Many readers have likely heard of the recent SolarWinds data breach dominating cyber headlines over the past couple of months. The SolarWinds hack went viral because the company was deeply involved with American government agencies, including intelligence organizations. While federal investigators suspect Russia’s Foreign Intelligence Service for that attack, a more recent and comparably unique hack took place Friday, March 5th, by exploiting vulnerabilities in the Microsoft Exchange Server email software, impacting more than 60,000 victims. Many of these victims were small businesses, as opposed to the often large, high-value targets of international cyberattacks. Preliminary investigation suggests the latter of the two attacks was spearheaded by a China-based group, indicating the United States is on the precipice of a two-front cyberwar that could stretch national cyber-defense resources thin. Amidst all the uncertainty, one thing becomes fairly clear: federal and state governments are taking seriously the need to legislate around devastating data breaches. That growing body of legislation brings new changes to the litigation landscape, and two of the most noteworthy developments are tied to standing and liability.
Standing is a concept learned early in legal education and is nested in justiciability doctrine. In order for a case to be justiciable, the party bringing the action must have standing, their claim must be ripe, and the case must not be moot. The widely cited Supreme Court case Lujan v. Defenders of Wildlife makes clear that Article III standing under the U.S. Constitution requires three things: (1) injury in fact; (2) causation between the injury and the condemned conduct; and (3) redressability via a favorable court decision. While such Article III standing might sometimes be sufficient to sustain a claim related to data compromise resulting from a hack, many legislatures want to do more for those whose circumstances make their injury, causation, or redress more ambiguous than what might ordinarily be sufficient.
Enter statutory-based standing. A recent dispute heard in the 7th Circuit Court of Appeals, Thornley v. Clearview AI, illustrates that states may craft statutes allowing complaints sufficient to support state claims, yet those same complaints may be insufficient to support Article III standing in federal court. In Thornley, the plaintiffs alleged that Clearview AI’s mining of picture-related data from public social media profiles to create a searchable database was contrary to the Illinois Biometric Information Privacy Act (“BIPA”). The federal district court for the Northern District of Illinois and the 7th Circuit Court of Appeals agreed that BIPA standing for state court claims was not sufficient to also support Article III standing. As the 7th Circuit states in Thornley, “[plaintiffs] may rely exclusively on state law and avoid federal-question jurisdiction. . . . [T]hey may take advantage of the fact that Illinois permits BIPA cases that allege bare statutory violations, without any further need to allege or show injury.” Other states have passed statutes similar to BIPA, but some have yet to include the same private right of action for prospective plaintiffs. Nevertheless, the list will likely continue to grow both geographically and substantively, covering more types of cybercrimes and adopting broader private rights of action. But in instances of cyberattacks, as opposed to data-privacy laws generally, there is a countervailing pressure against “victimizing the victim” when companies are targeted by hacks. This countervailing pressure offsets the expansion of standing by restricting liability.
In 2015 Congress passed the Cybersecurity Information Sharing Act (“CISA”), which protects businesses from liability under CISA § 106 when the entity is fulfilling the information-sharing purposes identified in CISA § 104. Although all fifty states, Washington D.C., and several U.S. territories have enacted data breach notification laws requiring businesses and governments to notify affected parties when a breach occurs, CISA is unique in encouraging vulnerability identification by offering liability protection in exchange. In contrast, New York is considering a move in the opposite direction: New York Assembly Bill A8169 would make companies strictly liable for attendant damages after falling victim to data breaches that result in compromised personal information.
The dust clearly has yet to settle as to whom companies will be liable to when data breaches occur; however, there are compelling reasons why corporations should not be double victims. First of all, they are facing formidable international government actors with vast resources to wage cyberwar. In a conventional war, suing a neighbor whose gas station exploded after a mortar strike and damaged your property would make no practical sense. This recognition of collateral damage should be adopted in instances of cyberwarfare. Ordinary negligence principles operate sufficiently to provide a remedy when inadequate security measures invite data compromise. For this reason, New York’s A8169 likely goes too far, particularly in light of increased statutory standing. Finally, punishing corporations that identify vulnerabilities will simply decrease business willingness to volunteer information. For example, ransomware attacks could be paid and never disclosed. This is a terrible outcome. Communication should be protected, as it is in CISA. In a cyberwar inherently based on information, it is vital that information sharing be encouraged as opposed to discouraged.
As standing appears to grow in data-privacy statutes, states fall on different sides of the line on liability. Unfortunately, increased liability might work against the mounting defense our country needs moving forward. State legislatures should consider the risk that increased liability creates double victimization.