An October decision of the 4th US Circuit Court of Appeals in Virginia has — yet again — altered the risk calculus of data breaches by easing litigants’ ability to successfully sue breached companies in limited situations.
The case involved an insurance company data breach that resulted in the driver’s license information of almost 3 million customers being leaked. Until this appellate decision, most courts had ruled that having certain types of data stolen alone is not sufficient to prove damages. With such data, plaintiffs must provide proof of actual damage or evidence of actual fraud, the courts have mostly ruled.
Whereas theft of private data, such as medical records, has automatically been considered damaging, most data available from a driver’s license, for example, is public, with even a driver’s license number not helpful to a fraudster, unless joined with other information to enable identity theft. Courts have ruled that plaintiffs must prove thieves had indeed accessed multiple pieces of information.
The 4th Circuit softened that standard, ruling that because the attackers placed the information on the dark web, the risk of actual fraud was greater: buyers would not pay for such data unless they already held the other information needed to complete a fraud.
“The dark web, an anonymous online network for unregulated content and markets, is not a traditional method of communicating information like a newspaper or radio broadcast,” the 4th Circuit judges ruled. “But, not dissimilar to the internet more generally, it is a forum accessible to all — or at least to those with some degree of proficiency with computers. Information listed on it thus either reaches, or is sure to reach, the public or is close to doing so.”
Moreover, because one of the plaintiffs alleged the information was found to be for sale on the dark web, rather than published openly, which would limit its exposure, the judges explored whether the existence of a paywall should make a difference in terms of proving harm and concluded that it didn’t.
“We do not see why this should make a difference. One classic example of publicity in public-disclosure tort cases is listing information in a newspaper,” the 4th Circuit judges ruled. “Yet many newspapers are only accessible with payment, too. We see no reason to treat the internet differently. Paywalled or not, information listed on the internet is ordinarily accessible to many.”
The panel also clarified what constitutes data being sensitive: “Undoubtedly, a driver’s license number is unlike the details of an affair or a medical condition. People do not consider their driver’s licenses embarrassing and hand them to bartenders and waiters and police officers without hesitation.”
How CISOs should respond
Attorneys watching the case said there are various implications for what CISOs should do differently given the panel’s ruling.
Cybersecurity consultant Brian Levine, a former federal prosecutor who today serves as executive director of FormerGov, a directory of former government and military specialists, said this decision “is yet another reason why CISOs should monitor the dark web. It may be an early warning that they may be getting a lawsuit.”
That dark web information may also provide critical guidance for lawyers negotiating with plaintiffs. If the data is definitely not on the dark web, there is a better chance for dismissal and therefore a better chance that a lowball settlement offer may be accepted. But if the data appears on the dark web, that quickly changes.
“For plaintiffs whose data was breached but not publicly disclosed, the court found no standing because the risk of future misuse was deemed too speculative. Emotional distress and time spent monitoring accounts were not concrete injuries without actual misuse or public exposure,” Levine said. “This reinforces a high bar for plaintiffs in data breach cases who haven’t yet suffered tangible consequences.”
This decision also forces CISOs to reevaluate how financially exposed the enterprise will be should a breach happen, said Mark Rasch, a former federal prosecutor who specializes in technology legal issues. Prior to this 4th Circuit decision, “a lot of enterprises thought that a data breach might be no big deal because the victims can’t really demonstrate harm, so we don’t need to worry.” This decision changes that.
The court created a new “publication versus theft” dynamic, Rasch said, where a dark web publication of the information may be enough for a case to proceed. To be clear, the panel’s decision involved whether plaintiffs would be allowed to proceed to discovery and other early stages of the court process.
Douglas Brush, a special master with the US federal courts, said that a critical factor behind these legal shifts is a flood of lawsuits initiated instantly when an enterprise announces a breach, long before meaningful details are known.
CISOs have thought “‘if we lose any of this data, there’s blood in the water,’” Brush said. “The line CISOs must monitor is the shift from private possession to public accessibility. CISOs should track and document what becomes public, not just what was taken: screenshots, hashes, first-seen timestamps, and linkage to internal systems. That record now drives standing, class scope, and exposure.”
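As an added illustration of the record-keeping Brush describes (this is not code from the article or from anyone quoted in it), the following Python sketch keeps an exposure ledger: one entry per distinct artifact keyed by its SHA-256, the earliest and latest time it was observed, every source it appeared on, and a link back to the internal systems the leaked identifiers came from. Identifiers are matched through a keyed hash so the ledger never stores raw personal data, and each observation is hash-chained so later edits to the record are detectable. The internal records, the sample dump, the source names and the matching key are all constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed matching key for this example; a real deployment would keep it in a
# secrets manager so ledger entries cannot be reversed to raw identifiers.
MATCHING_KEY = b"constructed-example-matching-key"


def pseudonym(identifier: str) -> str:
    """Keyed hash of a normalised identifier. The ledger links leaked values to
    internal records by this value, so it never stores the raw identifier."""
    normalised = identifier.strip().upper().replace("-", "").replace(" ", "")
    return hmac.new(MATCHING_KEY, normalised.encode(), hashlib.sha256).hexdigest()


def parse_time(ts: str) -> datetime:
    """Accept only timezone-aware ISO 8601 timestamps; first-seen ordering across
    sources is meaningless if some captures are recorded in local time."""
    t = datetime.fromisoformat(ts)
    if t.tzinfo is None:
        raise ValueError("timestamp must carry a timezone: %r" % ts)
    return t.astimezone(timezone.utc)


class ExposureLedger:
    """Tracks what leaked material has become publicly accessible.

    One entry per distinct artifact (keyed by SHA-256): earliest and latest
    observation, every source it was seen on, and the internal systems the
    leaked identifiers map back to. Observations are hash-chained so any later
    edit to the record is detectable."""

    def __init__(self, internal_records):
        # internal_records: constructed list of {"license_no": ..., "system": ...}
        self.index = {}
        for rec in internal_records:
            self.index.setdefault(pseudonym(rec["license_no"]), set()).add(rec["system"])
        self.entries = {}   # artifact sha256 -> entry
        self.chain = []     # ordered observations with a running hash
        self.head = "0" * 64

    def record(self, artifact: bytes, source: str, seen_at: str, leaked_ids):
        """Log one observation of an artifact and return its ledger entry."""
        digest = hashlib.sha256(artifact).hexdigest()
        seen = parse_time(seen_at)
        matched = {p for p in map(pseudonym, leaked_ids) if p in self.index}
        entry = self.entries.setdefault(digest, {
            "artifact_sha256": digest, "first_seen": seen, "last_seen": seen,
            "sources": [], "observations": 0,
            "matched_pseudonyms": set(), "matched_systems": set(),
        })
        entry["first_seen"] = min(entry["first_seen"], seen)   # keep the earliest sighting
        entry["last_seen"] = max(entry["last_seen"], seen)
        if source not in entry["sources"]:
            entry["sources"].append(source)
        entry["observations"] += 1
        entry["matched_pseudonyms"] |= matched
        for p in matched:
            entry["matched_systems"] |= self.index[p]
        # Chain this observation onto the previous head so tampering is visible.
        obs = {"artifact_sha256": digest, "source": source, "seen_at": seen.isoformat()}
        self.head = self._link(self.head, obs)
        obs["chain_hash"] = self.head
        self.chain.append(obs)
        return entry

    @staticmethod
    def _link(prev_hash: str, obs: dict) -> str:
        fields = {k: obs[k] for k in ("artifact_sha256", "source", "seen_at")}
        payload = json.dumps(fields, sort_keys=True)
        return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

    def verify_chain(self) -> bool:
        """Recompute the running hash; False if any observation was altered."""
        head = "0" * 64
        for obs in self.chain:
            head = self._link(head, obs)
            if head != obs["chain_hash"]:
                return False
        return True

    def summary(self):
        """JSON-ready view of the ledger, ordered by first public exposure."""
        out = []
        for e in sorted(self.entries.values(), key=lambda e: e["first_seen"]):
            out.append({
                "artifact_sha256": e["artifact_sha256"],
                "first_seen": e["first_seen"].isoformat(),
                "last_seen": e["last_seen"].isoformat(),
                "sources": list(e["sources"]),
                "observations": e["observations"],
                "matched_identifiers": len(e["matched_pseudonyms"]),
                "matched_systems": sorted(e["matched_systems"]),
            })
        return out


if __name__ == "__main__":
    # Constructed internal records and a constructed dump seen on two sites.
    internal = [
        {"license_no": "V123-456-789", "system": "policy-db"},
        {"license_no": "V123-456-789", "system": "claims-portal"},
        {"license_no": "V555-000-111", "system": "claims-portal"},
    ]
    dump = b"constructed sample dump: V123456789,V999999999\n"
    ledger = ExposureLedger(internal)
    ledger.record(dump, "forum-a", "2025-10-02T09:00:00+00:00", ["V123456789", "V999999999"])
    ledger.record(dump, "forum-b", "2025-10-01T22:30:00+00:00", ["V123456789"])
    print(json.dumps(ledger.summary(), indent=2))
    print("chain intact:", ledger.verify_chain())
```

The second observation in the demo carries an earlier timestamp than the first, and the ledger keeps that earlier time as `first_seen`: the moment data became publicly accessible is the fact counsel will be asked for, and it should not depend on the order in which analysts happened to log sightings. Storing only keyed pseudonyms means the ledger itself is not another copy of the leaked identifiers.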
The case could unintentionally motivate attackers to threaten enterprises with dark web publication, giving them leverage to extort more money by suggesting that failure to pay will make the attackers publish and thereby strengthen plaintiffs’ cases against the enterprise.