Equifax Fallout Could Boost Consumers' Shaky Harm Claims

October 6, 2017Media Mention

Tim Toohey was quoted in Allison Grande’s article that ran in Law360 on October 6, 2017, discussing the Equifax data breach and the congressional hearings in both the Senate and House following the breach. The hearings have attempted to shed light on the responsibilities companies should have when it comes to cybersecurity, consumer notification of breaches, and continued post-breach protections for consumers.

“To my mind, the most remarkable thing to come out of the congressional committee hearings of Equifax’s Richard Smith are the comments from both Joe Barton and Elizabeth Warren that there should be modification for data breach laws to compensate the consumers who are victims of the attacks,” said Toohey. “If such laws were passed, this would be a remarkable change in the paradigm for data breach notification laws.”

Toohey notes that breach reporting statutes currently on the books in 48 states have primarily been “informational in nature and have placed the onus on the consumer to monitor his or her credit, sometimes with the assist of credit monitoring provided by the entity that was breached.”

According to Toohey, under the suggestions put forth by Barton, Warren and others, which would essentially establish fixed statutory damages for consumers, the burden would shift to companies to ensure that consumers are made whole, regardless of whether individuals have suffered identity theft or any other actual harm.

“This would be a major change from current laws because it would potentially lead to significant financial consequences when a large number of consumers have suffered a breach,” he said. “It would also be a major departure from the burdens that consumers have faced in civil litigation in showing that they have suffered actual damages from a breach.”

Establishing actual financial harm has thus far hindered consumer claims.

“Although consumers often believe that they have been harmed when personal data is exposed in a breach, companies are often able to avoid liability — particularly in civil lawsuits — because there is no demonstrable financial harm,” Toohey said. “Legislators seem to be recognizing that regardless of whether a consumer has suffered financial losses ... they have been harmed by having information exposed and through the fear or concern regarding potential harm.”

To view full Law 360 article, click here (subscription required).