GETTING INTO COURT WHEN THE DATA HAS GOTTEN OUT: A TWO-PART FRAMEWORK.

Author: Aubuchon, Alyssa L.

INTRODUCTION

In the late summer of 2017, headlines announcing that the personal information of nearly 150 million American consumers had been compromised shocked the conscience of the nation. Equifax, a credit reporting agency that compiled the personal financial information of consumers and sold it to businesses, had been hacked. (1) During the seventy-six days in which the hack went unnoticed by Equifax, hackers surreptitiously made 9,000 search queries, (2) obtaining massive amounts of personal information including millions of consumers' names, addresses, birth dates, social security numbers, driver's license numbers, and even credit card numbers. (3) This stolen information, ranging from bank accounts to medical records, (4) is the key to much of consumers' financial lives. With it, the thieves could destroy consumers' credit worthiness and effectively impersonate individuals with creditors, employers, and service providers. (5)

Following the breach, a class of ninety-six consumers whose data had been exposed filed a complaint against Equifax in federal district court alleging "present, immediate, imminent, and continuing increased risk of harm" as a result of the breach. (6) The plaintiffs claimed they were harmed by the burden of taking additional measures to combat identity theft and the increased possibility that their identity would be stolen in the future. (7) Plaintiffs alleged damages in the form of wasted time, effort, and money spent monitoring their credit and identity, and by the "serious and imminent risk of fraud and identity theft" due to the breach. (8) The plaintiffs brought suit under the Fair Credit Reporting Act ("FCRA"), arguing that Equifax unlawfully "furnished" their consumer reports to hackers and "failed to maintain reasonable procedures designed to limit the furnishing of Class members' consumer reports to permitted purposes, and/or failed to take adequate security measures that would prevent disclosure of Class members' consumer reports to unauthorized entities or computer hackers." (9)

The court, finding that the plaintiffs failed to state a claim under the FCRA, granted Equifax's motion to dismiss. (10) The court reasoned that, although the FCRA does not define "furnish," courts have held that information stolen by hackers is not "furnished" within the meaning of the FCRA. (11) The plaintiffs, acknowledging this precedent, argued that Equifax should still be subject to liability because its "conduct was 'so egregious' that it should be considered akin to furnishing." (12) The court disregarded this argument, stating that the plaintiffs failed to provide discernable standards by which to determine when conduct was so egregious as to be considered furnishing. (13) The court then accepted Equifax's argument that the stolen information did not relate to consumers' credit worthiness and therefore did not constitute a "consumer report" protected by the FCRA. (14) Finally, the court held that because the failure to maintain reasonable procedures claim required Equifax to have illegally released a consumer report, that claim must necessarily be dismissed upon a finding that no consumer report had been compromised. (15)

In the end, Equifax did face some consequences for its negligence. Though consumer attempts to hold Equifax accountable were unsuccessful, the Federal Trade Commission ("FTC"), along with forty-eight states, the District of Columbia and Puerto Rico, and the Consumer Financial Protection Bureau ("CFPB") brought suit against Equifax to enforce provisions of the Federal Trade Commission Act ("FTC Act") and other federal consumer protection laws. (16) In July of 2019, Equifax and the FTC reached a settlement of nearly $700 million, whereby Equifax agreed to create a fund of up to $425 million to provide free credit monitoring services and restitution for out-of-pocket losses resulting from the breach. (17) In addition, Equifax agreed to pay $175 million in civil penalties to the states and a fine of $100 million to the CFPB. (18)

Though $700 million seems significant, it is not enough to remedy the severe and varying harms caused by the breach. (19) Nearly 150 million American consumers suffered substantial injuries including time and money spent securing personal accounts and consumer reports from future identity theft, costs of obtaining additional credit monitoring products or security freezes, and a vastly increased risk of falling victim to identity theft in the future. (20) Significantly, given the nature of the information stolen, data thieves could wait years before utilizing the stolen data, (21) causing protracted anxiety to millions of American consumers.

It is hard to swallow that Equifax faced only limited liability for such colossal negligence.

Because consumer reporting agencies ("CRAs") such as Equifax are oriented to serve businesses and financial institutions, instead of the average person whose data they compile, they lack effective incentives to treat ordinary consumers, and their data, well. (22) The FCRA purports to ensure the accuracy and privacy of information in the hands of CRAs, (23) but it is clear from the litigation surrounding the Equifax breach and the inability of consumers to recover under the Act that the FCRA is no longer enough protection from the risks posed by online threats to poorly protected financial information. (24)

Consumers' right to sue under the FCRA is limited, and oftentimes private litigants struggle to state a cognizable claim within the confines of the Act. (25) Therefore, consumers do not have a truly effective avenue for recourse under federal law after their data has been compromised by a CRA. Congress should amend the FCRA to grant an explicit right of action to consumers seeking to vindicate data breach harms. However, such a private right contemplates complex problems of standing that must be resolved before such a private right can actually be meaningful. This Note will address the standing problems that would arise and propose two potential solutions.

Part I of this Note will examine the history of the FCRA, the basics of Article III standing, and its applications to intangible harms and data-privacy related injuries. Part II of this Note will then propose two potential solutions to the standing issues that arise when consumers are granted a right to sue CRAs for data breach harms. First, this Note will argue that, as the law currently stands, the Supreme Court should recognize that data breaches cause particularized and concrete harms sufficient to satisfy the injury-in-fact requirement of Article III. Finally, this Note will argue that because of judicial inconsistencies in applying the standing doctrine, state legislatures should adopt a uniform law, allowing Article III standing issues to be avoided altogether.

  1. THE STATUTORY AND COMMON LAW FRAMEWORK

    1. The History of the FCRA

      Congress enacted the FCRA to ensure that CRAs are fair, impartial, and respectful of consumers' rights to privacy. (26) The FCRA imposes a variety of responsibilities and compliance procedures on CRAs for the purpose of protecting consumers' financial information from inaccuracies, exposure, and identity theft. (27) Specifically, the FCRA requires CRAs to maintain "reasonable procedures" to ensure that they do not provide consumer reports to any person if there are "reasonable grounds" for believing that the report will not be used for a lawful purpose. (28) The FCRA, in providing a uniform standard of liability, serves to protect CRAs as well as consumers by insulating CRAs from unpredictable liability and establishing a set of clear guidelines to which they can conform their behavior. (29)

      The FCRA intended to incentivize CRAs to incur the necessary costs of ensuring that consumers' data is kept private and reported accurately. (30) However noble the FCRA's prerogative, it lacks sufficient bite and enforcement power to ensure that the rights of those whom it strives to protect are in fact protected. (31) Federal and state agencies entrusted with enforcement power (32) often lack the resources (33) to pursue all violations of the FCRA, and usually do not have sufficient familiarity with the facts underlying a claim to adequately represent consumers who have been harmed when they do decide to act. (34) Thus, the responsibility to ensure that the act is enforced falls on the shoulders of the consumers themselves. (35) As seen in the consumer litigation arising from the Equifax breach, (36) the FCRA is insufficient to vindicate consumer privacy. (37) An express private right of action will strengthen consumer protection, promote compliance with the FCRA, and incentivize CRAs to ensure that consumer data is well protected and not at risk of theft or fraud. (38) However, even if such a right were to exist, consumers would have to overcome the substantial hurdle imposed by Article III's "injury-in-fact" requirement. (39)

    2. Article III Standing and the Challenges of Data Breach Harms

      The United States federal government is one of limited and divided powers. (40) Central to that principle is the requirement that the federal judicial power extends only to "Cases" and "Controversies," (41) justiciable within the limits of the United States Constitution. (42) The doctrine of standing is closely related to the "case" or "controversy" requirement and serves to separate cases that are properly before the federal courts and those that are not. (43) The standing doctrine limits the scope of the federal judicial power by restricting the types of litigants that are "empowered" to bring suit in federal court. (44) The "irreducible constitutional minimum of standing" requires (1) an injury-in-fact, (2) causally connected to the conduct complained of, that is (3) likely to be redressed by a favorable decision of the court. (45)

  2. Standing and Intangible Harms

    The Supreme Court's application of standing principles to intangible harms is...
