In re SuperValu Customer Data Security Breach Litigation

Concerning Whether Victims of Data Breaches Must Suffer Certainly Impending or Actual Concrete Harms (i.e., Damages) In Order to Sue

Summary

This case concerns a proposed class action against SuperValu after the grocery store chain was hacked, placing at risk the personal data of SuperValu customers. At issue is whether plaintiffs must demonstrate actual damages to satisfy the “injury-in-fact” requirement of Article III standing. The trial court dismissed the complaint, finding the plaintiffs failed to demonstrate they suffered an “injury-in-fact” because the risk of future damages was not imminent. But the trial court confused injury-in-fact, which is a legal injury, with actual damages, which are the consequential harm. This confusion is widespread among federal courts since the Supreme Court’s recent decision in Spokeo v. Robins.

On August 1, 2017, the U.S. Court of Appeals for the Eighth Circuit affirmed in part and reversed in part the district court’s decision. Though the court held that consumers need to allege actual identity fraud in order to establish an "injury in fact" for data breach claims, the court also concluded that one of the named plaintiffs met that test. The court therefore allowed the suit to move forward.

Top News

  • Federal Student Aid Office Not Protecting Student Privacy, GAO Audit Finds: The Federal Student Aid office (FSA) at the Department of Education is not doing enough to protect student privacy, according to an audit by the Government Accountability Office. The GAO found that FSA has failed to hold schools accountable for their lax data security practices that have resulted in numerous data breaches, and has not assessed the privacy risks for its own electronic records system. FSA collects personal information on students and their families to evaluate schools that receive federal student aid. The FSA claims that the FTC can manage privacy protection. EPIC has done extensive work to protect student privacy including a 2014 complaint to the FTC about a massive data breach that impacted students in Maricopa County. The FTC failed to act even though Maricopa county violated the FTC Safeguards Rule by failing to protect students' financial information. EPIC also urged Congress to strengthen student privacy protections following a FAFSA data breach. In 2012 EPIC sued the Department of Education for weakening student privacy protections. EPIC has proposed a Student Privacy Bill of Rights. (Dec. 6, 2017)
  • EPIC Amicus - Ninth Circuit Holds Violation of Video Privacy Law Establishes 'Standing': The Ninth Circuit issued an opinion today that addressed standing — the right to bring a lawsuit — under the Video Privacy Protection Act. The court found that the law protects a "substantive right to privacy that suffers any time a video service provider discloses otherwise private information." The court stated that a "plaintiff need not allege any further harm to have standing." EPIC filed an amicus letter brief in response to the court's request for parties to discuss standing following the Supreme Court decision in Spokeo v. Robins. EPIC urged the court to recognize that "Congress intended to protect consumers' concrete interests in the confidentiality of their video viewing records." Contrasting with the Spokeo decision concerning the Fair Credit Reporting Act, the federal appeals court agreed that the video privacy law protects a "substantive interest." However, the court found that "personally identifiable information" was not disclosed by ESPN. EPIC has filed amicus briefs defending consumers in several cases after the Spokeo decision, including in Attias v. Carefirst, Gubala v. Time Warner Cable, and In re SuperValu Customer Data Security Breach Litigation. (Nov. 29, 2017)
  • Senator Warner Questions Uber CEO On Why It Hid Data Breach » (Nov. 28, 2017)
    Senator Mark Warner sent a letter to the Uber CEO, Dara Khosrowshahi, questioning him about why the company covered up a data breach that affected 57 million consumers last year. Uber recently admitted that it hid a massive data breach from the public and paid the hackers $100,000 to delete the data. The stolen data included names, e-mail addresses, phone numbers, and drivers' licenses. Senator Warner told the Uber CEO that he had "grave concerns about your handling of a breach," including the fact that the company disclosed the breach to investors but not the public. Senator Warner has co-sponsored bipartisan legislation that would provide consumers with one free credit freeze per year and protect the credit ratings of veterans wrongly penalized by medical bills. EPIC's 2015 complaint with the FTC regarding Uber's abuse of personal data led to an FTC settlement in August, 2017. EPIC has also proposed a privacy law for Uber and other ride-sharing companies.
  • EPIC Provides U.S. Report for Privacy Experts Meeting » (Nov. 27, 2017)
    EPIC has provided a comprehensive report explaining the latest developments in U.S. privacy law and policy to the International Working Group on Data Protection in Telecommunications. The Berlin-based Working Group includes Data Protection Authorities and experts from around the world who work together to address emerging privacy challenges. The EPIC report details legislative proposals to address privacy and security risks of automated vehicles, the pending Supreme Court case concerning cell phone location tracking, Carpenter v. United States, the U.S. investigation of Russian interference in the 2016 election, the Equifax data breach, and more. The 62nd meeting of the IWG will take place in Paris, France on November 27-28. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the Goethe-Institut, Germany's cultural institute.
  • Uber Hid Massive Data Breach For Over A Year And Paid Hackers » (Nov. 21, 2017)
    Uber just admitted that hackers stole the personal data of 57 million Uber customers and drivers in October 2016. The data included names, e-mail addresses, phone numbers, and the license numbers of 600,000 drivers. Rather than disclose the data breach to the public, as required by law, Uber paid the hackers $100,000 to delete the information. Uber has a well-documented history of abusing consumer privacy. EPIC recently testified in the Senate for strong data breach legislation that would require companies to immediately notify affected consumers of data breaches. EPIC filed a complaint with the FTC in 2015 regarding Uber's egregious misuse of personal data. That complaint led to an FTC settlement with Uber in August, 2017. In 2015, EPIC also proposed a privacy law for Uber and other ride-sharing companies.
  • Senator Leahy Introduces Legislation To Protect Consumer Privacy » (Nov. 15, 2017)
    Senator Patrick Leahy (D-VT), joined by six other Senators, introduced comprehensive legislation to protect consumers from data breach and identity theft. The Consumer Privacy Protection Act of 2017 requires companies to provide notice to consumers after a data breach and meet certain baseline privacy and data security standards. The Act also prohibits companies from using a data breach to force consumers into individual arbitration, and would punish companies for concealing security breaches. Senator Leahy stated, "Companies that profit from our personal information should be obligated to take steps to keep it safe." Senator Leahy added, "In today's world, data security is no longer just about protecting our identities and our bank accounts; it is about protecting our privacy and even our national security." EPIC recently testified before the Senate Banking Committee in the wake of the Equifax breach, calling for consumer control over their personal data. EPIC President Marc Rotenberg also outlined several steps for Congress to reform the credit reporting industry in the Harvard Business Review.
  • Equifax, Yahoo Testify Before Senate on Data Breaches » (Nov. 9, 2017)
    The Senate Commerce Committee heard testimony this week from Equifax, Yahoo, and Verizon executives in a hearing on "Protecting Consumers in the Era of Major Data Breaches." A witness for a company selling identification systems recommended an "identity framework," with fingerprints and facial recognition to replace the Social Security Number. EPIC President Marc Rotenberg recently warned against replacing the SSN with a national biometric identifier in testimony before the Senate Banking Committee. Rotenberg has detailed how the credit reporting industry is broken and the steps Congress should take to give consumers greater control over their personal data. EPIC has urged the Senate Judiciary Committee, the House Financial Services Committee, and the House Energy Committee to establish new safeguards for consumers following the Equifax data breach.
  • Senate Restores Forced Arbitration, Undermines Data Protection » (Oct. 26, 2017)
    The Senate voted 51-50 (with Vice President Pence breaking the tie) to repeal the CFPB rule that prevented financial companies from forcing consumers into individual arbitration. Fine-print arbitration clauses in consumer contracts have proliferated ever since a pair of Supreme Court rulings held that courts must enforce these clauses. Equifax generated public outrage after its breach when it lured consumers into signing away their rights to sue the company. As the CFPB found, arbitration clauses that ban class actions inhibit consumers from obtaining meaningful relief and holding financial institutions like Equifax and Wells Fargo accountable when they break the law. Senators Franken (D-MN) and Leahy (D-VT) have introduced legislation that would prohibit companies from denying individuals their right to go to court. EPIC President Marc Rotenberg recently testified before the Senate Banking Committee on the Equifax data breach. Rotenberg said the "company tried to trick consumer into an arbitration agreement, guaranteeing that there would be few legal remedies for consumers following the breach."
  • In Senate Testimony, EPIC Calls for Reform of Credit Reporting Industry » (Oct. 16, 2017)
    EPIC's President Marc Rotenberg will testify this week before the Senate Banking Committee on reform of the credit reporting industry following the Equifax breach. The hearing, "Consumer Data Security and the Credit Bureaus," follows several Congressional hearings with Equifax CEO Richard Smith. Rotenberg will emphasize the need to limit the use of the Social Security number in the private sector and to give consumers control over their personal data. EPIC will recommend a national credit "freeze" and free life-term credit monitoring services for all U.S. consumers. Rotenberg detailed how the credit reporting industry is broken in a recent article in the Harvard Business Review. He also warned that the failure to update U.S. privacy law has placed the digital economy at risk and may lead to the suspension of trans-border data flows. EPIC has previously testified before the House and Senate on the need for Congress to address data breach and identity theft.
  • EPIC Urges Congress To Hold Equifax Accountable, Update Data Protection Law » (Oct. 3, 2017)
    EPIC has sent statements to Congress ahead of hearings in the House and Senate on the Equifax data breach. EPIC underscored the risk to American consumers of data breaches which are increasingly severe. EPIC urged Congress to require prompt data breach notification, data minimization, and privacy enhancing techniques. In 2011 EPIC testified in the House and Senate on data breaches in the financial services sector. EPIC President Marc Rotenberg recently outlined in the Harvard Business Review steps Congress should now take to protect American consumers.
  • Court Dismisses Suits Against OPM Over Data Breach that Affected 22 Million » (Sep. 20, 2017)
    A federal court in Washington, DC has dismissed two lawsuits against the Office of Personnel Management over the data breaches that compromised the records of 22 million federal employees and family members. The court acknowledged the "troubling allegations" raised by OPM's victims but ruled that "the fact that a person's data was taken" is not "enough by itself to create standing to sue." EPIC has long argued that data breach victims should not wait until they suffer identity theft to sue the parties that failed to protect their data. EPIC also filed comments last year with OPM recommending limits on data collection, has recommended updates to the federal Privacy Act, and has urged the Supreme Court to recognize a right to "informational privacy" and to ensure Privacy Act damages for non-economic harm.
  • Senators Introduce Data Breach Legislation In The Wake Of Equifax Breach » (Sep. 15, 2017)
    Senator Markey (D-MA) and several other Senators have introduced legislation that would provide consumers with more control over their personal data. The Data Broker Accountability and Transparency Act would allow consumers to access and correct their personal data and stop data brokers from using, disclosing, or selling their information for marketing purposes. The bill also requires data brokers to develop comprehensive privacy and data security measures and provide "reasonable notice" in the event of a breach. For years, EPIC has supported stronger data breach notification laws, and EPIC has testified before the Senate and House in support of a federal law. EPIC supports consumer control over personal data, and EPIC recommends mandatory breach notification procedures to ensure that consumers are aware when their personal data is wrongly obtained by others. Additionally, last year EPIC created http://www.dataprotection2016.org/ to promote the adoption of stronger privacy safeguards in the U.S.
  • 143 Million US Consumers Suffer Massive Data Breach, Equifax at Fault » (Sep. 8, 2017)
    In one of the most serious data breaches in U.S. history, the credit records of more than 140 million consumers, maintained by Equifax, have been compromised. Credit reports typically include social security numbers, driver's license information, and other personal data that make possible identity theft and financial fraud. Senator Warner said the breach “represents a real threat to the economic security of Americans." For years, EPIC has urged Congress to strengthen privacy laws and to require Privacy Enhancing Techniques that minimize or eliminate the collection of personal data. In 2011, EPIC testified before the House and the Senate on the specific risk of data breaches in the financial services sector. Equifax has set up www.equifaxsecurity2017.com to help consumers. Last year EPIC created www.dataprotection2016.org to promote the adoption of stronger privacy safeguards in the U.S.
  • Federal Appeals Court Rules Data Breach Case May Proceed » (Aug. 30, 2017)
    A federal appeals court has ruled that a major data breach case concerning Supervalu can move forward, rejecting the grocery chain's attempt to have the lawsuit dismissed. EPIC filed an amicus brief in the case, in support of the consumers, arguing that if "companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches." The appeals court agreed with EPIC that the lower court was wrong to dismiss the case. However, the court held that only a consumer who could demonstrate actual financial fraud could proceed with legal claims. EPIC regularly files amicus briefs defending consumers' right to sue companies that violate their privacy, including in Attias v. Carefirst, Gubala v. Time Warner Cable, and Spokeo v. Robins.
  • EPIC Backs Privacy Act Protections for "Insider Threat" Database » (Jul. 5, 2017)
    EPIC has sent comments to the Department of Justice criticizing a proposed "insider threat" database. This database replaces a similar database that was proposed and later rescinded by the FBI last fall and would allow the DOJ to collect virtually unlimited amounts of personal data from employees, contractors, interns, and visitors to DOJ facilities. Citing the size and scope of the database combined with recent government data breaches, EPIC warned that the database was putting federal employees and contractors at risk. EPIC has consistently warned against inaccurate, insecure, and overbroad government databases.
  • EPIC to Congress: Protect Student Privacy » (May. 2, 2017)
    EPIC has sent a statement to the House Committee on Oversight for the upcoming hearing on the FAFSA ("Free Application for Federal Student Aid") data breach, which compromised more than 100,000 taxpayer records. EPIC urged the Committee to protect student privacy. EPIC's testimony: (1) explained how the U.S. Education Department weakened key safeguards for student records, (2) described the privacy risks that students today face, (3) underscored the need for data security safeguards for student information, and (4) recommended that Congress adopt EPIC's Student Privacy Bill of Rights. EPIC has previously urged Congress, the Education Department, and the Federal Trade Commission to strengthen student privacy.
  • D.C. Circuit Hears Arguments in Data Breach Case » (Mar. 31, 2017)
    A federal appeals court in Washington, D.C. heard arguments today in a major data breach suit. The faulty security practices of Carefirst, a health insurer, allowed hackers to obtain the personal information of more than 1,100,000 customers. But a lower court dismissed the case because the judge believed that consumers must suffer actual identity theft before filing a lawsuit. EPIC's amicus brief explained that the judge misunderstood the law and confused the harm consumers eventually suffer with the failure of companies to uphold obligations to safeguard the data they choose to collect. The appellate judges today voiced similar doubts about the lower court's decision, suggesting that consumers don't have to wait until their identity is stolen to bring a lawsuit. One judge compared the case to a person putting down her driver's license to rent a Segway, only to have it stolen from the rental company. EPIC regularly files briefs defending the privacy rights of consumers.
  • Yahoo Responds to Senators About Data Breach » (Feb. 24, 2017)
    Yahoo has responded to a letter from Senators John Thune (R-SD) and Jerry Moran (R-KS) inquiring into data breaches that exposed over a billion user records in 2013 and 2014. Yahoo said in its response that it has notified users affected by the breaches, required users who had not changed their passwords since 2014 to do so, and encouraged all users to review their passwords and security questions. Yahoo's letter also discussed the steps the company has taken to improve its security program. EPIC testified in support of strong data breach notification laws in 2009 and 2011, launched "Data Protection 2016" to make privacy a campaign issue, and recently filed an amicus brief to protect the ability of consumers to sue companies that fail to protect their personal information.
  • Trump Order Threatens Consumer Protection, Public Safety » (Jan. 31, 2017)
    The President has issued an executive order requiring every new regulation to be offset by the repeal of at least two existing regulations. The Order could directly impact rules that safeguard consumers against data breach, financial fraud, and identity theft. EPIC has also recommended new public safety regulations concerning aerial drones, connected vehicles, and the Internet of Things. In EPIC v. FAA, EPIC is challenging the failure of the agency to protect the public from aerial surveillance.
  • White House Publishes Privacy Report, Data Breaches Continue to Rise, as Obama Leaves Office » (Jan. 19, 2017)
    As one of the final acts of the outgoing President, the White House has released "Privacy in our Digital Lives: Protecting Individuals and Promoting Innovation." In 2008, President Obama announced "Change We Can Believe In" and said he would "strengthen the privacy protections for the digital age and to harness the power of technology to hold government and business accountable for violations of personal privacy." Beginning after his election, privacy groups across the country urged the President to strengthen privacy in America. In 2012, Obama proposed a Consumer Privacy Bill of Rights but no legislation followed. After the Snowden revelations, Congress enacted the Freedom Act and Obama reformed intelligence practices, but the US failed to limit data collection outside the US. The "Privacy Shield," a framework to gather data for commercial use without legal protections, was put in place even after NGOs urged comprehensive reforms in the US and the EU. Between 2009 and 2016, the levels of data breach, identity theft, and financial fraud in the United States skyrocketed, even as Americans called for stronger protections. The 2016 Presidential election was marked by data breaches, email disclosures and cyber attack. The U.S. is still one of the few democratic nations in the world without a data protection agency.
  • EPIC Defends Right of Data Breach Victims to Seek Legal Relief » (Jan. 18, 2017)
    EPIC has filed a "friend-of-the-court" brief urging a federal appeals court to protect consumers' ability to sue companies that fail to safeguard personal information. A group of consumers sued health insurer Carefirst after the company's faulty security practices allowed hackers to obtain the personal information of 1,100,000 customers. A lower court wrongly dismissed the case because the judge believed that consumers must suffer identity theft before a court can consider violations of legal obligations. In the amicus brief, EPIC explained that the court misunderstood the relevant law, and confused the legal responsibility of companies to maintain good security with the harms that consumers eventually suffer. EPIC said courts should focus on whether companies have breached a legal obligation to safeguard personal data. EPIC regularly files briefs defending consumer privacy.
  • EPIC Urges TSA to Drop REAL ID Data Collection Plan » (Jan. 10, 2017)
    In comments to the TSA, EPIC urged the agency to abandon a proposed information collection plan under the REAL ID Act. REAL ID is a federal mandate to turn the state driver's license into a national identity statement. Many states have opposed REAL ID. The TSA now plans to subject Americans without a TSA "compliant" ID to broad information collection requirements. EPIC, supported by a broad coalition, opposed REAL ID because it compromised privacy and enabled government surveillance. EPIC provided detailed comments to DHS and later issued a report. Since adoption of REAL ID, many states have suffered data breaches of DMVs because of criminals seeking REAL ID mandated documents.
  • White House Issues Data Breach Guidance for Federal Agencies » (Jan. 4, 2017)
    The White House Office of Management and Budget has released guidance establishing common standards and practices for how federal agencies manage data breaches. The Data Breach Memorandum sets out a risk-based framework for evaluating data breaches and requires each agency to develop a data breach response plan. Not all breaches will trigger individual notification under the guidance. The new guidance comes four months after a House Government and Oversight Committee report criticized the Office of Personnel Management about the 2015 data breaches that compromised the records of 22 million federal employees and family members. EPIC testified in 2009 and 2011 in support of strong data breach notification laws, filed comments with the Office of Personnel Management recommending limits on data collection, and has urged the Supreme Court to recognize a right of "information privacy" that would limit the ability of the federal government to collect personal information.
  • Data Stolen from Over One Billion User Accounts in Second Yahoo Data Breach » (Dec. 15, 2016)
    Yahoo announced this week that data was stolen from over one billion user accounts in August 2013. The breach included names, email addresses, telephone numbers, dates of birth, passwords, and security questions and answers. More than 150,000 U.S. government and military employees are among the victims. Yahoo's earlier breach drew wide-ranging concern from U.S. Senators to European privacy officials. EPIC testified in support of strong data breach notification laws in 2009 and 2011 (urging Congress to establish a short timeline for notification to users of breaches), launched the Data Protection 2016 campaign to make privacy a campaign issue, and recently filed an amicus brief to protect the ability of consumers to sue companies that fail to protect their personal information.
  • EPIC Scrutinizes FBI "Insider Threat" Database » (Oct. 20, 2016)
    In comments to the FBI, EPIC criticized a proposed "Insider Threat" database that would gather virtually unlimited amounts of personal data outside the protections of the federal Privacy Act. EPIC urged the FBI to limit the scope of data collection and drop proposed Privacy Act exemptions. Citing the recent surge in government data breaches, including the breach of 21.5 million records at OPM, EPIC warned that FBI data practices pose a risk to federal employees. EPIC has consistently warned against inaccurate, insecure, and overbroad government databases. Earlier this year, EPIC filed comments with DOD and DHS regarding similarly flawed proposals to expand data collection without adequate privacy safeguards.
  • Senators Seek Answers About Yahoo's Massive Data Breach » (Sep. 27, 2016)
    Led by Senator Patrick Leahy, several senators sent a letter to Yahoo’s CEO, Marissa Mayer, seeking answers about the massive data breach that compromised the sensitive data of 500 million accounts. The Senators were troubled by the delay in breach notification, stating “We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week.” EPIC testified in support of strong data breach notification laws in 2009 and 2011 and urged Congress to ensure that users are “notified promptly” when personal information is wrongfully disclosed. EPIC launched “Data Protection 2016” to make privacy a campaign issue and recently filed an amicus brief to protect the ability of consumers to sue companies that fail to protect their personal information.
  • Data Protection 2016: 500 Million Yahoo Users Victims of Massive Data Breach » (Sep. 22, 2016)
    Yahoo has announced that the personal data of at least 500 million users was breached in late 2014. The breach included users’ names, email addresses, telephone numbers, dates of birth, passwords and security questions and answers. For many years, EPIC has urged the Administration and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. This year EPIC launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election, calling it “the most important, least well understood issue” of this election.
  • House Report Criticizes OPM Handling of Massive Data Breach Last Year » (Sep. 7, 2016)
    In a press release, the House Oversight and Government Reform Committee released a report criticizing the Office of Personnel Management’s handling of the data breach in 2015. The breach compromised the information of over 21.5 million individuals, including federal employees, their families and friends. The report concluded the OPM breach was preventable and recommended numerous measures including less use of social security numbers. For many years, EPIC has urged the Administration and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. EPIC has also supported new limits on the collection and use of the SSN. This year EPIC launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election.
  • Data Protection 2016: Nationwide Hotel Data Breach » (Aug. 15, 2016)
    Sheraton, Hyatt, Westin, and Marriott hotels in 10 states and Washington, D.C. have announced that hotel payment records were breached beginning as early as March 2015. Malware discovered in at least 20 hotels across the country collected customers’ names and payment card numbers, card expiration dates, and verification codes. Surprisingly, the hotels said that they will not notify individual customers of the breach. Almost every state in the country has a mandatory breach notification law. Hyatt announced another payment card breach earlier this year at 250 hotels in approximately 50 countries. EPIC launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election, calling it “the most important, least well understood issue” of this election.
  • EPIC Defends Right of Data Breach Victims to Seek Legal Relief » (Jul. 20, 2016)
    EPIC has filed an amicus brief urging a federal appeals court to protect a consumer’s ability to sue companies that fail to protect their personal information. A group of consumers sued a grocery chain after faulty security practices left their credit card information exposed to hackers. A lower court dismissed the privacy case because consumers had not yet suffered from fraudulent transactions. In its brief, EPIC explained that the court misunderstood the relevant law, confusing the legal obligations of companies to maintain good security with the harm that consumers eventually suffer. For the purposes of filing a lawsuit, EPIC said courts should focus on whether companies have violated a legal obligation such as safeguarding personal data, including credit card information. EPIC regularly files briefs defending consumer privacy.
  • Lack of Privacy Impacts Internet Use, Economy, Says NTIA Survey » (May. 16, 2016)
    A recent study by the National Telecommunications and Information Administration found that nearly half of Internet users in the US refrained from online activities due to privacy and security concerns. Identity theft was the top concern, cited by 63 percent of respondents, followed by financial fraud, noted by 45 percent. Nearly a quarter of Americans cited concerns about online tracking. “In addition to being a problem of great concern to many Americans, privacy and security issues may reduce economic activity and hamper the free exchange of ideas online,” NTIA concluded. EPIC has supported enactment of the Consumer Privacy Bill of Rights and recently launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election.
  • NY Attorney General Reports 40% Increase in Data Breaches » (May. 5, 2016)
    New York Attorney General Eric Schneiderman announced that his office has received 459 notices of data breaches impacting New Yorkers so far in 2016, representing a 40 percent increase over the same period last year. The office expects to receive a record-setting thousand notices or more this year. "Data breaches are an escalating threat to our personal and national security, and companies need to do more to ensure reasonable security practices and best standards are in place to protect our most sensitive information," said Schneiderman. EPIC recently launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election.
  • California AG Releases 2016 Data Breach Report, Retail and Financial Sectors Most Vulnerable » (Feb. 18, 2016)
    A new report from California Attorney General Kamala Harris examines data breaches in California from 2012 to 2015. There were 657 data breaches during the last four years, which compromised over 49 million records. The retail sector experienced the largest share of breaches at 25%, followed by the financial sector at 18%. Among several recommendations, the report recommends that organizations adopt strong encryption. "Government and the private sector have a shared responsibility to safeguard consumers from threats to their privacy, finances, and personal security," Attorney General Harris stated. The Attorney General received a 2015 EPIC Champion of Freedom Award. EPIC recently launched "Data Protection 2016," a non-partisan campaign to make data protection an issue in the 2016 election.
  • Hackers Breach US Government Database, No Recourse for Non-Americans » (Feb. 9, 2016)
    Less than a week after the European and US governments struck a deal for a framework to permit transborder data flows of personal data, hackers breached sensitive personal data at the US Department of Homeland Security. The DHS stores vast amounts of personal information on non-US persons, including detailed travel information. Under current law, non-US persons have no legal rights when federal agencies fail to safeguard their personal data. EPIC is seeking release of the so-called "Privacy Shield" and has launched a new campaign to promote Data Protection in the United States.
  • Markey and Barton Pursue VTech Data Breach » (Dec. 2, 2015)
    Senator Edward Markey (D-Mass.) and Congressman Joe Barton (R-Tex) have asked VTech, "How do you protect children's information?" The electronic toy producer recently exposed the personal profiles of millions of children in a hack. The personal data included names, mailing addresses, email addresses, download history, birthdates, and genders. Senator Markey and Congressman Barton asked about VTech's data and security practices, including compliance with the Children's Online Privacy Protection Act, the data the company collects about children, and its security standards. EPIC has testified several times before Congress on protecting children's data and supported the updates to the Children's Online Privacy Protection Act.
  • Administrative Decision Tosses LabMD Data Security Case » (Nov. 21, 2015)
    An administrative law judge has dismissed an FTC complaint alleging that LabMD failed to provide reasonable data security for personal information. The administrative law judge found that the FTC's regulation of unfair trade practices requires a showing that consumer harm was "probable," not just "possible." The decision--which is not binding on federal or state courts--leaves in place the decision in FTC v. Wyndham, which held that the FTC can enforce data security standards. EPIC filed an amicus brief in Wyndham, defending the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards."
  • EPIC Testifies Before Senate on Risks of SSN on Medicare Cards » (Oct. 6, 2015)
    EPIC will testify before the Senate Committee on Aging about "Protecting Seniors from Identity Theft: Is the Federal Government Doing Enough?" A law enacted earlier this year prohibits the inclusion of SSNs on Medicare cards, but the federal agency tasked with implementing the change has said it will take years. In a prepared statement, EPIC President Marc Rotenberg warns about the growing risk of SSN-related identity theft. Mr. Rotenberg said, "Given the growing risk of identity theft coupled to the SSN and the fact that other federal agencies have already removed the SSN from identity cards, there is simply no excuse for further delay." EPIC has long urged Congress and state legislators not to use the SSN on identity documents.
  • Appeals Court Upholds FTC's Data Security Authority » (Aug. 24, 2015)
    A federal appeals court ruled that the Federal Trade Commission can enforce data security standards. In FTC v. Wyndham, the agency sued Wyndham hotels after the company exposed financial data of hundreds of thousands of customers. The company argued that the FTC lacked authority to enforce security standards, but the court disagreed. EPIC filed an amicus brief, joined by leading technical experts and legal scholars, defending the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards." EPIC explained that data breaches, which caused more than $500 million in damages last year alone, are one of the top concerns of American consumers.
  • Federal Appeals Court Revives Driver Privacy Claims » (Aug. 20, 2015)
    In McDonough v. Anoka County, a federal appeals court has revived several cases under the Driver's Privacy Protection Act. A lower court previously ruled that the plaintiffs, including female journalists, failed to bring the claims in time. EPIC argued as amicus that "discovery" not "occurrence" is the correct standard for time limitations in privacy cases. Although the appellate court affirmed that some claims were time barred, it permitted many of the claims to proceed. The defendants' justifications for accessing the plaintiffs' driving records, wrote the court, "are not sufficiently convincing to undermine the reasonable inference of impermissible purpose." The appellate court also acknowledged that "[EPIC] raises legitimate concerns about the ability of identity thieves to utilize sensitive personal information found in motor vehicle records and the difficulty in detecting such a crime within the applicable limitations period."
  • Federal Appeals Court Recognizes "Substantial Risk of Future Harm" » (Jul. 29, 2015)
    In a landmark opinion, the Seventh Circuit Court of Appeals has ruled that a class action lawsuit against Neiman Marcus may continue because of the ongoing risk to customers whose personal information was compromised in a data breach. The case stems from a breach of the Neiman Marcus customer database that exposed 350,000 credit card numbers and subjected more than 9,200 customers to fraud. A lower court ruled that since the identified fraud victims had been reimbursed, Neiman Marcus was off the hook for future claims. However, the Seventh Circuit ruled that the plaintiffs, customers who were not yet aware of fraud, faced a "substantial risk of future harm," and that this risk was enough to allow the class action to continue. According to the Federal Trade Commission, identity theft remains the top concern of American consumers.
  • Massive Government Data Breach Even Worse than Reported » (Jun. 25, 2015)
    A Congressional hearing on the Office of Personnel Management data breach has now revealed one of the worst data breaches in US history. The agency initially reported that the personal information of 4 million government employees was obtained, but news reports suggest the breach was much larger--exposing the social security numbers of more than 18 million people. EPIC has urged the White House and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. EPIC has also testified before the House and the Senate in support of stronger security measures to protect personal data.
  • California AG Urges Congress to Reform Data Breach Notification Bill » (May. 21, 2015)
    California Attorney General Kamala Harris has admonished the House Energy and Commerce Committee about the proposed Data Security and Breach Notification Act. In a letter to Committee leadership, Harris wrote, "I urge you to recognize the important role that states play in developing innovative approaches to consumer protection, and to reject a one-size-fits-all law that establishes a ceiling rather than a floor on data security and data breach notification and consumer protection." California's Constitution guarantees the right to privacy, and California passed the first ever state data breach notification law. EPIC has also warned that the House bill would preempt stronger state laws and strip the FCC of its authority to defend consumer privacy.
  • EPIC Launches State Policy Project » (May. 5, 2015)
    EPIC has launched the EPIC State Policy Project to track legislation across the country concerning privacy and civil liberties. The EPIC State Project will identify new developments and model legislation. The Project builds on EPIC's extensive work on emerging privacy and civil liberties issues in the states. The new State Project will focus on student privacy, drones, consumer data security, data breach notification, location privacy, genetic privacy, the right to be forgotten, and auto black boxes.
  • House Reconsiders Data Breach Bill » (Apr. 15, 2015)
    Members of the Energy and Commerce Committee have convened to rework the Data Security and Breach Notification Act. The Act, introduced by Reps. Blackburn and Welch, would require businesses to notify consumers of a data breach "unless there is no reasonable risk of identity theft or financial harm." The bill would also preempt stronger state laws, and would strip the FCC of its authority to protect consumer privacy. Rep. Frank Pallone and others have raised concerns. EPIC previously urged Congress to adopt baseline federal law that would allow states to develop innovative legislative responses to privacy risks.
  • Massive AT&T Consumer Privacy Violation Results in $25 Million FCC Penalty » (Apr. 8, 2015)
    The Federal Communications Commission has settled an enforcement action against AT&T for the company's massive consumer privacy violations. According to the Commission, employees at AT&T call centers around the world accessed the "CPNI" (call record information) of nearly 280,000 U.S. customers without their permission. That information was then distributed to traffickers of stolen cell phones. As a condition of settlement, AT&T will pay a $25 million penalty, eclipsing the 2014 Verizon settlement as the FCC's largest ever data security action. EPIC has long supported the robust defense of CPNI privacy.
  • Data Breach Bill Would Preempt State Law, Weaken FCC Authority » (Mar. 13, 2015)
    Representatives Burgess, Blackburn, and Welch have proposed a bill for data breach notification. The Data Security and Breach Notification Act would require businesses to notify consumers of a data breach "unless there is no reasonable risk of identity theft or financial harm." The bill would also preempt stronger state laws, and would strip the FCC of its authority to protect consumers' privacy. In 2005, EPIC testified before Congress on "Identity Theft and Data Broker Services" and urged the regulation of data brokers following the disclosure that Choicepoint sold personal information to identity thieves. In 2009 and again in 2011, EPIC favored baseline federal law that would allow states to innovate and develop new legislative responses to privacy risks.
  • Federal Court Considers FTC's Data Protection Authority » (Mar. 3, 2015)
    A federal appeals court heard arguments today in FTC v. Wyndham, an important data privacy case. Wyndham Hotels, which exposed hundreds of thousands of customer records in a data breach, is challenging the FTC's authority to enforce data security standards. In an amicus brief joined by legal scholars and technical experts, EPIC defended the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards." EPIC explained that the damage caused by data breaches - more than $500 million last year - makes data security one of the top concerns of American consumers. EPIC warned the court that "removing the FTC's authority to regulate data security would be to bring dynamite to the dam."
  • Anthem Breach Shows Risks of "Big Data" » (Feb. 5, 2015)
    One of the largest health insurers in the country has lost millions of medical records of American consumers. The most recent breach of sensitive medical information shows the dangers of "Big Data" and the mistaken conclusion of the report of the President's Science Advisors, which simply assumed the benefits of data collection. EPIC has urged the FTC to establish data minimization procedures for companies to limit the risks of data breaches.
  • EPIC Urges House to Safeguard Consumer Privacy » (Jan. 26, 2015)
    EPIC has sent a statement to the House Commerce Committee for the hearing, "What are the Elements of Sound Data Breach Legislation?". EPIC had testified before the House Committee in 2011 on data breach notification, urging Congress to set a national baseline standard. EPIC also supports enactment of the Consumer Privacy Bill of Rights. EPIC also urged the House Committee to promote "algorithmic transparency." EPIC has warned that “[t]he ongoing collection of personal information in the United States without sufficient privacy safeguards has led to staggering increases in identity theft, security breaches, and financial fraud.”
  • Obama Issues Executive Order to Strengthen Consumer Privacy » (Oct. 17, 2014)
    President Obama signed an Executive Order today to Improve the Security of Consumer Financial Transactions. The Order will require enhanced security features for government financial transactions, including chip-and-PIN technology which has greatly reduced financial fraud and identity crimes in Europe. The Executive Order states that "the Government must further strengthen the security of consumer data and encourage the adoption of enhanced safeguards nationwide in a manner that protects privacy and confidentiality..." The White House also announced a series of measures to safeguard consumer financial security, including more secure payment systems, efforts to reduce identity theft and support "algorithmic transparency." EPIC has endorsed many of these proposals. The White House also announced a summit on cybersecurity and consumer protection. For more information, see EPIC: "Cybersecurity and Data Protection in the Financial Sector" (House 2011), EPIC: "Cybersecurity and Data Protection in the Financial Sector" (Senate 2011), and EPIC: Identity Theft.
  • Home Depot Data Breach Exposes Millions of Credit Card Records » (Sep. 4, 2014)
    A data breach at Home Depot might have exposed millions of consumers' credit card records, according to an announcement from Home Depot's corporate center. "We're looking into some unusual activity that might indicate a possible payment data breach," the announcement read, "If we confirm a breach has occurred, we will make sure our customers are notified immediately." In the last year, 70 million Target customers, 33 million Adobe users, 4.6 million Snapchat users, and potentially all 148 million eBay users had their personal information exposed by database breaches. In May of this year, the President's science advisors surprisingly found little risk in the massive collection of personal data by companies. However, a recent FTC report on data brokers warned that "collecting and storing large amounts of data not only increases the risk of a data breach or other unauthorized access but also increases the potential harm that could be caused." EPIC has urged the White House to enact the Consumer Privacy Bill of Rights and to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. For more information, see EPIC: Big Data and the Future of Privacy, and EPIC: Identity Theft.
  • Report - Half of American Adults Data Hacked So far This Year » (May. 29, 2014)
    A new report finds that 432 million online accounts in the US have been hacked this year, affecting about 110 million Americans. In the last year, 70 million Target customers, 33 million Adobe users, 4.6 million Snapchat users, and potentially all 148 million eBay users had their personal information exposed by database breaches. Earlier this month, the President's science advisors found little risk in the continued collection of personal data. However, the FTC's recent report on data brokers warned that, "collecting and storing large amounts of data not only increases the risk of a data breach or other unauthorized access but also increases the potential harm that could be caused." Earlier, EPIC urged the White House to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. For more information, see EPIC: Big Data and the Future of Privacy, EPIC: Identity Theft and EPIC: Choicepoint.
  • FTC Chair Ramirez Urges Senate to Act on Data Security Legislation » (Feb. 5, 2014)
    The Senate Judiciary Committee hearing on "Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime" followed a series of major data breaches at Target, Neiman Marcus, and Michaels, which compromised the personal data of tens of millions of consumers. Senator Leahy, who has introduced important data privacy legislation, said "In the digital age, Americans face threats to their privacy and security unlike any time before in our Nation's history." FTC Chair Edith Ramirez expressed strong support for federal data security legislation. In 2012 President Obama set out a framework for consumer privacy protection, the Consumer Privacy Bill of Rights, which is supported by consumer privacy organizations. For more information, see EPIC: Privacy Legislation, EPIC: Identity Theft, and EPIC: Federal Trade Commission.
  • Senator Leahy Proposes Consumer Privacy Legislation » (Jan. 9, 2014)
    Senator Leahy has introduced the Personal Data Privacy and Security Act of 2014. The Act would strengthen privacy and data security by establishing a national standard for data breach notification, and requiring companies to create a data privacy and security program to protect and secure sensitive data. The bill follows a massive data breach at Target that compromised the personal data of more than 40 million consumers. Senator Leahy stated that the bill "aims to better protect Americans from the growing threats of data breaches and identity theft" and said there would be a hearing in the Judiciary Committee later this year. In 2012 President Obama set out a framework for consumer privacy protection, the Consumer Privacy Bill of Rights. For more information, see EPIC: Privacy Legislation and EPIC: Identity Theft.
  • Identity Theft Remains Top Concern of US Consumers » (Feb. 29, 2012)
    According to the Federal Trade Commission, identity theft was the top source of consumer complaints in 2011 comprising 15 percent of the 1.8 million total complaints filed. This is the 12th year in a row in which identity theft has occupied the top position. The report contains data on 30 complaint categories, which are broken down by metropolitan areas and provided to state and local law enforcement offices. For more information, see EPIC: FTC and EPIC: Identity Theft.
  • Data Breach Legislation Moves Forward in the Senate » (Sep. 26, 2011)
    Three data breach bills are headed to the Senate floor after a favorable vote in the Senate Judiciary Committee. The bills [S. 1151, S. 1535, S. 1408] set out a variety of approaches to protecting user data and warning users when personal data is improperly released. Testifying recently before the Senate and the House, EPIC has supported new measures for online privacy but warned against a federal law that would "preempt" stronger state laws.
  • California Passes Updated Data Breach Legislation » (Sep. 1, 2011)
    California has enacted Senate Bill 24, first introduced in 2001 by Senator Joe Simitian, which strengthens existing state breach notification law. Since 2002, California law has required data holders to notify individuals if their data is breached, but the law did not specify what information should be included in the notification. This new law specifies the information that should be provided, including instructions on how to contact credit agencies. The law also requires that the state Attorney General be notified in the event of a breach. EPIC testified in 2009 before the House Commerce Committee against "federal preemption" in national data breach legislation, citing important legislative innovations to protect consumers that take place in states such as California. For more information, see EPIC: ID Theft.
  • House Subcommittee Approves Weak Data Breach Bill » (Jul. 21, 2011)
    A House Commerce Subcommittee voted in favor of the SAFE Data Act, a data breach bill sponsored by Rep. Bono Mack (R-CA). The bill requires companies to act quickly in the case of breach and encourages minimization of data collection. However, the bill preempts stronger state laws and does not adequately protect personal information. EPIC Executive Director Marc Rotenberg testified before the Subcommittee on this bill. EPIC emphasized the growing problem of data breaches and the likelihood that problems would get worse as more user data moves to cloud-based services. For more information, see EPIC: Identity Theft. Webcast.
  • In Response to Mounting Evidence of Data Breach Risk, EPIC Urges Congress to Act » (Jun. 21, 2011)
    EPIC Executive Director Marc Rotenberg testified before the Senate Banking Committee, urging lawmakers to apply breach notification regulations to financial institutions and promote authentication techniques that reduce risks to consumers. EPIC observed that "current laws do not adequately protect consumers," and highlighted a series of recent high profile data breaches in the financial sector. The hearing, "Cybersecurity and Data Protection in the Financial Sector" follows May 2011 data breaches at Citigroup and Bank of America. The breaches exposed sensitive financial data linked to hundreds of thousands of consumers; individuals lost millions of dollars from their accounts. EPIC previously testified before the House concerning data breach legislation. For more, see EPIC: Identity Theft and EPIC Testifies in Congress on Data Breach Legislation.
  • EPIC Testifies in Congress on Data Breach Legislation » (Jun. 15, 2011)
    EPIC Executive Director Marc Rotenberg testified today before the House Commerce Committee on the SAFE Data Act, a bill introduced by Rep. Bono Mack to require greater protection for sensitive consumer data and timely notification in case of breach. EPIC emphasized the growing problem of data breaches and the likelihood that problems would get worse as more user data moves to cloud-based services. EPIC supported recent changes in the bill that would require companies to act more quickly in case of breach and encourage minimization of data collection. EPIC recommended changes in the bill to strengthen enforcement, require notification, protect identifiers linked to individuals, and ensure that state governments are able to respond on behalf of consumers as new problems emerge. Webcast
  • Senator Leahy Introduces Data Privacy Bill » (Jun. 8, 2011)
    Senator Leahy introduced the Data Privacy Bill of 2011, which is aimed at increasing protection for Americans' personal information and privacy. The bill establishes a national breach notification standard, and requires businesses to safeguard consumer information and allow consumers to correct inaccurate information. Leahy previously sponsored the Personal Data Privacy and Security Act in 2005 and has introduced similar legislation in the last three Congresses. For more information, see EPIC: Identity Theft and Summary of Legislation.
  • EPIC Tells FTC To Step Up Enforcement Against Debt Collectors » (May. 27, 2011)
    EPIC submitted a statement to the Federal Trade Commission in response to a public request for feedback about new trends in technology, consumer protection, and the debt collection industry. EPIC argued that Congress has authorized the FTC to bring much stronger regulations to bear on the debt collection industry. The Fair Debt Collection Practices Act prohibits debt collectors from publicizing consumers' debts to any third party. Section 5 of the FTC Act bars unfair and deceptive trade practices. The Gramm-Leach-Bliley Act gives debt collectors an affirmative legal duty to protect the sensitive information they collect. Congress gave the FTC authority to enforce all three of these laws. EPIC cited the sharp rise in complaints to the agency about debt collectors and a recent criminal case against debt collectors who coordinated with an identity theft scheme in Buffalo, New York as compelling reasons for the agency to introduce meaningful enforcement actions. For more information, see EPIC: Identity Theft.
  • Senator Leahy Calls for Updates to Federal Privacy Law, Attorney General Confirms Sony Investigation » (May. 4, 2011)
    At a Justice Department oversight hearing, Senate Judiciary Chairman Patrick Leahy today urged Congress to enact the bipartisan Personal Data Privacy and Security Act. He also said that the "collection, use and storage of Americans’ sensitive personal information, including by mobile technologies, is an important privacy issue." He asked the Attorney General to work with the Congress on updates to the Electronic Communications Privacy Act and other Federal laws implicating Americans’ privacy. During the hearing, the Attorney General confirmed an investigation into the Sony network attack, considered the most serious data breach to date. For more information, see EPIC - Wiretapping, EPIC - Identity Theft.
  • Senator Blumenthal Asks Justice Department to Investigate PlayStation Breach » (Apr. 29, 2011)
    Senator Richard Blumenthal (D-CT) wrote to Attorney General Eric Holder asking that the Department of Justice open an investigation into the Sony PlayStation security breach. Sony recently informed PlayStation Network customers that an "unauthorized user" had obtained the personal and financial information of 70 million gamers, including minors. Blumenthal wrote that whoever hacked into the PlayStation Network violated the Computer Fraud and Abuse Act. He also expressed concern about Sony's week-long delay in notifying users about the breach. In 2009, EPIC testified before Congress about the need to strengthen data breach notification laws, noting "in the absence of security obligations and breach notification requirements, it is too easy for firms to continue bad practices." For more information, see EPIC: Identity Theft.
  • Privacy Watchdog Receives Broad Protection for Publishing Public Records » (Apr. 15, 2011)
    A federal judge has issued a final order in favor of privacy advocate Betty Ostergren, who challenged a state law designed to prosecute her for drawing attention to the state's poor security practices. Ostergren had posted public records on her website that included Social Security Numbers made available by the state of Virginia. A district court held that Virginia may not prosecute her for re-publishing the Social Security Numbers of state officials. On appeal, a federal appeals court ruled that the lower court's holding was too limited, and on remand the court said that Ostergren can re-publish any publicly available documents. EPIC filed a "friend of the court" brief in support of Ostergren, urging the court to hold that the First Amendment protects Ostergren's speech. For more information, see EPIC: Ostergren v. McDonnell, EPIC: Social Security Numbers, and EPIC: Identity Theft.
  • Epsilon Data Breach Threatens E-mail Privacy of Millions » (Apr. 7, 2011)
    Epsilon, a large marketing firm, has lost the names and e-mail addresses of customers of Walgreens, JP Morgan Chase, Capital One, TiVo, and other large companies. The firm announced the data breaches late last week. Data service providers, such as Epsilon, are not well known by consumers and are not typically regulated. Epsilon provides data analytics, targeting, and profiling of customers, as well as e-mail tracking services. Previously, EPIC provided comments to the Federal Trade Commission and testimony to the United States Congress on the need for comprehensive privacy protection for customer data. For more information, see EPIC: Identity Theft.
  • Social Security Protection Act of 2010 Becomes Law » (Dec. 23, 2010)
    President Obama signed a bill aimed at reducing identity theft by limiting the Government's use of and access to social security numbers. The bill, which passed the House and Senate, prohibits government agencies from printing social security numbers on checks and from allowing prison inmates access to social security numbers. "Social Security numbers are among Americans' most valuable but vulnerable assets," said Sen. Feinstein, a sponsor of the bill. "Identity theft is a serious concern for all consumers, and we should make every effort to protect personal information." EPIC has testified many times before Congress on the need to safeguard the SSN, including House hearings in 2000, 2001, 2006, and 2007, and EPIC has also litigated important cases on SSN privacy. For more information, see EPIC: Social Security Numbers, EPIC: Identity Theft, and EPIC: Doe v. Chao.
  • Web Companies Defend Data Collection Practices, Google Absent » (Oct. 12, 2010)
    Eleven internet companies responded to Rep. Markey and Rep. Barton's request for information regarding their data collection practices. However, the companies said that it is "impossible" for them to eliminate online tracking of consumer behavior. Google refused to respond to the survey questions. At the same time, Microsoft, Intel Corp. and eBay announced support for Rep. Rush's "Best Practices Act." This bill contains a private right of action as well as a safe harbor for companies that comply with a self-regulatory "Choice Program" approved by the Federal Trade Commission. EPIC recently testified before Chairman Rush's committee and recommended new safeguards for Internet users. For more information, see EPIC: Identity Theft.
  • Senate Holds Hearing on Data Security and Breach Notification Bill » (Sep. 24, 2010)
    The Senate Commerce Committee held a hearing on S. 3742, The Data Security and Breach Notification Act of 2010. This bill requires security policies for consumer information, regulates the information broker industry, and establishes a national breach notification law. EPIC director Marc Rotenberg testified on a similar bill in the House recommending support but also urging lawmakers to strengthen the proposed law by adopting a broader definition of "personally identifiable information" and permitting stronger state laws to remain. The Senate thus far has not addressed these concerns. For more information, see EPIC: Identity Theft.
  • Appeals Court Protects Free Speech for Privacy Advocate » (Jul. 26, 2010)
    Privacy Advocate Betty Ostergren has won in federal appeals court in her challenge to a state law designed to prosecute her for drawing attention to the state's online publication of SSNs. In Ostergren v. Cuccinelli, the court ruled that the Commonwealth of Virginia may not prosecute Ostergren for publishing the SSNs of state officials available in public land records until the Commonwealth itself stops making these unredacted documents available. EPIC filed a "friend of the court" brief in support of Ostergren, urging the court to hold that the First Amendment protects Ostergren's speech. For more information, see EPIC Ostergren v. McDonnell, EPIC Social Security Numbers, and EPIC Identity Theft.
  • FTC Delays Identity Theft Rule Yet Again » (Jun. 2, 2010)
    The Federal Trade Commission is delaying, for the fourth time, its enforcement of the "Red Flags Rule." This rule requires creditors and financial institutions to implement programs to identify, detect and respond to the warning signs, or “red flags,” that could indicate identity theft. The FTC has decided to delay enforcement through the end of the year in order to give Congress time to enact legislation that could clarify what kind of entities would be considered "creditors" under the rule. For more information, see EPIC: Identity Theft.
  • Inspector General: ID Theft Not a Priority at Justice Department » (Mar. 31, 2010)
    The Inspector General's Office released a new report on the Department of Justice's Efforts to Combat Identity Theft. The report states that identity theft is a growing problem, but the Justice Department's efforts to combat the crime have "faded as priorities." The Inspector General concludes that the Department has failed to develop a coordinated plan to combat identity theft since a 2007 task force report. In 2007, EPIC proposed a comprehensive strategy to "address the root causes of identity theft: excessive data collection and lax security practices." For more information, see EPIC: Identity Theft.
  • Massachusetts Data Protection Law Goes into Effect » (Mar. 10, 2010)
    Massachusetts’s new data protection law went into effect at the beginning of March. The law applies to all companies that own or license the personal information of Massachusetts residents. According to the new regulations, companies are now required to create a comprehensive security program that details how personal information will be safeguarded. Governor Deval Patrick stated, “Consumers should feel confident that their personal information is protected, and not exposed to loss or theft. These regulations improve the safety of personal information, while giving businesses the flexibility to secure that information without undue burden.” For more information on privacy and identity theft, see EPIC: Identity Theft.
  • House Passes Data Breach Bill » (Dec. 11, 2009)
    Today, the House passed the Data Accountability and Trust Act, which requires security policies for consumer information, regulates the information broker industry, and establishes a national breach notification law. The bill now moves to the Senate, which is also considering a similar measure sponsored by Senator Patrick Leahy. In May, EPIC Director Marc Rotenberg testified before Congress, urging lawmakers to strengthen the proposed law by adopting a broader definition of "personally identifiable information" and permitting stronger state laws to remain. For more, see EPIC Identity Theft.
  • EPIC Urges Court to Protect Speech of Privacy Advocate » (Oct. 19, 2009)
    Today, EPIC filed a "friend of the court" brief with the Fourth Circuit Court of Appeals, urging the court to hold that the First Amendment protects the speech of Betty Ostergren, a privacy advocate. Ostergren runs a Website that republishes Social Security Numbers, collected from public records, to persuade Virginia lawmakers to stop releasing documents that reveal Social Security Numbers. Under Virginia law, Ostergren could be prosecuted for publishing SSNs, even though Virginia makes the numbers widely available. A lower court held that the law violated Ostergren's First Amendment rights. Virginia appealed. EPIC's brief urges the appeals court to uphold the lower court's ruling. For more information, see EPIC Ostergren v. McDonnell, EPIC Social Security Numbers, and EPIC Identity Theft.
  • California Governor Vetoes Consumer Privacy Bill, but Signs Bill to Strengthen Celebrity Privacy » (Oct. 16, 2009)
    Governor Schwarzenegger has terminated S.B. 20, a bill that would have strengthened California's data breach laws by requiring that consumers be notified every time their privacy was compromised. But the Governor and "Terminator" star signed A.B. 524, an amendment to California's current anti-paparazzi law that will protect the privacy of celebrities by making it easier to sue photographers and media outlets for taking or purchasing unauthorized pictures. For more information about privacy in California, see the California Office of Information Security and Privacy Protection.
  • House Committee to Consider Data Breach Bill » (Sep. 29, 2009)
    On September 30, the House Energy and Commerce Committee will consider a proposed federal law that would establish national standards for data breach notification. The Data Accountability and Trust Act (DATA) also regulates information brokers and requires companies to adopt security policies. The Senate is considering a similar bill that protects additional categories of consumer information. In May, EPIC testified before Congress on the DATA bill, highlighting the importance of regulating data brokers, but warning of the dangers posed by federal laws that preempt stronger state privacy safeguards. In May, President Obama stated that "executive departments and agencies should be mindful that in our Federal system, the citizens of the several States have distinctive circumstances and values, and that in many instances it is appropriate for them to apply to themselves rules and principles that reflect these circumstances and values." For more information, see EPIC Identity Theft.
  • FTC Issues Final Breach Notification Rule for Electronic Health Information » (Aug. 21, 2009)
    The Federal Trade Commission issued a final rule requiring breach notification by vendors of medical records and related entities. In June, EPIC submitted comments recommending that all entities handling electronic health records be subject to the regulation and that the FTC should establish a central location to track and announce breaches. The FTC modified the rule accordingly. EPIC had also recommended that information "accessed" be treated as "acquired", substitute media notices be used as supplemental notification, verification of data breach notices be required, minimum security standards be created, penalties for violations be assessed, and the creation of "safe-harbors" for de-identified data be opposed. The rule was mandated under the American Recovery and Reinvestment Act. See EPIC Medical Privacy and EPIC Identity Theft.
  • New Cybersecurity Legislation Introduced in Congress » (Jul. 23, 2009)
    Senator Patrick Leahy (D-Vt) introduced the Personal Data Privacy and Security Act of 2009. The bill requires data brokers, business entities and federal agencies to create and implement data privacy and security practices. It requires data breach notification, enforces disclosure and accuracy requirements, and establishes an Office of Federal Identity Protection within the FTC. However, the bill preempts stronger state privacy laws and fails to provide a private right of action for consumers. For more information, see EPIC Identity Theft, EPIC Personal Data and Privacy Protection, and EPIC Preemption Page.
  • EPIC Urges Comprehensive Strategy for ID Theft » (Jun. 17, 2009)
    With ID theft rapidly increasing in the United States, EPIC Executive Director Marc Rotenberg today urged a Congressional Committee to address the root causes of the problem. In testimony before the House Oversight Committee, Mr. Rotenberg said that the government typically acts only after the crime has occurred and warned that the problem will get worse if current trends continue. EPIC recommended a comprehensive strategy for ID Theft that would include: (1) Establishing privacy safeguards for web 2.0 services; (2) Ensuring privacy protections for outsourcing; (3) Enacting comprehensive privacy legislation; (4) Making privacy protection a focal point of cybersecurity policy; and (5) Developing better techniques for Identity Management. See EPIC pages on Identity Theft.
  • Congress Holds Open Markup Session on Data Breach Bill » (Jun. 3, 2009)
    The Committee on Energy and Commerce held an open markup session on the Data Breach Bill. The Chairman of the subcommittee intends to have a law that is strong and adequately protects consumers. EPIC testified before Congress on this bill, which requires security policies for consumer information, regulates the information broker industry, and establishes a national breach notification law. For more information, see EPIC's page on Identity Theft.
  • EPIC Submits Comments on Health Breach Notification to the FTC » (Jun. 1, 2009)
    The Federal Trade Commission proposed a rule requiring notification when the security of medical information is compromised. EPIC recommended that all entities handling health records be subject to standard security requirements; that exemptions for de-identified data be tightened; that media notification of health data breaches be enhanced; that additional breach notification be provided through means such as text messages and social networking sites; and that receipt of notifications be verified. See also EPIC's Page on Medical Privacy.
  • EPIC Testifies Before Congress on Data Breach Bill, Urges Changes to Strengthen Act » (May. 5, 2009)
    EPIC Director Marc Rotenberg testified before Congress on the Data Accountability and Trust Act, which would require security policies for consumer information, regulate the information broker industry, and establish a national breach notification law. Rotenberg said "companies need to know that they will be expected to protect the data they collect and that, when they fail to do so, there will be consequences." The EPIC Director opposed the preemption of stronger state laws, and recommended the use of text messages for breach notices, and suggested that personally identifiable information be broadly defined to include any information that "identifies or could identify a particular person." To learn more about Identity Theft, see EPIC's Identity Theft page.
  • For Identity Theft Law, Supreme Court Rules that the Government Must Prove Intent to Impersonate » (May. 4, 2009)
    In a critical case for the emerging field of identity management, the Supreme Court today reversed a lower court opinion and ruled unanimously in favor of the petitioner. The Court held that individuals who provide identification numbers that are not their own, but don’t intentionally impersonate others, cannot be subject to harsh criminal punishments under federal law. The case involved a mandatory 2-year prison term, added on to a prior conviction, for presenting a fake Social Security Number to an employer. EPIC filed an amicus brief in support of the petitioner, arguing that the "unknowing use of inaccurate credentials does not constitute identity theft." For more information, see EPIC, Flores-Figueroa v. United States.
  • Supreme Court to Hear Argument in "Identity Theft" Case, EPIC Urges Justices to Protect Privacy Enhancing Technologies » (Feb. 23, 2009)
    On Wednesday, the Supreme Court will hear arguments in a case that will determine whether individuals who include identification numbers that are not theirs, but don't intentionally impersonate others, can be subject to harsh criminal punishments under federal law. In Flores-Figueroa v. United States, the petitioner challenged his conviction for "aggravated identity theft." EPIC filed a "friend of the court" brief, on behalf of 17 legal scholars and technical experts, urging the Justices to protect techniques that allow individuals to safeguard privacy. EPIC explained that the crime of "identity theft" should require an intent to impersonate another. The EPIC brief urges the Court to avoid "a precedent that might inadvertently render the use of privacy enhancing pseudonyms, anonymizers, and other techniques for identity management unlawful." For more, see EPIC's Flores-Figueroa v. United States page.
  • Data Breaches on the Rise in the US » (Jan. 6, 2009)
    A new report from the Identity Theft Resource Center found a 47 percent increase in data breaches in the United States over 2007. Noting 656 reported breaches at the end of 2008, the report identified the company, the category of breach and the number of records exposed. The Center concluded that most breached data was unprotected by either encryption or even passwords. According to the FTC, data breaches are the leading cause of identity theft. For more information, see EPIC's page on Identity Theft.

Questions Presented

Must a plaintiff suffer a concrete harm (i.e., damages) in order to satisfy the injury-in-fact requirement of Article III standing?

Background

Factual History

SuperValu “owns and operates retail grocery stores in the United States. SuperValu controls the payment processing at its stores and also provides payment processing services to AB Acquisition and Albertson’s stores.” Processing payments involves collecting and storing consumers’ personally identifiable information that is encoded on the magnetic stripes of their debit and credit cards. The PII collected includes “cardholder names, account numbers, expiration dates, and PINs.”

According to an August 14, 2014 press release, hackers installed malware on SuperValu’s network which processed card transactions. The intrusion “resulted in potential theft of information embedded in the magnetic strip of payment cards for sales transacted at 209 SuperValu stores and 836 AB Acquisition stores” between June 22, 2014 and July 17, 2014.

On September 29, 2014, SuperValu disclosed that a second data breach had occurred in “late August or early September,” in which hackers installed a different malware onto the network processing card transactions for some AB Acquisition and some Albertson’s stores. Following these press releases, four putative class actions were filed on behalf of twelve named plaintiffs. These cases were consolidated by the Judicial Panel on Multidistrict Litigation in December 2014.

Procedural Background and Lower Court Opinion

The consolidated action alleges six claims against the defendants (SuperValu, AB Acquisition, and Albertson’s): violation of eight state consumer protection statutes, violation of six state breach notification statutes, negligence, negligence per se, unjust enrichment, and breach of implied contract. The trial court dismissed the complaint without prejudice, finding that the plaintiffs lacked standing to invoke federal subject matter jurisdiction.

The lower court determined that the alleged risk of future harms (i.e., damages) is not imminent. Relying on Reilly v. Ceridian Corp., 664 F.3d 38, 43 (3d Cir. 2011), the court found that the threatened harms (i.e., damages) are speculative as to both whether and when they will come to pass. Specifically, the allegations depend on whether the hacker: “(1) read, copied, and understood Plaintiffs’ personal information; (2) intends to commit future criminal acts by misusing the information; and (3) is able to use such information to the detriment of Plaintiffs by making unauthorized transactions in Plaintiffs’ names.” According to the court, the single alleged instance of an unauthorized charge, which occurred a year after the data breach, is not fairly traceable to the defendants.

To dismiss statutory claims, the court relied on In re Barnes & Noble Pin Pad Litig., No. 12-CV-8617, 2013 WL 4759588 (N.D. Ill. Sept. 3, 2013), which stated “plaintiffs must plead an injury beyond a statutory violation to meet the standing requirement of Article III.”

Additionally, the court reiterated that mitigation costs cannot establish standing under Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138 (2013). Finally, the court held that the facts failed to support allegations of diminished value of the plaintiffs’ PII, lost benefit of the bargain, or a concrete injury from loss of privacy and confidentiality.

Legal Background

Article III of the U.S. Constitution grants the federal courts judicial power over “cases” and “controversies.” In order to show standing, plaintiffs must establish that they have (1) suffered an injury-in-fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) is likely to be redressed by a favorable judicial decision. Injury-in-fact itself requires the plaintiff suffer an invasion of a legally protected interest that is (1) concrete, (2) particularized, and (3) actual or imminent, not conjectural or hypothetical.

EPIC's Interest

EPIC has a long history of advocating for consumers against the risks of identity theft and financial fraud.

In April 2016, EPIC filed an amicus brief in the Third Circuit case Storm v. Paytime, Inc., which involved a question very similar to the one in In re SuperValu. EPIC argued that consumers face an unprecedented threat from data breaches and the subsequent misuse of their personal data. Accordingly, now is not the time to limit consumers’ options for recourse. EPIC also argued that consequential, downstream harms such as identity theft and financial fraud are irrelevant to whether data breach victims have standing to sue breached companies.

In January 2016, EPIC launched Data Protection 2016, a nonpartisan campaign to make data protection an issue in the 2016 election. The campaign advocates for reduced identity theft and financial fraud and for investigations of the misuse of personal data.

In September 2015, EPIC filed an amicus brief in the Supreme Court case Spokeo v. Robins, which concerns whether courts have jurisdiction to review cases brought based on violations of federal statutory rights. Plaintiff Robins sued Spokeo for violating the Fair Credit Reporting Act by disclosing inaccurate information about him. EPIC filed an amicus brief, advising the Court that now is not the time “to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress.” EPIC highlighted the need for robust privacy and consumer protection laws by demonstrating that “American consumers today face an epidemic of privacy harms, including data breaches, identity theft, and financial fraud.” In 2015 alone, data breaches had “exposed more than one hundred and forty million records of personally identifiable information.” And according to the most recent Department of Justice report, “identity theft cost American consumers more than twenty-four billion dollars” in 2012. In May 2016, the Supreme Court concluded that the U.S. Court of Appeals for the Ninth Circuit had failed to analyze whether Robins’s allegations were “concrete,” and remanded the case to the lower court.

In April 2014, EPIC submitted comments to the White House Office of Science and Technology Policy’s review of Big Data and the Future of Privacy. In its comments, EPIC warned the OSTP about the risks Americans face from the current big data environment, urged the swift enactment of the Consumer Privacy Bill of Rights, and highlighted the need for stronger privacy safeguards.

EPIC has also repeatedly advised legislators about the need to provide strong protections for consumer data. In October 2015, EPIC testified before the Senate Committee on Aging about protecting senior citizens from identity theft. EPIC warned about the growing risk of SSN-related identity theft, a risk magnified by the inclusion of SSNs on Medicare cards. EPIC had previously warned Congress and state legislators about the risks of using SSNs on identity documents. In June 2011, EPIC testified before the House Committee on Energy and Commerce about the SAFE Data Act, a bill intended to protect consumers’ personal information. EPIC emphasized the growing problem of data breaches and the likelihood that problems would get worse as more user data moves to cloud-based services. EPIC criticized the bill for preempting stronger state laws and for not adequately protecting personal information. The bill was not enacted. And in May 2009, EPIC testified before the House Committee on Energy and Commerce about H.R. 2221, the Data Accountability and Trust Act, and H.R. 1319, the Informed P2P User Act. EPIC opposed the preemption of state laws, recommended the use of text messages for breach notices, and suggested that personally identifiable information be broadly defined to include any information that identifies or could identify a particular person. Both bills died in committee.

Legal Documents

U.S. Court of Appeals for the Eighth Circuit, Nos. 16-2378 and 16-2528

U.S. District Court for the District of Minnesota, No. 14-MD-2586

News

Resources
