A Method for Establishing Liability for Data Breaches

Last month, the First American Financial Corporation—which provides title insurance for millions of Americans—acknowledged a cybersecurity vulnerability that potentially exposed 885 million private financial records related to mortgage deals to unauthorized viewers. These records might have revealed bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images to such viewers. If history is any guide, not much will happen and companies holding sensitive personal information on individuals will have little incentive to improve their cybersecurity postures. Congress needs to act to provide such incentives.

The story is all too familiar, as news reports of data breaches involving the release of personal information for tens of millions of, or even a hundred million, Americans have become routine. A company (or a government agency) pays insufficient attention to cybersecurity matters despite warnings that the cybersecurity measures it takes are inadequate and therefore fails to prevent a breach that could be remediated by proper attention to such warnings. In the aftermath of such incidents, errant companies are required by law to report breaches to the individuals whose personal information has been potentially compromised. Frequently, these companies also offer free credit monitoring services to affected individuals for a year or two.

What happens afterward? The companies incur some expenses in the notification of the breach and in providing credit monitoring for the fraction of individuals who sign up, and they usually approve spending money to take additional cybersecurity measures. Their insurance rates may increase as well. However, those whose sensitive personal information was compromised are still left out in the cold. Companies responsible for breaches often assert that the mere compromise of personal information is not an injury—the individual must suffer actual loss, financial or otherwise, for the compromise to be considered an injury. Indeed, in a January 2019 motion to dismiss a consumer lawsuit against Equifax for a massive 2017 data breach, the company made exactly this claim.

This argument is, on its face, ridiculous. An individual who receives a letter saying that his or her sensitive personal information has been compromised does not jump for joy—worry and concern are far more likely reactions. And such concerns are likely to be magnified when he or she is informed that credit monitoring may be necessary to forestall any harm that might occur as a result of the compromise. Worry and concern are real harms, even if intangible ones.

Still, the law has difficulty assigning dollar values to intangible harms. One frequently useful technique for ascertaining the value of a quantity about which little is known is to start with the extremes and see if it is possible to narrow the range within which that value is likely to be found. This technique does not yield precise values, but having a range within which the quantity’s value is found is better than assigning a value of zero to that quantity because “nothing is known.”

In the case at hand, we have established that the worried individual suffers a harm that an unworried individual does not. If the worry is caused by the data breach, then the party whose inadequate security led to the breach has some responsibility for that harm. I propose that the appropriate valuation of such harm be assessed by a determination of how much a reasonable individual of reasonable means would pay not to have to worry about the consequences of a data breach.

How should that amount be estimated? Given that it is more than zero, what might it be? A penny or a dime seems very low—after all, pennies and dimes are worth little enough that people often don’t bother to bend over to pick them up on the street, but if picking up a coin off the street would forestall worry over identity theft, most people would probably be happy to do so. How about a cup of coffee? That is, would they forego one cup of coffee—which might cost a few dollars—to avoid worrying? Almost certainly—so a few dollars also seems a bit low.

Now let’s consider the high end. I suggest that for most people a few hundred dollars is a large amount of money; that is, most people would think twice before spending a few hundred dollars. Some might well do it, but most of those affected will not actually suffer from identity theft—and for them a few hundred dollars might well be too much to pay to relieve themselves from worrying about a hypothetical harm. These comments are clearly much more true for an amount of a few thousand dollars.

According to this analysis, the value of not worrying is probably higher than a few dollars and lower than a few hundred dollars. Thus, the analysis suggests that an amount of a few tens of dollars is about right. I’ll peg it at $30, and if someone wants to argue for $10 or $50, I won’t argue very much.

In the future, appropriate legislation could require that with every data breach notification letter sent to individuals, the company responsible must include in the envelope a $30 check payable to the addressee—and as a quid pro quo, the legislation could also explicitly rule out class-action lawsuits. Multiplying $30 per person by a hundred million people implies billion-dollar penalties, a threat that will have a real and substantial impact on incentivizing companies handling sensitive personal information to pay better attention to cybersecurity.