UPDATE August 9, 2015: Regarding my claim below that a robust market for personal information on the dark web constitutes evidence of its value as a commodity, attorney Caitlin Kelly Henry points out (in the context of a casual conversation at DEF CON) that the court would not recognize illegal activity. But she also notes that businesses are routinely engaged in the lucrative practice of marketing their customers’ personal data, making essentially the same point. Caitlin adds that this case is well outside her practice area. Thanks nonetheless, Caitlin.
7th Circuit Court of Appeals: You don’t own your personal information
Whoa! This is not good news, and while the case was covered in the legal press, this was not the headline. Buried deep in the dicta — page 13 of a 17-page decision — the court says personal information is not a property right.
The question before the court was whether Neiman Marcus customers have standing to sue after the company suffered a credit card breach that exposed the plaintiffs’ personal ID and financial data. The court said they do.
The discussion centered on Neiman’s argument that there was no actual injury since the plaintiffs were not accountable for fraudulent charges on their accounts. Standing can’t be argued on speculative claims of future harm, Neiman argued.
Potential future injury is what’s at issue. Until this decision, there was a high bar to establish the risk of future injury from exposure of personal information. The 7th Circuit has lowered it, granting standing on the speculative claim, and asking why else cyberthieves would steal credit card numbers, if not to set up fraudulent accounts.
After a lengthy discussion of the various legal issues involved, the court threw in some brief comments on the ownership of personal information, mostly for good measure. “For the sake of completeness…” the court said.
“Plaintiffs also claim they have a concrete injury in the loss of their personal information, which they characterize as an intangible commodity… This assumes that federal law recognizes such a property right. Plaintiffs refer us to no authority that would support such a finding. We thus refrain from supporting standing on such an abstract injury, particularly since the complaint does not suggest that the plaintiffs could sell their personal information for value.”
What!!?? There is and has been a thriving market for personal information, and yes, the information has monetary value. Business has been so good, in fact, that the value per ID on the dark web has gone down since its peak, just as any commodity responds to excess supply.
In this opinion, the 7th Circuit has contradicted itself, acknowledging that the purpose of stealing credit card data is to make fraudulent charges and set up fraudulent accounts in the name of the card holder, yet declaring that the card holder’s personal information has no value.
I’m no lawyer, and further research is in order, but I predict a large herd of worms crawling out of this open can. And by the way, is anyone else reading these documents all the way through?
CASE UPDATE: Neiman Marcus has requested a rehearing en banc in the data breach lawsuit referenced below. The retailer asserts that the 7th Circuit Court’s “use of an expansive standard” to establish standing in data breach suits will be “enormously consequential to the national legal landscape.”