Very few data privacy or data security laws permit enforcement by private citizens. This presents a problem, as the injured party cannot control if or when he/she receives compensation for their injuries. At the risk of seeming overly-stoic, the idea of giving a State or Federal agency control over the personal remediation of injuries is unpleasant.
Many state laws followed the Federal Government’s position in declining citizens the ability to sue violators of individual consumer privacy act rights; a practice modeled after the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach Bliley Act (GLBA), or the Federal Trade Commission (FTC) Act. Instead, enforcement of these federal regulations and the splattering of state privacy laws restricts enforcement to state and federal agencies, primarily attorney generals. This legal framework gives relevant industry sectors false senses of protection from civil class action lawsuits.
For example, it was recently announced that the EdTech company, BlackBaud.com, which serves as a cloud data storage and academic application provider, reached a $49.5 million settlement with 49 states in response to events leading up to and following a 2020 ransomware event. The settlement addressed the theft of Blackbaud’s customers' banking, login credentials, social security numbers, and protected health information. And, interestingly, many of the Blackbaud victims were minor children. Blackbaud also paid the Securities and Exchange Commission a $3 million fine for misrepresenting the event to the public and regulators.
Now, private citizens could conceivably file private lawsuits against Blackbaud for negligence and fraud. And in South Carolina, a class action of Palmetto State citizens did sue Blackbaud in In Re Blackbaud, Inc., 567 F.Supp.3d 667 (D.S.C., 2021). However, without a recognized statutory framework to illustrate the violations, the battle to prove the relevant injury and causation can be more difficult for the private citizen than a regulatory agency.
However, in the last several years (maybe 5?), attorneys representing injured masses cleverly enabled citizens and class-actions thereof to sue entities that violate federal regulations by using a traditional negligence framework. Negligence is a simple concept based on a duty, breach, and jury: Person A owes a duty to other people, designed to prevent an injury. If Person A breaches that duty and Person B suffers a resulting injury, Person A will be sued for negligence.
In 2021, the Arizona Supreme Court held that HIPAA could inform the standard of care in a negligence claim against a Costco Pharmacy that inadvertently told the plaintiff’s ex-wife about a prescription for erectile dysfunction medication. The South Carolina District Court in In Re Blackbaud acknowledged that the FTC Act can serve as a potential basis of negligence.
This legal strategy is strengthening. Some litigations are successfully arguing in data breach cases that violations of federal statutes create such obvious breaches of duty that the incident is considered negligence per se (automatic), which is a terrifying reality for any defendant.
In In re Capital One Consumer Data Sec. Breach Litigation, the Eastern District of Virginia, the Plaintiffs alleged that Capital One’s data breach was a violation of the FTC Act and GLBA Safeguard’s rule, and therefore negligence per se (automatic negligence). And, surprisingly, the Eastern District of Virginia agreed that such an allegation was legally plausible. Analyzing the issue under New York law, an investment banking hub, negligence per se exists "if a statute is designed to protect a class of persons… from the type of harm which in fact occurred as a result of its violation[.]”[1] Therefore, the federal court agreed that because New York law would permit a negligence per se claim premised on a federal statute, importing the standard of care from the FTC Act is supportable a claim for negligence per se.
In In re Ambry Genetics Data Breach Litigation, the Central District Court of California similarly allowed a negligence per se claim to proceed under the HIPAA framework.[2]
With federal and state agencies often failing to receive enough resources to consistently enforce cyber laws, private citizens finding mechanisms to assert private rights of action provides another method of enforcement.