Equifax, Strava, and Russian Facebook Ads: How to Hold Websites Accountable for Data Breach

By Omri Ben-Shahar

Posted on February 7, 2018



Pollution was the negative product of an industrialized economy. Misuse of Big Data is the new pollution—the negative artifact of a digital economy. And it is occurring with increasing frequency. Strava, a fitness app, may have weakened the U.S. military by posting data that exposes the geographical location of users, many of whom are military personnel. Facebook may have weakened U.S. democracy by showing ads purchased by foreign manipulators to swing voters. And Equifax may have weakened U.S. financial security by exposing a large database of consumer finances to hackers.


One common thread running through these notorious cases of recent privacy breaches is the potential harm arising from tracking people. Strava, Facebook, and Equifax created phenomenal databases of people’s behavior. Each of these platforms uses the data for many good purposes, but they also, unintentionally and sometimes negligently, expose the data to harmful uses.

Another, less noticed, common thread running through these cases of privacy breach is the social nature of the harm they caused. The injury from the exposed data was not always to the individual users being tracked and exposed. Rather, it is more akin to pollution: the injury arises from the aggregation of exposure, and it affects many others.


Take Strava’s case. The extraction of publicly shared location tracking data from Strava and its use to map out military locations does not specifically harm the individuals being tracked, but rather military interests. It is only by clustering many individuals that a meta-picture of concentrated military activity can emerge. The injury is labeled a “privacy” breach, but the informational harm here is distinctly social, not private.


Or take Facebook’s showing of political ads purchased by Russian agents to polarize and distort American voting. Such misuse did not specifically harm the individual users of the social network who were being tracked, profiled, and “sold” to advertisers. Again, it is only by aggregating and exposing a large group of users to the ads that a concentrated harmful impact occurred. Here, too, we can classify the threat as one to people’s privacy, but the informational harm was social, not private.


The Equifax security breach is social in a different way. Sensitive personal and financial information of 143 million Americans was exposed by the hacking of a major credit reporting firm—information that the firm collected and stored from people’s financial records. No doubt, significant harm could accrue to specific individuals, if their information ends up being misused. The main concern is identity theft—a distinctly private injury. But there is an additional social aspect to the harm. Only a fraction of the exposed consumers will end up suffering actual identity theft, but the entire pool is harmed. Each of the exposed consumers is experiencing a heightened overhanging sense of financial risk, and may be required to take varying degrees of precaution. The informational injury is not merely to the victimized users, but to the entire population in the database.

This social side of the informational injury should have a profound impact on how the law punishes and deters such data breaches. Currently, people who feel offended or violated by the information firms collect, share, or lose have to go to court and prove their injury. Courts usually look for individual concrete harm, and they have a hard time finding it. Many class actions alleging privacy-related injuries to consumers are filed against companies, but they often dead-end because of the difficulty of proving private injury. Even if great social harm is caused, the firms are not held accountable for it. Deterrence is lacking.


If the harm arising from security breaches and leaked data is primarily social, it is not surprising that private lawsuits alleging private harms are not very effective. Courts are looking for the injury in the wrong place. The solution for the problem of social harms has to be a social remedy, not a private one. If Strava’s fitness tracking is harming national security, it would be pointless to expect that individual users will be good surrogates for the preservation of the public good.

Identifying the proper social remedy for an informational injury could be challenging. Consider, again, the Equifax security breach case. If courts had information about who the actual victims of the resulting identity theft are, they could compensate them directly, ordering Equifax to reimburse their losses. But courts don't have this knowledge and might never have it. It could take years for the misuse of the data to occur, and it will be hard in any individual case to know for sure whether the harm to a specific consumer is attributable to the Equifax breach or to other sources.


Instead, by thinking about the Equifax breach as causing social rather than private harm, courts can craft a different remedy for the entire class of users whose data was compromised. Consumers should each be compensated by an amount reflecting the average risk that they would become actual victims. The Justice Department estimates that the average loss to victims of identity theft is approximately $1500. Of course, not all consumers in the Equifax database will suffer identity theft. The court will need survey evidence to estimate the increased likelihood of identity theft for the average consumer. With that, a remedy for the entire class could be crafted. In the same way that a polluter pays damages to an entire community, not merely to those actually injured, an "emitter" of data should compensate the entire affected community for the data exposure. Each consumer might not receive much—perhaps only a few dollars—but multiplied by 143 million . . .


Data is the new currency in our economy. Websites and smart devices are providing services to people who pay with their personal information. A lot of good is achieved through such exchange, but occasional unexpected harm emerges. Recognizing that this harm is often social, not private—that it is more like pollution than a car accident—may go a long way towards a solution.

The preceding is republished on TAP with permission by its author, Omri Ben-Shahar, law and economics professor and Kearney Director of the Coase-Sandor Institute for Law and Economics at the University of Chicago Law School. “Equifax, Strava, and Russian Facebook Ads: How to Hold Websites Accountable for Data Breach” was originally published February 1, 2018 in Forbes.