introduced in 2001 by Senator Joe Simitian, which strengthens existing state breach notification law. Since 2002, California law has required data holders to notify individuals if their data is breached, but the law did not specify what information should be included in the notification. This new law specifies the information that should be provided, including instructions on how to contact credit agencies. The law also requires that the state Attorney General be notified in the event of a breach. EPIC testified in 2009 before the House Commerce Committee against "federal preemption" in national data breach legislation, citing important legislative innovations to protect consumers that take place in states such as California. For more information, see EPIC: ID Theft.
- House Subcommittee Approves Weak Data Breach Bill » (Jul. 21, 2011)
A House Commerce Subcommittee voted in favor of the SAFE Data Act, a data breach bill sponsored by Rep. Bono Mack (R-CA). The bill requires companies to act quickly in the case of breach and encourages minimization of data collection. However, the bill preempts stronger state laws and does not adequately protect personal information. EPIC Executive Director Marc Rotenberg testified before the Subcommittee on this bill. EPIC emphasized the growing problem of data breaches and the likelihood that problems would get worse as more user data moves to cloud-based services. For more information, see EPIC: Identity Theft. Webcast.
- In Response to Mounting Evidence of Data Breach Risk, EPIC Urges Congress to Act » (Jun. 21, 2011)
EPIC Executive Director Marc Rotenberg testified before the Senate Banking Committee, urging lawmakers to apply breach notification regulations to financial institutions and promote authentication techniques that reduce risks to consumers. EPIC observed that "current laws do not adequately protect consumers," and highlighted a series of recent high profile data breaches in the financial sector. The hearing, "Cybersecurity and Data Protection in the Financial Sector," follows May 2011 data breaches at Citigroup and Bank of America. The breaches exposed sensitive financial data linked to hundreds of thousands of consumers; individuals lost millions of dollars from their accounts. EPIC previously testified before the House concerning data breach legislation. For more, see EPIC: Identity Theft and EPIC Testifies in Congress on Data Breach Legislation.
- Senator Leahy Introduces Data Privacy Bill » (Jun. 8, 2011)
Senator Leahy introduced the Data Privacy Bill of 2011, which is aimed at increasing protection for Americans' personal information and privacy. The bill establishes a national breach notification standard, and requires businesses to safeguard consumer information and allow consumers to correct inaccurate information. Leahy previously sponsored the Personal Data Privacy and Security Act in 2005 and has introduced similar legislation in the last three Congresses. For more information, see EPIC: Identity Theft and Summary of Legislation.
- EPIC Tells FTC To Step Up Enforcement Against Debt Collectors » (May 27, 2011)
EPIC submitted a statement to the Federal Trade Commission in response to a public request for feedback about new trends in technology, consumer protection, and the debt collection industry. EPIC argued that Congress has authorized the FTC to bring much stronger regulations to bear on the debt collection industry. The Federal Debt Collection Practices Act prohibits debt collectors from publicizing consumers' debts to any third party. Section 5 of the FTC Act bars unfair and deceptive trade practices. The Gramm-Leach-Bliley Act gives debt collectors an affirmative legal duty to protect the sensitive information they collect. Congress gave the FTC authority to enforce all three of these laws. EPIC cited the sharp rise in complaints to the agency about debt collectors and a recent criminal case against debt collectors who coordinated with an identity theft scheme in Buffalo, New York as compelling reasons for the agency to introduce meaningful enforcement actions. For more information, see EPIC: Identity Theft.
- Senator Leahy Calls for Updates to Federal Privacy Law, Attorney General Confirms Sony Investigation » (May 4, 2011)
At a Justice Department oversight hearing, Senate Judiciary Chairman Patrick Leahy today urged Congress to enact the bipartisan Personal Data Privacy and Security Act. He also said that the "collection, use and storage of Americans’ sensitive personal information, including by mobile technologies, is an important privacy issue." He asked the Attorney General to work with the Congress on updates to the Electronic Communications Privacy Act and other Federal laws implicating Americans’ privacy. During the hearing, the Attorney General confirmed an investigation into the Sony network attack, considered the most serious data breach to date. For more information, see EPIC - Wiretapping, EPIC - Identity Theft.
- Senator Blumenthal Asks Justice Department to Investigate PlayStation Breach » (Apr. 29, 2011)
Senator Richard Blumenthal (D-CT) wrote to Attorney General Eric Holder asking that the Department of Justice open an investigation into the Sony PlayStation security breach. Sony recently informed PlayStation Network customers that an "unauthorized user" had obtained the personal and financial information of 70 million gamers, including minors. Blumenthal wrote that whoever hacked into the PlayStation Network violated the Computer Fraud and Abuse Act. He also expressed concern about Sony's week-long delay in notifying users about the breach. In 2009, EPIC testified before Congress about the need to strengthen data breach notification laws, noting "in the absence of security obligations and breach notification requirements, it is too easy for firms to continue bad practices." For more information, see EPIC: Identity Theft.
- Privacy Watchdog Receives Broad Protection for Publishing Public Records » (Apr. 15, 2011)
A federal judge has issued a final order in favor of privacy advocate Betty Ostergren, who challenged a state law designed to prosecute her for drawing attention to the state's poor security practices. Ostergren had posted public records on her website that included Social Security Numbers made available by the state of Virginia. A district court held that Virginia may not prosecute her for re-publishing the Social Security Numbers of state officials. On appeal, a federal appeals court ruled that the court’s holding was too limited, and on remand the court said that Ostergren can re-publish any publicly available documents. EPIC filed a "friend of the court" brief in support of Ostergren, urging the court to hold that the First Amendment protects Ostergren's speech. For more information, see EPIC: Ostergren v. McDonnell, EPIC: Social Security Numbers, and EPIC: Identity Theft.
- Epsilon Data Breach Threatens E-mail Privacy of Millions » (Apr. 7, 2011)
Epsilon, a large marketing firm, has lost the names and e-mail addresses of customers of Walgreens, JP Morgan Chase, Capital One, TiVo, and other large companies. The firm announced the data breaches late last week. Data service providers, such as Epsilon, are not well known by consumers and are not typically regulated. Epsilon provides data analytics, targeting, profiling of customers, as well as e-mail tracking services. Previously, EPIC provided comments to the Federal Trade Commission and testimony to the United States Congress on the need for comprehensive privacy protection for customer data. For more information, see EPIC: Identity Theft.
- Social Security Protection Act of 2010 Becomes Law » (Dec. 23, 2010)
President Obama signed a bill aimed at reducing identity theft by limiting the Government's use of and access to social security numbers. The bill, which passed the House and Senate, prohibits government agencies from printing social security numbers on checks and from allowing prison inmates access to social security numbers. "Social Security numbers are among Americans' most valuable but vulnerable assets," said Sen. Feinstein, a sponsor of the bill. "Identity theft is a serious concern for all consumers, and we should make every effort to protect personal information." EPIC has testified many times before Congress on the need to safeguard the SSN, including House hearings in 2000, 2001, 2006, and 2007, and EPIC has also litigated important cases on SSN privacy. For more information, see EPIC: Social Security Numbers, EPIC: Identity Theft, and EPIC: Doe v. Chao.
- Web Companies Defend Data Collection Practices, Google Absent » (Oct. 12, 2010)
Eleven internet companies responded to Rep. Markey and Rep. Barton's request for information regarding their data collection practices. However, the companies said that it is "impossible" for them to eliminate online tracking of consumer behavior. Google refused to respond to the survey questions. At the same time, Microsoft, Intel Corp. and eBay announced support for Rep. Rush's "Best Practices Act." This bill contains a private right of action as well as a safe harbor for companies that comply with a self-regulatory "Choice Program" approved by the Federal Trade Commission. EPIC recently testified before Chairman Rush's committee and recommended new safeguards for Internet users. For more information, see EPIC: Identity Theft.
- Senate Holds Hearing on Data Security and Breach Notification Bill » (Sep. 24, 2010)
The Senate Commerce Committee held a hearing on S. 3742, The Data Security and Breach Notification Act of 2010. This bill requires security policies for consumer information, regulates the information broker industry, and establishes a national breach notification law. EPIC director Marc Rotenberg testified on a similar bill in the House recommending support but also urging lawmakers to strengthen the proposed law by adopting a broader definition of "personally identifiable information" and permitting stronger state laws to remain. The Senate thus far has not addressed these concerns. For more information, see EPIC: Identity Theft.
- Appeals Court Protects Free Speech for Privacy Advocate » (Jul. 26, 2010)
Privacy advocate Betty Ostergren has won in federal appeals court in her challenge to a state law designed to prosecute her for drawing attention to the state's online publication of SSNs. In Ostergren v. Cuccinelli, the court ruled that the Commonwealth of Virginia may not prosecute Ostergren for publishing the SSNs of state officials available in public land records until the Commonwealth itself stops making these unredacted documents available. EPIC filed a "friend of the court" brief in support of Ostergren, urging the court to hold that the First Amendment protects Ostergren's speech. For more information, see EPIC Ostergren v. McDonnell, EPIC Social Security Numbers, and EPIC Identity Theft.
- FTC Delays Identity Theft Rule Yet Again » (Jun. 2, 2010)
The Federal Trade Commission is delaying, for the fourth time, its enforcement of the "Red Flags Rule." This rule requires creditors and financial institutions to implement programs to identify, detect and respond to the warning signs, or “red flags,” that could indicate identity theft. The FTC has decided to delay enforcement through the end of the year in order to give Congress time to enact legislation that could clarify what kind of entities would be considered "creditors" under the rule. For more information, see EPIC: Identity Theft.
- Inspector General: ID Theft Not a Priority at Justice Department » (Mar. 31, 2010)
The Inspector General's Office released a new report on the Department of Justice's Efforts to Combat Identity Theft. The report states that identity theft is a growing problem, but the Justice Department's efforts to combat the crime have "faded as priorities." The Inspector General concludes that the Department has failed to develop a coordinated plan to combat identity theft since a 2007 task force report. In 2007, EPIC proposed a comprehensive strategy to "address the root causes of identity theft: excessive data collection and lax security practices." For more information, see EPIC: Identity Theft.
- Massachusetts Data Protection Law Goes into Effect » (Mar. 10, 2010)
Massachusetts’s new data protection law went into effect at the beginning of March. The law applies to all companies that own or license the personal information of Massachusetts residents. According to the new regulations, companies are now required to create a comprehensive security program that details how personal information will be safeguarded. Governor Deval Patrick stated, “Consumers should feel confident that their personal information is protected, and not exposed to loss or theft. These regulations improve the safety of personal information, while giving businesses the flexibility to secure that information without undue burden.” For more information on privacy and identity theft, see EPIC: Identity Theft.
- House Passes Data Breach Bill » (Dec. 11, 2009)
Today, legislators passed the Data Accountability and Trust Act, which requires security policies for consumer information, regulates the information broker industry, and establishes a national breach notification law. The bill now moves to the Senate, which is also considering a similar measure sponsored by Senator Patrick Leahy. In May, EPIC Director Marc Rotenberg testified before Congress, urging lawmakers to strengthen the proposed law by adopting a broader definition of "personally identifiable information" and permitting stronger state laws to remain. For more, see EPIC Identity Theft.
- EPIC Urges Court to Protect Speech of Privacy Advocate » (Oct. 19, 2009)
Today, EPIC filed a "friend of the court" brief with the Fourth Circuit Court of Appeals, urging the court to hold that the First Amendment protects the speech of Betty Ostergren, a privacy advocate. Ostergren runs a website that republishes Social Security Numbers, collected from public records, to persuade Virginia lawmakers to stop releasing documents that reveal Social Security Numbers. Under Virginia law, Ostergren could be prosecuted for publishing SSNs, even though Virginia makes the numbers widely available. A lower court held that the law violated Ostergren's First Amendment rights. Virginia appealed. EPIC's brief urges the appeals court to uphold the lower court's ruling. For more information, see EPIC Ostergren v. McDonnell, EPIC Social Security Numbers, and EPIC Identity Theft.
- House Committee to Consider Data Breach Bill » (Sep. 29, 2009)
On September 30, the House Energy and Commerce Committee will consider a proposed federal law that would establish national standards for data breach notifications. The Data Accountability and Trust Act (DATA) also regulates information brokers and requires companies to adopt security policies. The Senate is considering a similar bill that protects additional categories of consumer information. In May, EPIC testified before Congress on the DATA bill, highlighting the importance of regulating data brokers, but warning of the dangers posed by federal laws that preempt stronger state privacy safeguards. In May, President Obama stated that "executive departments and agencies should be mindful that in our Federal system, the citizens of the several States have distinctive circumstances and values, and that in many instances it is appropriate for them to apply to themselves rules and principles that reflect these circumstances and values." For more information, see EPIC Identity Theft.
- FTC Issues Final Breach Notification Rule for Electronic Health Information » (Aug. 21, 2009)
The Federal Trade Commission issued a final rule requiring breach notification by vendors of medical records and related entities. In June, EPIC submitted comments recommending that all entities handling electronic health records be subject to the regulation and that the FTC should establish a central location to track and announce breaches. The FTC modified the rule accordingly. EPIC had also recommended that information "accessed" be treated as "acquired", substitute media notices be used as supplemental notification, verification of data breach notices be required, minimum security standards be created, penalties for violations be assessed, and the creation of "safe-harbors" for de-identified data be opposed. The rule was mandated under the American Recovery and Reinvestment Act. See EPIC Medical Privacy and EPIC Identity Theft.
- New Cybersecurity Legislation Introduced in Congress » (Jul. 23, 2009)
Senator Patrick Leahy (D-Vt) introduced The Personal Data Privacy and Security Act of 2009. The statute requires data brokers, business entities and federal agencies to create and implement data privacy and security practices. The bill requires data breach notification, enforces disclosure and accuracy requirements, and establishes an Office of Federal Identity Protection within the FTC. However, the bill preempts stronger state privacy laws and fails to provide a private right of action for consumers. For more information, see EPIC Identity Theft, EPIC Personal Data and Privacy Protection, and EPIC Preemption Page.
- EPIC Urges Comprehensive Strategy for ID Theft » (Jun. 17, 2009)
With ID theft rapidly increasing in the United States, EPIC Executive Director Marc Rotenberg today urged a Congressional Committee to address the root causes of the problem. In testimony before the House Oversight Committee, Mr. Rotenberg said that the government typically acts only after the crime has occurred and warned that the problem will get worse if current trends continue. EPIC recommended a comprehensive strategy for ID Theft that would include: (1) Establishing privacy safeguards for web 2.0 services; (2) Ensuring privacy protections for outsourcing; (3) Enacting comprehensive privacy legislation; (4) Making privacy protection a focal point of cybersecurity policy; and (5) Developing better techniques for Identity Management. See EPIC pages on Identity Theft.
- Congress Holds Open Markup Session on Data Breach Bill » (Jun. 3, 2009)
The Committee on Energy and Commerce held an open markup session on the Data Breach Bill. The Chairman of the subcommittee intends to have a law that is strong and adequately protects consumers. EPIC testified before Congress on this bill, which requires security policies for consumer information, regulates the information broker industry, and establishes a national breach notification law. For more information, see EPIC's page on Identity Theft.
- EPIC Testifies Before Congress on Data Breach Bill, Urges Changes to Strengthen Act » (May. 5, 2009)
EPIC Director Marc Rotenberg testified before Congress on the Data Accountability and Trust Act, which would require security policies for consumer information, regulate the information broker industry, and establish a national breach notification law. Rotenberg said "companies need to know that they will be expected to protect the data they collect and that, when they fail to do so, there will be consequences." The EPIC Director opposed the preemption of stronger state laws, recommended the use of text messages for breach notices, and suggested that personally identifiable information be broadly defined to include any information that "identifies or could identify a particular person." To learn more about Identity Theft, see EPIC's Identity Theft page.
- For Identity Theft Law, Supreme Court Rules that the Government Must Prove Intent to Impersonate » (May. 4, 2009)
In a critical case for the emerging field of identity management, the Supreme Court today reversed a lower court opinion and ruled unanimously in favor of the petitioner. The Court held that individuals who provide identification numbers that are not their own, but don’t intentionally impersonate others, cannot be subject to harsh criminal punishments under federal law. The case involved a mandatory 2-year prison term, added on to a prior conviction, for presenting a fake Social Security Number to an employer. EPIC filed an amicus brief in support of the petitioner, arguing that the "unknowing use of inaccurate credentials does not constitute identity theft." For more information, see EPIC, Flores-Figueroa v. United States.
- Supreme Court to Hear Argument in "Identity Theft" Case, EPIC Urges Justices to Protect Privacy Enhancing Technologies » (Feb. 23, 2009)
On Wednesday, the Supreme Court will hear arguments in a case that will determine whether individuals who include identification numbers that are not theirs, but don't intentionally impersonate others, can be subject to harsh criminal punishments under federal law. In Flores-Figueroa v. United States, the petitioner challenged his conviction for "aggravated identity theft." EPIC filed a "friend of the court" brief, on behalf of 17 legal scholars and technical experts, urging the Justices to protect techniques that allow individuals to safeguard privacy. EPIC explained that the crime of "identity theft" should require an intent to impersonate another. The EPIC brief urges the Court to avoid "a precedent that might inadvertently render the use of privacy enhancing pseudonyms, anonymizers, and other techniques for identity management unlawful." For more, see EPIC's Flores-Figueroa v. United States page.
- Data Breaches on the Rise in the US » (Jan. 6, 2009)
A new report from the Identity Theft Resource Center found a 47 percent increase in data breaches in the United States over 2007. Noting 656 reported breaches at the end of 2008, the report identified the company, the category of breach and the number of records exposed. The Center concluded that most breached data was unprotected by either encryption or even passwords. According to the FTC, data breaches are the leading cause of identity theft. For more information, see EPIC's page on Identity Theft.
Question Presented
Does a data breach victim have standing to sue if she hasn't actually suffered financial fraud or identity theft?
Background
Factual History and Procedural Background
Paytime is a “national payroll service company” whose services include “human resource management services, time and attendance systems, and web-based payroll submission.” Employees “were required to provide to their employers confidential personal and financial information, including their full legal names, addresses, bank account data, Social Security numbers, and dates of birth.” Employers then sent this information to Paytime.
On April 7, 2014, “unknown third parties gained unauthorized access to Paytime’s computer systems” and stole the personal and financial information of more than 233,000 individuals. Paytime didn’t discover the breach until April 30, 2014, then waited until May 12, 2014 to disclose the breach to affected parties. Paytime offered to provide a year of “free credit monitoring and identity restoration services” for anyone affected by the breach.
Current or former employees of companies that used Paytime as their payroll processing service brought two lawsuits against Paytime following the breach: In Storm, et al. v. Paytime, Plaintiffs filed a class action complaint alleging negligence and breach of contract. Paytime moved to dismiss the amended complaint for failure to state a claim and for lack of jurisdiction. In Holt et al. v. Paytime, Plaintiffs filed a class action complaint alleging breach of contract and violation of Pennsylvania’s Unfair Trade Practices and Consumer Protection Law. Paytime moved to dismiss the complaint for lack of subject matter jurisdiction and for failure to state a claim. Holt was transferred to the Middle District of Pennsylvania and the cases were consolidated.
The Plaintiffs in both cases allege injury from the increased risk of identity theft, and from the time and money spent protecting themselves from identity theft and fraud, “such as costs of monitoring their financial accounts, the opportunity cost of the time spent monitoring their accounts for identity theft, and costs of obtaining replacement checks and/or credit and debit cards.” The Storm Plaintiffs also allege actual damages, such as a plaintiff named Wilkinson whose government contractor job requires him to have security clearance, but whose clearance has been suspended due to the data breach, resulting in an additional four hour daily commute to a different job site. The Holt Plaintiffs also allege “the significant possibility of monetary losses arising from unauthorized bank account withdrawals, fraudulent payments, and/or related bank fees charged to their accounts.”
Lower Court Opinion
The lower court found that all Plaintiffs lacked Article III standing and granted Paytime’s motions to dismiss. Relying on Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), the court noted that “the Third Circuit requires its district courts to dismiss data breach cases for lack of standing unless plaintiffs allege actual misuse of the hacked data or specifically allege how such misuse is certainly impending.”
In reviewing the Plaintiffs’ allegations, the court found “no factual allegation of misuse or that such misuse is certainly impending.” Plaintiffs had not alleged “that they have actually suffered any form of identity theft as a result of the data breach—to wit, they have not alleged that their bank accounts have been accessed, that credit cards have been opened in their names, or that unknown third parties have used their Social Security numbers to impersonate them and gain access to their accounts.”
In addition, the court followed Reilly by finding that the increased risk of identity theft “does not suffice to allege an imminent injury.” The court noted that more than a year had passed since the data breach, which “undermine[s] the notion that identity theft would happen in the near future.” The court also dismissed as irrelevant the fact that the “breach was done by skilled hackers working from ‘foreign’ IP addresses.”
The court also dismissed the actual damages proffered by Plaintiff Wilkinson in Storm as a “preventative measure” insufficient to grant standing. The court noted that “[h]is supposed damages, in the form of increased commute time and related expenses . . . are merely a form of prophylactic costs the Supreme Court has warned cannot be used to ‘manufacture’ standing, even if those costs are reasonable.” The court didn’t address the Plaintiffs’ claim of injury from the costs of credit monitoring, but it noted in passing that here, the Plaintiffs would not need to foot the bill for preventive measures because Paytime had arranged to provide a year of free credit monitoring.
The court celebrated the “stringent standard for standing” as logical and wise in data breach cases. Because there are so many data breaches, “[m]illions of people, out of reasonable fear and prudence, may decide to incur credit monitoring costs and take other preventive steps.” But requiring companies to “pay damages to thousands of customers, when there is yet to be a single case of identity theft proven,” is “overzealous and unduly burdensome to business.”
Finally, the court dismissed Plaintiffs’ claim that the data breach harmed their privacy interest because “their confidential personal information” was accessed by an unauthorized third party. Because Plaintiffs “do not allege that the unidentified hacker was actually able to view, read, or otherwise understand the data it accessed” or that “their information was exposed in such a way as to make it easily viewed,” there is no actual or imminent harm to privacy.
EPIC's Interest
EPIC has a long history of advocating for consumers against the risks of identity theft and financial fraud.
In January 2016, EPIC launched Data Protection 2016, a nonpartisan campaign to make data protection an issue in the 2016 election. The campaign advocates for reduced identity theft and financial fraud and for investigations of the misuse of personal data.
In September 2015, EPIC filed an amicus brief in the Supreme Court case Spokeo v. Robins, which concerns whether courts have jurisdiction to review cases brought based on violations of federal statutory rights. Plaintiff Robins sued Spokeo for violating the Fair Credit Reporting Act by disclosing inaccurate information about him. EPIC filed an amicus brief, advising the Court that now is not the time “to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress.” EPIC highlighted the need for robust privacy and consumer protection laws by demonstrating that “American consumers today face an epidemic of privacy harms, including data breaches, identity theft, and financial fraud.” In 2015 alone, data breaches have “exposed more than one hundred and forty million records of personally identifiable information.” And according to the most recent Department of Justice report, “identity theft cost American consumers more than twenty-four billion dollars” in 2012.
In April 2014, EPIC submitted comments to the White House Office of Science and Technology Policy’s review of Big Data and the Future of Privacy. In its comments, EPIC warned the OSTP about the risks Americans face from the current big data environment, urged the swift enactment of the Consumer Privacy Bill of Rights, and highlighted the need for stronger privacy safeguards.
EPIC has also repeatedly advised legislators about the need to provide strong protections for consumer data. In October 2015, EPIC testified before the Senate Committee on Aging about protecting senior citizens from identity theft. EPIC warned about the growing risk of SSN-related identity theft, a risk magnified by the inclusion of SSNs on Medicare cards. EPIC had previously warned Congress and state legislators about the risks of using SSNs on identity documents. In June 2011, EPIC testified before the House Committee on Energy and Commerce about the SAFE Data Act, a bill intended to protect consumers’ personal information. EPIC emphasized the growing problem of data breaches and the likelihood that problems would get worse as more user data moves to cloud-based services. EPIC criticized the bill for preempting stronger state laws and for not adequately protecting personal information. The bill was not enacted. And in May 2009, EPIC testified before the House Committee on Energy and Commerce about H.R. 2221, the Data Accountability and Trust Act, and H.R. 1319, the Informed P2P User Act. EPIC opposed the preemption of state laws, recommended the use of text messages for breach notices, and suggested that personally identifiable information be broadly defined to include any information that identifies or could identify a particular person. Both bills died in committee.
Legal Documents
U.S. Court of Appeals for the Third Circuit, No. 15-3690
U.S. District Court for the Middle District of Pennsylvania, No. 14-cv-1138
News
- Shayna Posses, Advocates Seek To Address Spokeo In 3rd Circ. Data Row, Law360 (Jun. 23, 2016)
- Steven Trader, Spokeo Gives Workers Standing In Data Suit, 3rd Circ. Hears, Law360 (Jun. 1, 2016)
- Alison Frankel, Early Spokeo fallout: Privacy defendants try to capitalize, Reuters (May 20, 2016)
- Steven Trader, Paytime Urges 3rd Circ. To Reject Workers' Stolen-Data Claims, Law360 (May 17, 2016)
- Federal Court Holds That Data Breach Plaintiffs Have No Standing Unless They Show Misuse, Pepper Hamilton LLP (Mar. 24, 2015)
Resources