The OPM Data Breach: Harm Without End?

By Daniel J. Solove

Posted on June 19, 2015



The recent breach of the Office of Personnel Management (OPM) network exposed personal data on millions of federal employees, including data gathered for background checks. OPM is now offering victims 18 months of free credit monitoring and identity theft insurance. But as experts quoted in a recent Washington Post article note, this is not nearly enough:


If the data is in the hands of traditional cyber criminals, the 18-month window of protection may not be enough to protect workers from harm down the line. "The data is sold off, and it could be a while before it's used," said Michael Sussmann, a partner in the privacy and data security practice at law firm Perkins Coie. "There's often a very big delay before having a loss."


The article reiterates something I have long been arguing: data involved in a breach can be used long afterwards. The article goes on to quote Ed Mierzwinski:


"Credit card numbers and debit card numbers have a short shelf life, because banks figure out which cards are at risk, and people get new numbers without asking for them," explained [Ed] Mierzwinski. "Social Security Numbers have a very long shelf life -- a bad guy that's smart won't use it immediately, he'll keep a hoard of numbers and use them in a couple of years."


The OPM breach is far worse than a typical breach of card or Social Security numbers because it involves background check information, which could be misused in ways that go well beyond identity theft and for an indefinite period of time – perhaps for the rest of the victims’ lives.


Courts have often dismissed data breach cases on the ground that the victims suffered no harm, rejecting the argument that an increased risk of future identity theft, fraud, or other injury is a cognizable harm. For example, in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), a hacker broke into a company’s systems holding the plaintiffs’ personal and financial information, and the plaintiffs sued the company. The Third Circuit affirmed dismissal of the lawsuit for lack of standing:


We conclude that Appellants' allegations of hypothetical, future injury are insufficient to establish standing. Appellants' contentions rely on speculation that the hacker: (1) read, copied, and understood their personal information; (2) intends to commit future criminal acts by misusing the information; and (3) is able to use such information to the detriment of Appellants by making unauthorized transactions in Appellants' names. Unless and until these conjectures come true, Appellants have not suffered any injury; there has been no misuse of the information, and thus, no harm.


The Supreme Court has consistently dismissed cases for lack of standing when the alleged future harm is neither imminent nor certainly impending. . . . Here, Appellants' alleged increased risk of future injury . . . is dependent on entirely speculative, future actions of an unknown third-party.


Courts are uneasy about recognizing future harm because it requires too much speculation about what will happen: nothing bad might ever happen.



The problem with the type of harm suffered in many data breaches, including the OPM breach, is that it often will not materialize within the statute of limitations for most causes of action, which can be as short as a year or two. The harms from a data breach are rarely immediate, and when they do occur they are hard to trace back to a particular breach because the culprits are rarely found and prosecuted.


We need a better way to address the harms involved in data breaches. The current approach seems to deny reality and to treat the harm like a cut that needs to be bandaged. But the harm is more akin to exposure to radiation or a toxic chemical, the effects of which might not be felt until years later.


I’m working on an article about privacy and data security harms with Professor Danielle Citron in which we hope to propose a better way to handle such harms, one that is practical and fair, that does not unduly penalize the organizations that have incidents, and that does not fail the victims whose data was compromised. Wish us luck!


Some of my earlier posts on harms:

  1. Privacy and Data Security Violations: What’s the Harm?
  2. How Should the Law Handle Privacy and Data Security Harms?
  3. Do Privacy Violations and Data Breaches Cause Harm?
  4. Why the Law Often Doesn’t Recognize Privacy and Data Security Harms


* * * *


Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School and the founder of TeachPrivacy, a privacy/data security training company. Along with Paul Schwartz, Solove is a Reporter on the American Law Institute’s Principles of Data Privacy. He is the author of 10 books including Understanding Privacy and more than 50 articles.


Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum – Oct. 21-23 in Washington, DC, an event that aims to bridge the silos between privacy and security.



The preceding is republished on TAP with permission by its author, Professor Daniel Solove. “The OPM Data Breach: Harm Without End?” was originally published June 17, 2015 on Professor Solove’s LinkedIn Commentary page. Professor Solove is among LinkedIn’s 150 top influential thought leaders.


