Data Theft Today Poses Indefinite Threat of “Future Harm”

With each week seemingly bringing news of vast new breaches, victims are anxious and debate is raging about how to calculate the long-term costs -- and who should pay.

Benjamin Nuss was one of the nearly 80 million people whose social security number and personal information were compromised in this year’s Anthem data breach. He seems to have taken things in stride, continuing his daily routine of sharing computer time with his brother, eating healthy snacks and making crafts. Benjamin is four years old.

While it may seem trivial to think about the harm a preschooler will suffer from a data breach, the question is not what happens to him now, but what will happen years from now. Data theft poses an indefinite threat of future harm, as birthdate, full name and social security number remain a skeleton key of identity in many systems.

Benjamin’s mother, Jennifer Nuss, gave birth while the family had Blue Cross insurance, which was linked to Anthem’s databases. “They sent us a letter saying that Benjamin’s information may have been compromised. All they offered is, ‘We can watch Ben’s credit for you,’” she says. “But you can check that yourself for free.” A stay-at-home mother of two and an accounting student, Nuss is disciplined about family finances and checks her and her husband’s credit records and accounts regularly. “With Benjamin,” she adds, “well, we’re going to have to watch his information forever.”

While data breach victims like Nuss and his adult counterparts face open-ended questions about what lies ahead, the data wars are running hot, with each week seemingly bringing news of vast new breaches, victims and potential victims gripped with anxiety, and debate raging about the vulnerability of companies and government. All the uncertainty is raising thorny legal questions. The Supreme Court is readying to hear a case that could set new precedent on whether data breach lawsuits can be based on future harm. And, as the 2016 presidential race heats up, Republican White House contenders are pushing President Barack Obama to retaliate against China for its alleged role in hacking Anthem and federal databases.

When Anthem announced its breach in early February, government officials indicated it was the work of Chinese, state-funded hackers, possibly seeking the health records of employees at defense contractors like Northrop Grumman and federal workers. But most of the attention remained on the scale of the attacks. Last week, when the government revealed that a breach at the Office of Personnel Management (OPM) had compromised the records of 4.1 million current and former federal employees, the focus turned sharply to whether Chinese hackers were seeking U.S. intelligence targets.

Brandon Valeriano, a global security professor at the University of Glasgow, is the co-author of Cyber War versus Cyber Realities. He believes the hackers are likely a “contracted-out group that’s not exactly run by the [Chinese] government, but a free-hand insider” given latitude to run the operation. Some security firms have attributed the attack to what’s believed to be a state-linked hacker group known as Deep Panda, a viral but slightly ludicrous name bestowed by the firm CrowdStrike. U.S. officials are speaking about China publicly but only on background, says Valeriano, because, “Once they come out and [formally] attribute the attacks, it makes it harder to monitor and prevent them in the future. It’s a conundrum, because there’s a lot of mistrust of government right now,” people are clamoring for answers.

The Obama administration’s usual sparring partners certainly aren’t letting this opportunity pass. South Carolina Sen. Lindsey Graham posted on Facebook that “the massive data breach at the Office of Personnel Management may turn out to be yet another example of America being walked over by rivals and adversaries,” citing the potential for a “cyber ‘Pearl Harbor.’” Former Arkansas governor Mike Huckabee blogged that the U.S. should “hack the cell phones of some prominent Communist party leaders … publicly humiliate Chinese families for political corruption, or wipe-out a few critical Chinese computer systems.” Both Republicans are seen as presidential contenders.

Jockeying aside, the concerns are real. If the hackers pursue next steps in cyberespionage, they are likely to use the records they’ve acquired, cross-hatched with information from credit databases and even social media, to see who is vulnerable to blackmail or bribery for financial or personal reasons. In addition, they could use the email technique known as spear-phishing. Personalized missives putatively from friends, family or familiar companies install spyware or other malware if the recipient clicks on a link or opens an attachment.

A first-person article by William Gerrity published two years ago by Slate and the website Zócalo Public Square gives a vivid picture of what may lie ahead for those targeted. In 2007, Gerrity was checking his email after a long day working as a real estate developer in Shanghai. “The message greeted me by a nickname known only to family and close friends,” he wrote, “and it contained a proposal: I could pay 1 million renminbi (about $150,000 at the time), in exchange for which the sender would not forward the attachments to my business partners or competitors.”

In this case, the hackers had obtained confidential business documents, as well as personal correspondence about the death of his mother. The FBI advised him to refuse the request, which he did. But imagine that the request was not for payment in cash, but in federal information. And imagine the trade was not in business documents, but evidence of misconduct or criminal behavior on or off the job. That’s bait, if acquired and used, that could be harder for some to refuse.

UPDATE: In fact, federal officials later acknowledged that the OPM breach included what’s called a Standard Form-86, on which new hires (including military and intelligence officials) must reveal details that could make them vulnerable to blackmail or influence, including prior drug use, financial woes, and criminal convictions. The form also asks for ties to citizens of other countries; thus the hackers, if they are Chinese, would quickly be able to determine who has friends and family in their country.

Valeriano believes there’s still a gap between Chinese hackers acquiring the information and using it, particularly mining such a vast trove of data quickly. And they are under some time pressure. Unlike other breaches, in this case the hackers may have been seeking intelligence value, rather than monetary value, which creates more urgency. “I don’t see this as something they can store for use in five to ten years,” says Valeriano. “There’s so much turnover in the intelligence community.”

There may be a faint silver lining in this for Joe and Jane Everycitizen. “[The hackers] are really doing this for a very specific purpose. That means the everyday citizen, the everyday employee in the Department of Transportation, they’re not really seen as the target,” Valeriano says. “They shouldn’t be worried so much.” That said, there’s no guarantee that the “free-hand insiders” might not decide to sell information down the line, or that their own system might not be breached from without or within.

The impossibility of forecasting what will happen to stolen data has intensified legal wrangling over the rights of data breach victims. The ability of consumers to sue for future harm has, in many cases, been limited by a Supreme Court ruling that on its face had little to do with big commercial breaches. The journalists and human rights advocates who were plaintiffs in Clapper v. Amnesty International USA alleged they incurred additional cost and inconvenience protecting themselves against likely warrantless electronic surveillance of their international communications as a result of the FISA Amendments Act of 2008.

In 2013 the Supreme Court ruled 5-4 against them, concluding that the fear of future harm from surveillance wasn’t enough for plaintiffs to have standing to sue. The national security ruling has had implications for consumers: most lawsuits based on future harm from data breaches incurred while, say, shopping online have subsequently been ruled against in lower courts.

But there are exceptions, and not all courts have interpreted the Supremes’ ruling in Clapper as controlling in data breach claims, as with a 2014 District Court ruling against Sony, which found that plaintiffs faced a “credible threat of impending harm” from a game system data breach.

And a new case pending before the Supreme Court called Spokeo, Inc. v. Robins could change the game again. It centers around whether an unemployed Virginia man named Thomas Robins has legal standing to sue the search site Spokeo because it allegedly got details about his education, wealth and age wrong, which he says hurt his employment prospects. One sign of the interest in the case is the range of amicus (“friend of the court”) briefs filed, from companies including Facebook, eBay and Google, and credit monitors Experian and TransUnion. These companies house and often trade in data, and could potentially be open to huge class-action lawsuits.

For example, in 2013, Google agreed to pay $7 million to a coalition of state attorneys general for collecting private data from Wi-Fi networks while shooting images for Street View. Private individuals were not part of the suit — but if precedent changes, that may too.

Spokeo argues Robins hasn’t suffered concrete harm. And although his case is based on whether the company violated the Fair Credit Reporting Act, the ruling may have a broad impact on what standards companies are held to when it comes to protecting consumer data, and when consumers can sue.

Corporate lawyers and some legal scholars are hoping the court follows its logic in Clapper and decides that the plaintiffs lack standing because they have not suffered any injury yet. Dana Post, special counsel for e-discovery and data management at Freshfields Bruckhaus Deringer, says that a ruling for Robins in Spokeo could “open up the floodgate for lawsuits, in all contexts, but especially in data breach litigation. The mere allegation of a violation of a statute would allow their cases to go forward if Spokeo is affirmed.”

That prospect similarly dismays Stephen Embry of the firm Frost Brown Todd, who sees a ruling for the plaintiff as a bonanza for trial lawyers. But he understands why the legal system finds itself struggling to interpret old case law in the era of tech entrepreneurship. “As lawyers, our whole mindset involves looking back at precedents, looking back at the past to decide future questions,” he says. “The technological revolution in entrepreneurship is the opposite, very forward-looking. You have a lot of statutes enacted for different times and situations that the court has to apply in dealing with modern day problems. There’s a real tension there.” As in Clapper, courts have to decide whether legal precedent stands or is trumped by the changes in our world wrought by the digital revolution.

There’s another legal fork in the road — the question of what options victims of data breaches have if they’re offered a class action settlement. “Let’s take Target,” says Barry Goheen, a partner at King & Spalding. “There’s a pending settlement for the consumers. Notice has gone out or will go out. That brings the class member to the decision point.” And if they don’t do anything, or happen to throw the notice out or it goes to an old address, then they are included in the settlement — and precluded from filing future lawsuits.

But, says Goheen, if someone has not participated in a settlement, “There should be no statute of limitations running. Six years from now, three years from now, if that person’s information is used to open an account,” then they have grounds to pursue a civil lawsuit. In many cases, it’s worth noting, a person whose information is used for financial fraud ends up getting reimbursed by credit card companies or banks, rather than seeking compensation from the company whose data was breached.

Yet data breach victims aren’t only concerned with the financial bottom line. Many are more worried about doing the digital-era equivalent of constantly looking over their shoulder, waiting for someone to appropriate their identity, or dredge up some intimate, haunting secret they thought was long buried. It’s not likely that legislation or the courts can fix that.

Disclosure: Pierre Omidyar, founder of The Intercept’s parent company, First Look Media, is the founder and chairman of eBay.

Photo: Shutterstock

Join The Conversation