Over the sleepy holiday-interstitial week a District court ruling (Whalen v. Michaels) came down for a class-action lawsuit arising from the major 2014 Michael’s Stores breach, throwing the suit out. In my view, the ruling itself was major, not in the sense that it forged any new ground, but precisely because it didn’t: despite growing public opprobrium about commercial mega-breaches, the court maintained precedent (and effectively, contemporary American judicial “tradition”), and held that the plaintiffs didn’t have standing to sue because they couldn’t prove any harm. This was despite plenty of consumer angst, wasted follow-up hours, cancelled credit cards, and even attempts of third parties to make fraudulent charges. But because no fraudulent pecuniary charge stemming from the breach actually succeeded, thus directly impacting the plaintiff(s) monetarily, the court said there was no standing and the suit had to be dismissed.
DigitalGuardian.com has a nice news and editorial piece reacting to the decision.
The plaintiffs, of course, could still appeal, but they are fighting an overwhelming uphill battle. While we lack any clear legal doctrine on the topic of civil/commercial privacy rights in the United States (or any doctrine at all, really), it seems that courts around the country have “held the line” on consumer privacy class action suits, requiring strong proof of harm as a basis for standing (as just one recent example, in the Sutter Health breach in 2014). This is great news for big companies and other organizations worried about potentially unlimited liability for data breaches, but it leaves consumers cold: with the hassle and risks (to say nothing of the risk of eventual fraudulent charges) breaches expose them to, they understandably feel they are “owed something.”
The DG post linked above rightfully notes that it is odd that the court is not denying that there was harm at all, but seems to be arbitrarily requiring direct, pecuniary harm. This is further strange given that it is difficult if not impossible to definitively prove that fraudulent charges were not the consequence of a particular breach, and that such fraud could very well occur in the distant future, long after the case is dismissed. As the post points out, Michael’s offered in its defense a citation of the infamous 2013 decision in Clapper v. Amnesty Int’l, where the plaintiff’s suit was thrown out because the alleged NSA surveillance (later confirmed by the Snowden leaks) could not be absolutely proven at the time. The Michael’s court went with that precedent and rationale, extending it to the facts of the Michael’s case.
But the application of the proof-of-harm standard from Clapper seems extremely loose to this writer: here we know the bad underlying event occurred, as did real subsequent consumer harm (yeah, the plaintiffs cancelled their own credit cards as a precaution, but how is that not harmful, if only in time and inconvenience?). If this is a case of “bad facts making bad law” into a strict precedent, then it is also being badly applied. Instead, what is likely going on here is that the courts are effectively carrying water for corporate America, serving as a backstop against potentially huge class-action privacy suit risk. Clearly, companies genuinely need to protect themselves from such risk, though that would seem to be a more natural job for the insurance industry than the courts. At any rate, consumers come up utterly empty-handed in this calculus — which seems somehow “wrong” to me, given the very real impacts on them (even if few are direct and monetary — which one can always say as long as the credit card companies and banks ultimately make the fraud victims whole).
The other queer thing is that one might expect from recent 4th amendment jurisprudence that civil privacy-harm rulings would have started to go the other way; it was just in 2014 in the Riley v. California case that the Supreme Court held that police cannot snoop into cell phones and other electronic devices found on the person of an arrestee (a reduced-rights situation) without a separate warrant. The implicit stance is that such snooping would be (1) an invasion of privacy, and that (2) such a privacy violation would be a per se harm to citizens, which is why the government needs targeted probable cause and a warrant. Yet, if the cell phone network provider for the same person negligently allowed the device (or account) to be breached, and personal information leaked, courts like the one in Michael’s would say there is “no harm”, and therefore no standing. That seems to be an ideological disconnect to me.
But one can see the difficulty courts face here: if such consumer suits were allowed to proceed, and the only types of “harms” provable were squishy ones like hassle, wasted time and mental anguish (with perhaps mostly punitive damages cognizable) then how do you value the damages? One can certainly “take a stab” and pull numbers out of a hat, but then you have a rather glaring scenario of “legislating from the bench.”
In the end, it’s pretty clear this situation will only be resolved by national privacy legislation. Such legislation could at least set uniform legal standards, if not specific rules. In the absence of new legislation, the FTC has attempted to step into the breach to a limited extent, utilizing its “unfair or deceptive” Section 5 mandate (see, e.g., cases like FTC v. Wyndham and FTC v. LabMD). But not every privacy complaint can be shoehorned into this rubric, and further, this model leaves consumers without their own cause of action (though, in Europe, where they do have a national and supra-national privacy regime with the EU-DPD, there’s still no private right of action — But hey, that’s just un-American).
In the meantime, it seems U.S. courts are likely to continue their modus operandi, summarily punting every consumer privacy class action right back out the front courtroom doors.