In re SuperValu Customer Data Security Breach Litigation
Concerning Whether Victims of Data Breaches Must Suffer Certainly Impending or Actual Concrete Harms (i.e., Damages) In Order to Sue
Summary
This case concerns a proposed class action against SuperValu after the grocery store chain was hacked, placing at risk the personal data of SuperValu customers. At issue is whether plaintiffs must demonstrate actual damages to satisfy the “injury-in-fact” requirement of Article III standing. The trial court dismissed the complaint, finding the plaintiffs failed to demonstrate they suffered an “injury-in-fact” because the risk of future damages was not imminent. But the trial court confused injury-in-fact, which is a legal injury, with actual damages, which are the consequential harm. This confusion is widespread among federal courts since the Supreme Court’s recent decision in Spokeo v. Robins. The appeal is pending before the U.S. Court of Appeals for the Eighth Circuit.
Top News
- EPIC Scrutinizes FBI "Insider Threat" Database: In comments to the FBI, EPIC criticized a proposed "Insider Threat" database that would gather virtually unlimited amounts of personal data outside the protections of the federal Privacy Act. EPIC urged the FBI to limit the scope of data collection and drop proposed Privacy Act exemptions. Citing the recent surge in government data breaches, including the breach of 21.5 million records at OPM, EPIC warned that FBI data practices pose a risk to federal employees. EPIC has consistently warned against inaccurate, insecure, and overbroad government databases. Earlier this year, EPIC filed comments with DOD and DHS regarding similarly flawed proposals to expand data collection without adequate privacy safeguards. (Oct. 20, 2016)
- Senators Seek Answers About Yahoo's Massive Data Breach: Led by Senator Patrick Leahy, several senators sent a letter to Yahoo’s CEO, Marissa Mayer, seeking answers about the massive data breach that compromised the sensitive data of 500 million accounts. The Senators were troubled by the delay in breach notification, stating “We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week.” EPIC testified in support of strong data breach notification laws in 2009 and 2011 and urged Congress to ensure that users are “notified promptly” when personal information is wrongfully disclosed. EPIC launched “Data Protection 2016” to make privacy a campaign issue and recently filed an amicus brief to protect the ability of consumers to sue companies that fail to protect their personal information. (Sep. 27, 2016)
- Data Protection 2016: 500 Million Yahoo Users Victims of Massive Data Breach » (Sep. 22, 2016)
Yahoo has announced that the personal data of at least 500 million users was breached in late 2014. The breach included users’ names, email addresses, telephone numbers, dates of birth, passwords and security questions and answers. For many years, EPIC has urged the Administration and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. This year EPIC launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election, calling it “the most important, least well understood issue” of this election.
- House Report Criticizes OPM Handling of Massive Data Breach Last Year » (Sep. 7, 2016)
In a press release, the House Oversight and Government Reform Committee released a report criticizing the Office of Personnel Management’s handling of the data breach in 2015. The breach compromised the information of over 21.5 million individuals, including federal employees, their families and friends. The report concluded the OPM breach was preventable and recommended numerous measures including less use of social security numbers. For many years, EPIC has urged the Administration and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. EPIC has also supported new limits on the collection and use of the SSN. This year EPIC launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election.
- Data Protection 2016: Nationwide Hotel Data Breach » (Aug. 15, 2016)
Sheraton, Hyatt, Westin, and Marriott hotels in 10 states and Washington, D.C. have announced that hotel payment records were breached beginning as early as March 2015. Malware discovered in at least 20 hotels across the country collected customers’ names and payment card numbers, card expiration dates, and verification codes. Surprisingly, the hotels said that they will not notify individual customers of the breach. Almost every state in the country has a mandatory breach notification law. Hyatt announced another payment card breach earlier this year at 250 hotels in approximately 50 countries. EPIC launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election, calling it “the most important, least well understood issue” of this election.
- EPIC Defends Right of Data Breach Victims to Seek Legal Relief » (Jul. 20, 2016)
EPIC has filed an amicus brief urging a federal appeals court to protect a consumer’s ability to sue companies that fail to protect their personal information. A group of consumers sued a grocery chain after faulty security practices left their credit card information exposed to hackers. A lower court dismissed the privacy case because consumers had not yet suffered from fraudulent transactions. In its brief, EPIC explained that the court misunderstood the relevant law, confusing the legal obligations of companies to maintain good security with the harm that consumers eventually suffer. For the purposes of filing a lawsuit, EPIC said courts should focus on whether companies have violated a legal obligation such as safeguarding personal data, including credit card information. EPIC regularly files briefs defending consumer privacy.
- Lack of Privacy Impacts Internet Use, Economy, Says NTIA Survey » (May. 16, 2016)
A recent study by the National Telecommunications and Information Administration found that nearly half of Internet users in the US refrained from online activities due to privacy and security concerns. Identity theft was the top concern, cited by 63 percent of respondents, followed by financial fraud, noted by 45 percent. Nearly a quarter of Americans cited concerns about online tracking. “In addition to being a problem of great concern to many Americans, privacy and security issues may reduce economic activity and hamper the free exchange of ideas online,” NTIA concluded. EPIC has supported enactment of the Consumer Privacy Bill of Rights and recently launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election.
- NY Attorney General Reports 40% Increase in Data Breaches » (May. 5, 2016)
New York Attorney General Eric Schneiderman announced that his office has received 459 notices of data breaches impacting New Yorkers so far in 2016, representing a 40 percent increase over the same period last year. The office expects to receive a record-setting thousand notices or more this year. "Data breaches are an escalating threat to our personal and national security, and companies need to do more to ensure reasonable security practices and best standards are in place to protect our most sensitive information," said Schneiderman. EPIC recently launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election.
- California AG Releases 2016 Data Breach Report, Retail and Financial Sectors Most Vulnerable » (Feb. 18, 2016)
A new report from California Attorney General Kamala Harris examines data breaches in California from 2012 to 2015. There were 657 data breaches during the last four years, which compromised over 49 million records. The retail sector experienced the largest share of breaches at 25%, followed by the financial sector at 18%. Among several recommendations, the report recommends that organizations adopt strong encryption. "Government and the private sector have a shared responsibility to safeguard consumers from threats to their privacy, finances, and personal security," Attorney General Harris stated. The Attorney General received a 2015 EPIC Champion of Freedom Award. EPIC recently launched "Data Protection 2016," a non-partisan campaign to make data protection an issue in the 2016 election.
- Hackers Breach US Government Database, No Recourse for Non-Americans » (Feb. 9, 2016)
Less than a week after the European and US governments struck a deal for a framework to permit transborder data flows of personal data, hackers breached sensitive personal data at the US Department of Homeland Security. The DHS stores vast amounts of personal information on non-US persons, including detailed travel information. Under current law, non-US persons have no legal rights when federal agencies fail to safeguard their personal data. EPIC is seeking release of the so-called "Privacy Shield" and has launched a new campaign to promote Data Protection in the United States.
- Markey and Barton Pursue VTech Data Breach » (Dec. 2, 2015)
Senator Edward Markey (D-Mass.) and Congressman Joe Barton (R-Tex) have asked VTech, "How do you protect children's information?" The electronic toy producer recently exposed the personal profiles of millions of children in a cyber hack. The personal data included names, mailing addresses, email addresses, download history, birthdates, and genders. Senator Markey and Congressman Barton asked about VTech's data and security practices, including compliance with the Children's Online Privacy Protection Act, data the company collects about children, and security standards. EPIC has testified several times before Congress on protecting children's data and supported the updates to the Children's Online Privacy Protection Act.
- Administrative Decision Tosses LabMD Data Security Case » (Nov. 21, 2015)
An administrative law judge has dismissed an FTC complaint alleging that LabMD failed to provide reasonable data security for personal information. The administrative law judge found that the FTC's regulation of unfair trade practices requires a showing that consumer harm was "probable," not just "possible." The decision--which is not binding on federal or state courts--leaves in place the decision in FTC v. Wyndham, which held that the FTC can enforce data security standards. EPIC filed an amicus brief in Wyndham, defending the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards."
- EPIC Testifies Before Senate on Risks of SSN on Medicare Cards » (Oct. 6, 2015)
EPIC will testify before the Senate Committee on Aging about "Protecting Seniors from Identity Theft: Is the Federal Government Doing Enough?" A law enacted earlier this year prohibits the inclusion of SSNs on Medicare cards, but the federal agency tasked with implementing the change has said it will take years. In a prepared statement, EPIC President Marc Rotenberg warns about the growing risk of SSN-related identity theft. Mr. Rotenberg said, "Given the growing risk of identity theft coupled to the SSN and the fact that other federal agencies have already removed the SSN from identity cards, there is simply no excuse for further delay." EPIC has long urged Congress and state legislators not to use the SSN on identity documents.
- Appeals Court Upholds FTC's Data Security Authority » (Aug. 24, 2015)
A federal appeals court ruled that the Federal Trade Commission can enforce data security standards. In FTC v. Wyndham, the agency sued Wyndham hotels after the company exposed financial data of hundreds of thousands of customers. The company argued that the FTC lacked authority to enforce security standards, but the court disagreed. EPIC filed an amicus brief, joined by leading technical experts and legal scholars, defending the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards." EPIC explained that data breaches, which caused more than $500 million in damages last year alone, are one of the top concerns of American consumers.
- Federal Appeals Court Revives Driver Privacy Claims » (Aug. 20, 2015)
In McDonough v. Anoka County, a federal appeals court has revived several cases under the Driver's Privacy Protection Act. A lower court previously ruled that the plaintiffs, including female journalists, failed to bring the claims in time. EPIC argued as amicus that "discovery" not "occurrence" is the correct standard for time limitations in privacy cases. Although the appellate court affirmed that some claims were time barred, it permitted many of the claims to proceed. The defendants' justifications for accessing the plaintiffs' driving records, wrote the court, "are not sufficiently convincing to undermine the reasonable inference of impermissible purpose." The appellate court also acknowledged that "[EPIC] raises legitimate concerns about the ability of identity thieves to utilize sensitive personal information found in motor vehicle records and the difficulty in detecting such a crime within the applicable limitations period."
- Federal Appeals Court Recognizes "Substantial Risk of Future Harm" » (Jul. 29, 2015)
In a landmark opinion, the Seventh Circuit Court of Appeals has ruled that a class action lawsuit against Neiman Marcus may continue because of the ongoing risk to customers whose personal information was compromised in a data breach. The case stems from a breach of the Neiman Marcus customer database that led to the release of 350,000 credit cards and exposed more than 9,200 customers to fraud. A lower court ruled that since the identified fraud victims had been reimbursed, Neiman Marcus was off the hook for future claims. However, the Seventh Circuit ruled that the plaintiffs, customers who were not yet aware of fraud, faced a "substantial risk of future harm," and that risk was enough to allow the class action to continue. According to the Federal Trade Commission, identity theft remains the top concern of American consumers.
- Massive Government Data Breach Even Worse than Reported » (Jun. 25, 2015)
A Congressional hearing on the Office of Personnel Management data breach has now revealed one of the worst data breaches in US history. The agency initially reported that the personal information of 4 million government employees was obtained, but news reports suggest the breach was much larger--exposing the social security numbers of more than 18 million people. EPIC has urged the White House and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. EPIC has also testified before the House and the Senate in support of stronger security measures to protect personal data.
- California AG Urges Congress to Reform Data Breach Notification Bill » (May. 21, 2015)
California Attorney General Kamala Harris has admonished the House Energy and Commerce Committee about the proposed Data Security and Breach Notification Act. In a letter to Committee leadership, Harris wrote, "I urge you to recognize the important role that states play in developing innovative approaches to consumer protection, and to reject a one-size-fits all law that establishes a ceiling rather than a floor on data security and data breach notification and consumer protection." California's Constitution guarantees the right to privacy, and California passed the first ever state data breach notification law. EPIC has also warned that the House bill would preempt stronger state laws and strip the FCC of its authority to defend consumer privacy.
- EPIC Launches State Policy Project » (May. 5, 2015)
EPIC has launched the EPIC State Policy Project to track legislation across the country concerning privacy and civil liberties. The EPIC State Project will identify new developments and model legislation. The Project builds on EPIC's extensive work on emerging privacy and civil liberties issues in the states. The new State Project will focus on student privacy, drones, consumer data security, data breach notification, location privacy, genetic privacy, the right to be forgotten, and auto black boxes.
- House Reconsiders Data Breach Bill » (Apr. 15, 2015)
Members of the Energy and Commerce Committee have convened to rework the Data Security and Breach Notification Act. The Act, introduced by Reps. Blackburn and Welch, would require businesses to notify consumers of a data breach "unless there is no reasonable risk of identity theft or financial harm." The bill would also preempt stronger state laws, and would strip the FCC of its authority to protect consumer privacy. Rep. Frank Pallone and others have raised concerns. EPIC previously urged Congress to adopt baseline federal law that would allow states to develop innovative legislative responses to privacy risks.
- Massive AT&T Consumer Privacy Violation Results in $25 Million FCC Penalty » (Apr. 8, 2015)
The Federal Communications Commission has settled an enforcement action against AT&T for the company's massive consumer privacy violations. According to the Commission, employees at AT&T call centers around the world accessed the "CPNI" (call record information) of nearly 280,000 U.S. customers without their permission. Then AT&T distributed that information to traffickers of stolen cell phones. As a condition of settlement, AT&T will pay a $25 million penalty, eclipsing the 2014 Verizon settlement as the FCC's largest ever data security action. EPIC has long supported the robust defense of CPNI privacy.
- Data Breach Bill Would Preempt State Law, Weaken FCC Authority » (Mar. 13, 2015)
Representatives Burgess, Blackburn, and Welch have proposed a bill for data breach notification. The Data Security and Breach Notification Act would require businesses to notify consumers of a data breach "unless there is no reasonable risk of identity theft or financial harm." The bill would also preempt stronger state laws, and would strip the FCC of its authority to protect consumer privacy. In 2005, EPIC testified before Congress on "Identity Theft and Data Broker Services" and urged the regulation of data brokers following the disclosure that Choicepoint sold personal information to identity thieves. In 2009 and again in 2011, EPIC favored baseline federal law that would allow states to innovate and develop new legislative responses to privacy risks.
- Federal Court Considers FTC's Data Protection Authority » (Mar. 3, 2015)
A federal appeals court heard arguments today in FTC v. Wyndham, an important data privacy case. Wyndham Hotels, which revealed hundreds of thousands of customer records following a data breach, is challenging the FTC's authority to enforce data security standards. In an amicus brief joined by legal scholars and technical experts, EPIC defended the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards." EPIC explained that the damage caused by data breaches - more than $500 million last year - makes data security one of the top concerns of American consumers. EPIC warned the court that "removing the FTC's authority to regulate data security would be to bring dynamite to the dam."
- Anthem breach Shows Risks of "Big Data" » (Feb. 5, 2015)
One of the largest health insurers in the country has lost millions of medical records of American consumers. The most recent breach of sensitive medical information shows the dangers of "Big Data" and the mistaken conclusion of the report of the President's Science Advisors, which simply assumed the benefits of data collection. EPIC has urged the FTC to establish data minimization procedures for companies to limit the risks of data breaches.
- EPIC Urges House to Safeguard Consumer Privacy » (Jan. 26, 2015)
EPIC has sent a statement to the House Commerce Committee for the hearing, "What are the Elements of Sound Data Breach Legislation?". EPIC had testified before the House Committee in 2011 on data breach notification, urging Congress to set a national baseline standard. EPIC also supports enactment of the Consumer Privacy Bill of Rights. EPIC also urged the House Committee to promote "algorithmic transparency." EPIC has warned that “[t]he ongoing collection of personal information in the United States without sufficient privacy safeguards has led to staggering increases in identity theft, security breaches, and financial fraud.”
- Obama Issues Executive Order to Strengthen Consumer Privacy » (Oct. 17, 2014)
President Obama signed an Executive Order today to Improve the Security of Consumer Financial Transactions. The Order will require enhanced security features for government financial transactions, including chip-and-PIN technology which has greatly reduced financial fraud and identity crimes in Europe. The Executive Order states that "the Government must further strengthen the security of consumer data and encourage the adoption of enhanced safeguards nationwide in a manner that protects privacy and confidentiality..." The White House also announced a series of measures to safeguard consumer financial security, including more secure payment systems, efforts to reduce identity theft and support "algorithmic transparency." EPIC has endorsed many of these proposals. The White House also announced a summit on cybersecurity and consumer protection. For more information, see EPIC: "Cybersecurity and Data Protection in the Financial Sector" (House 2011), EPIC: "Cybersecurity and Data Protection in the Financial Sector" (Senate 2011), and EPIC: Identity Theft.
- Home Depot Data Breach Exposes Millions of Credit Card Records » (Sep. 4, 2014)
A data breach at Home Depot might have exposed millions of consumers' credit card records, according to an announcement from Home Depot's corporate center. "We're looking into some unusual activity that might indicate a possible payment data breach," the announcement read, "If we confirm a breach has occurred, we will make sure our customers are notified immediately." In the last year, 70 million Target customers, 33 million Adobe users, 4.6 million Snapchat users, and potentially all 148 million eBay users had their personal information exposed by database breaches. In May of this year, the President's science advisors surprisingly found little risk in the massive collection of personal data by companies. However, a recent FTC report on data brokers warned that "collecting and storing large amounts of data not only increases the risk of a data breach or other unauthorized access but also increases the potential harm that could be caused." EPIC has urged the White House to enact the Consumer Privacy Bill of Rights and to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. For more information, see EPIC: Big Data and the Future of Privacy, and EPIC: Identity Theft.
- Report - Half of American Adults' Data Hacked So Far This Year » (May. 29, 2014)
A new report finds that 432 million online accounts in the US have been hacked this year, affecting about 110 million Americans. In the last year, 70 million Target customers, 33 million Adobe users, 4.6 million Snapchat users, and potentially all 148 million eBay users had their personal information exposed by database breaches. Earlier this month, the President's science advisors found little risk in the continued collection of personal data. However, the FTC's recent report on data brokers warned that, "collecting and storing large amounts of data not only increases the risk of a data breach or other unauthorized access but also increases the potential harm that could be caused." Earlier, EPIC urged the White House to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. For more information, see EPIC: Big Data and the Future of Privacy, EPIC: Identity Theft and EPIC: Choicepoint.
- FTC Chair Ramirez Urges Senate to Act on Data Security Legislation » (Feb. 5, 2014)
The Senate Judiciary Committee hearing on "Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime" followed a series of major data breaches at Target, Neiman Marcus, and Michaels, which compromised the personal data of tens of millions of consumers. Senator Leahy, who has introduced important data privacy legislation, said "In the digital age, Americans face threats to their privacy and security unlike any time before in our Nation's history." FTC Chair Edith Ramirez expressed strong support for federal data security legislation (2h18m). In 2012 President Obama set out a framework for consumer privacy protection, the Consumer Privacy Bill of Rights, which is supported by consumer privacy organizations. For more information, see EPIC: Privacy Legislation, EPIC: Identity Theft, and EPIC: Federal Trade Commission.
- Senator Leahy Proposes Consumer Privacy Legislation » (Jan. 9, 2014)
Senator Leahy has introduced the Personal Data Privacy and Security Act of 2014. The Act would strengthen privacy and data security by establishing a national standard for data breach notification, and requiring companies to create a data privacy and security program to protect and secure sensitive data. The bill follows a massive data breach at Target that compromised the personal data of more than 40 million consumers. Senator Leahy stated that the bill "aims to better protect Americans from the growing threats of data breaches and identity theft" and said there would be a hearing in the Judiciary Committee later this year. In 2012 President Obama set out a framework for consumer privacy protection, the Consumer Privacy Bill of Rights. For more information, see EPIC: Privacy Legislation and EPIC: Identity Theft.
- Identity Theft Remains Top Concern of US Consumers » (Feb. 29, 2012)
According to the Federal Trade Commission, identity theft was the top source of consumer complaints in 2011, comprising 15 percent of the 1.8 million total complaints filed. This is the 12th year in a row in which identity theft has occupied the top position. The report contains data on 30 complaint categories, which are broken down by metropolitan areas and provided to state and local law enforcement offices. For more information, see EPIC: FTC and EPIC: Identity Theft.
- Data Breach Legislation Moves Forward in the Senate » (Sep. 26, 2011)
Three data breach bills are headed to the Senate floor after a favorable vote in the Senate Judiciary Committee. The bills [S. 1151, S. 1535, S. 1408] set out a variety of approaches to protecting user data and warning users when personal data is improperly released. Testifying recently before the Senate and the House, EPIC has supported new measures for online privacy but warned against a federal law that would "preempt" stronger state laws.
- California Passes Updated Data Breach Legislation » (Sep. 1, 2011)
California has enacted Senate Bill 24, first introduced in 2001 by Senator Joe Simitian, which strengthens existing state breach notification law. Since 2002, California law has required data holders to notify individuals if their data is breached, but the law did not specify what information should be included in the notification. This new law specifies the information that should be provided, including instructions on how to contact credit agencies. The law also requires that the state Attorney General be notified in the event of a breach. EPIC testified in 2009 before the House Commerce Committee against "federal preemption" in national data breach legislation, citing important legislative innovations to protect consumers that take place in states such as California. For more information, see EPIC: ID Theft.
- House Subcommittee Approves Weak Data Breach Bill » (Jul. 21, 2011)
A House Commerce Subcommittee voted in favor of the SAFE Data Act, a data breach bill sponsored by Rep. Bono Mack (R-CA). The bill requires companies to act quickly in the case of breach and encourages minimization of data collection. However, the bill preempts stronger state laws and does not adequately protect personal information. EPIC Executive Director Marc Rotenberg testified before the Subcommittee on this bill. EPIC emphasized the growing problem of data breaches and the likelihood that problems would get worse as more user data moves to cloud-based services. For more information, see EPIC: Identity Theft. Webcast.
- In Response to Mounting Evidence of Data Breach Risk, EPIC Urges Congress to Act » (Jun. 21, 2011)
EPIC Executive Director Marc Rotenberg testified before the Senate Banking Committee, urging lawmakers to apply breach notification regulations to financial institutions and promote authentication techniques that reduce risks to consumers. EPIC observed that "current laws do not adequately protect consumers," and highlighted a series of recent high profile data breaches in the financial sector. The hearing, "Cybersecurity and Data Protection in the Financial Sector," follows May 2011 data breaches at Citigroup and Bank of America. The breaches exposed sensitive financial data linked to hundreds of thousands of consumers; individuals lost millions of dollars from their accounts. EPIC previously testified before the House concerning data breach legislation. For more, see EPIC: Identity Theft and EPIC Testifies in Congress on Data Breach Legislation.
- EPIC Testifies in Congress on Data Breach Legislation » (Jun. 15, 2011)
EPIC Executive Director Marc Rotenberg testified today before the House Commerce Committee on the SAFE Data Act, a bill introduced by Rep. Bono Mack to require greater protection for sensitive consumer data and timely notification in case of breach. EPIC emphasized the growing problem of data breaches and the likelihood that problems would get worse as more user data moves to cloud-based services. EPIC supported recent changes in the bill that would require companies to act more quickly in case of breach and encourage minimization of data collection. EPIC recommended changes in the bill to strengthen enforcement, require notification, protect identifiers linked to individuals, and ensure that state governments are able to respond on behalf of consumers as new problems emerge. Webcast.
- Senator Leahy Introduces Data Privacy Bill » (Jun. 8, 2011)
Senator Leahy introduced the Data Privacy Bill of 2011, which is aimed at increasing protection for Americans' personal information and privacy. The bill establishes a national breach notification standard, and requires businesses to safeguard consumer information and allow consumers to correct inaccurate information. Leahy previously sponsored the Personal Data Privacy and Security Act in 2005 and has introduced similar legislation in the last three Congresses. For more information, see EPIC: Identity Theft and Summary of Legislation.
- EPIC Tells FTC To Step Up Enforcement Against Debt Collectors » (May. 27, 2011)
EPIC submitted a statement to the Federal Trade Commission in response to a public request for feedback about new trends in technology, consumer protection, and the debt collection industry. EPIC argued that Congress has authorized the FTC to bring much stronger regulations to bear on the debt collection industry. The Federal Debt Collection Practices Act prohibits debt collectors from publicizing consumers' debts to any third party. Section 5 of the FTC Act bars unfair and deceptive trade practices. The Gramm-Leach-Bliley Act gives debt collectors an affirmative legal duty to protect the sensitive information they collect. Congress gave the FTC authority to enforce all three of these laws. EPIC cited the sharp rise in complaints to the agency about debt collectors and a recent criminal case against debt collectors who coordinated with an identity theft scheme in Buffalo, New York as compelling reasons for the agency to introduce meaningful enforcement actions. For more information, see EPIC: Identity Theft.
- Senator Leahy Calls for Updates to Federal Privacy Law, Attorney General Confirms Sony Investigation » (May. 4, 2011)
At a Justice Department oversight hearing, Senate Judiciary Chairman Patrick Leahy today urged Congress to enact the bipartisan Personal Data Privacy and Security Act. He also said that the "collection, use and storage of Americans’ sensitive personal information, including by mobile technologies, is an important privacy issue." He asked the Attorney General to work with the Congress on updates to the Electronic Communications Privacy Act and other Federal laws implicating Americans’ privacy. During the hearing, the Attorney General confirmed an investigation into the Sony network attack, considered the most serious data breach to date. For more information, see EPIC - Wiretapping, EPIC - Identity Theft.
- Senator Blumenthal Asks Justice Department to Investigate PlayStation Breach » (Apr. 29, 2011)
Senator Richard Blumenthal (D-CT) wrote to Attorney General Eric Holder asking that the Department of Justice open an investigation into the Sony PlayStation security breach. Sony recently informed PlayStation Network customers that an "unauthorized user" had obtained the personal and financial information of 70 million gamers, including minors. Blumenthal wrote that whoever hacked into the PlayStation Network violated the Computer Fraud and Abuse Act. He also expressed concern about Sony's week-long delay in notifying users about the breach. In 2009, EPIC testified before Congress about the need to strengthen data breach notification laws, noting "in the absence of security obligations and breach notification requirements, it is too easy for firms to continue bad practices." For more information, see EPIC: Identity Theft.
- Privacy Watchdog Receives Broad Protection for Publishing Public Records » (Apr. 15, 2011)
A federal judge has issued a final order in favor of privacy advocate Betty Ostergren, who challenged a state law designed to prosecute her for drawing attention to the state's poor security practices. Ostergren had posted public records on her website that included Social Security Numbers made available by the state of Virginia. A district court held that Virginia may not prosecute her for re-publishing the Social Security Numbers of state officials. On appeal, a federal appeals court ruled that the court’s holding was too limited, and on remand the court said that Ostergren can re-publish any publicly available documents. EPIC filed a "friend of the court" brief in support of Ostergren, urging the court to hold that the First Amendment protects Ostergren's speech. For more information, see EPIC: Ostergren v. McDonnell, EPIC: Social Security Numbers, and EPIC: Identity Theft.
- Epsilon Data Breach Threatens E-mail Privacy of Millions » (Apr. 7, 2011)
Epsilon, a large marketing firm, has lost the names and e-mail addresses of customers of Walgreens, JP Morgan Chase, Capital One, Tivo, and other large companies. The firm announced the data breaches late last week. Data service providers, such as Epsilon, are not well known by consumers and are not typically regulated. Epsilon provides data analytics, targeting, and profiling of customers, as well as e-mail tracking services. Previously, EPIC provided comments to the Federal Trade Commission and testimony to the United States Congress on the need for comprehensive privacy protection for customer data. For more information, see EPIC: Identity Theft.
- Social Security Protection Act of 2010 Becomes Law » (Dec. 23, 2010)
President Obama signed a bill aimed at reducing identity theft by limiting the Government's use of and access to social security numbers. The bill, which passed the House and Senate, prohibits government agencies from printing social security numbers on checks and from allowing prison inmates access to social security numbers. "Social Security numbers are among Americans' most valuable but vulnerable assets," said Sen. Feinstein, a sponsor of the bill. "Identity theft is a serious concern for all consumers, and we should make every effort to protect personal information." EPIC has testified many times before Congress on the need to safeguard the SSN, including House hearings in 2000, 2001, 2006, and 2007, and EPIC has also litigated important cases on SSN privacy. For more information, see EPIC: Social Security Numbers, EPIC: Identity Theft, and EPIC: Doe v. Chao.
- Web Companies Defend Data Collection Practices, Google Absent » (Oct. 12, 2010)
Eleven internet companies responded to Rep. Markey and Rep. Barton's request for information regarding their data collection practices. However, the companies said that it is "impossible" for them to eliminate online tracking of consumer behavior. Google refused to respond to the survey questions. At the same time, Microsoft, Intel Corp. and E-bay announced support for Rep. Rush's "Best Practices Act." This bill contains a private right of action as well as a safe harbor for companies that comply with a self-regulatory "Choice Program" approved by the Federal Trade Commission. EPIC recently testified before Chairman Rush's committee and recommended new safeguards for Internet users. For more information, see EPIC: Identity Theft.
- Senate Holds Hearing on Data Security and Breach Notification Bill » (Sep. 24, 2010)
The Senate Commerce Committee held a hearing on S. 3742, The Data Security and Breach Notification Act of 2010. This bill requires security policies for consumer information, regulates the information broker industry, and establishes a national breach notification law. EPIC director Marc Rotenberg testified on a similar bill in the House recommending support but also urging lawmakers to strengthen the proposed law by adopting a broader definition of "personally identifiable information" and permitting stronger state laws to remain. The Senate thus far has not addressed these concerns. For more information, see EPIC: Identity Theft.
- Appeals Court Protects Free Speech for Privacy Advocate » (Jul. 26, 2010)
Privacy Advocate Betty Ostergren has won in federal appeals court in her challenge to a state law designed to prosecute her for drawing attention to the state's online publication of SSNs. In Ostergren v. Cuccinelli, the court ruled that the Commonwealth of Virginia may not prosecute Ostergren for publishing the SSNs of state officials available in public land records until the Commonwealth itself stops making these unredacted documents available. EPIC filed a "friend of the court" brief in support of Ostergren, urging the court to hold that the First Amendment protects Ostergren's speech. For more information, see EPIC Ostergren v. McDonnell, EPIC Social Security Numbers, and EPIC Identity Theft.
- FTC Delays Identity Theft Rule Yet Again » (Jun. 2, 2010)
The Federal Trade Commission is delaying, for the fourth time, its enforcement of the "Red Flags Rule." This rule requires creditors and financial institutions to implement programs to identify, detect and respond to the warning signs, or “red flags,” that could indicate identity theft. The FTC has decided to delay enforcement through the end of the year in order to give Congress time to enact legislation that could clarify what kind of entities would be considered "creditors" under the rule. For more information, see EPIC: Identity Theft.
- Inspector General: ID Theft Not a Priority at Justice Department » (Mar. 31, 2010)
The Inspector General's Office released a new report on the Department of Justice's Efforts to Combat Identity Theft. The report states that identity theft is a growing problem, but the Justice Department's efforts to combat the crime have "faded as priorities." The Inspector General concludes that the Department has failed to develop a coordinated plan to combat identity theft since a 2007 task force report. In 2007, EPIC proposed a comprehensive strategy to "address the root causes of identity theft: excessive data collection and lax security practices." For more information, see EPIC: Identity Theft.
- Massachusetts Data Protection Law Goes into Effect » (Mar. 10, 2010)
Massachusetts’s new data protection law went into effect at the beginning of March. The law applies to all companies that own or license the personal information of Massachusetts residents. According to the new regulations, companies are now required to create a comprehensive security program that details how personal information will be safeguarded. Governor Deval Patrick stated, “Consumers should feel confident that their personal information is protected, and not exposed to loss or theft. These regulations improve the safety of personal information, while giving businesses the flexibility to secure that information without undue burden.” For more information on privacy and identity theft, see EPIC: Identity Theft.
- House Passes Data Breach Bill » (Dec. 11, 2009)
Today, legislators passed the Data Accountability and Trust Act, which requires security policies for consumer information, regulates the information broker industry, and establishes a national breach notification law. The bill now moves to the Senate, which is also considering a similar measure sponsored by Senator Patrick Leahy. In May, EPIC Director Marc Rotenberg testified before Congress, urging lawmakers to strengthen the proposed law by adopting a broader definition of "personally identifiable information" and permitting stronger state laws to remain. For more, see EPIC Identity Theft.
- EPIC Urges Court to Protect Speech of Privacy Advocate » (Oct. 19, 2009)
Today, EPIC filed a "friend of the court" brief with the Fourth Circuit Court of Appeals, urging the court to hold that the First Amendment protects the speech of Betty Ostergren, a privacy advocate. Ostergren runs a website that republishes Social Security Numbers, collected from public records, to persuade Virginia lawmakers to stop releasing documents that reveal Social Security Numbers. Under Virginia law, Ostergren could be prosecuted for publishing SSNs, even though Virginia makes the numbers widely available. A lower court held that the law violated Ostergren's First Amendment rights. Virginia appealed. EPIC's brief urges the appeals court to uphold the lower court's ruling. For more information, see EPIC Ostergren v. McDonnell, EPIC Social Security Numbers, and EPIC Identity Theft.
- California Governor Vetoes Consumer Privacy Bill, but Signs Bill to Strengthen Celebrity Privacy » (Oct. 16, 2009)
Governor Schwarzenegger has terminated S.B. 20, a bill that would have strengthened California's data breach laws by requiring that consumers be notified every time their privacy was compromised. But the Governor and "Terminator" star signed A.B. 524, an amendment to California's current anti-paparazzi law that will protect the privacy of celebrities by making it easier to sue photographers and media outlets for taking or purchasing unauthorized pictures. For more information about privacy in California, see the California Office of Information Security and Privacy Protection.
- House Committee to Consider Data Breach Bill » (Sep. 29, 2009)
On September 30, the House Energy and Commerce Committee will consider a proposed federal law that would establish national standards for data breach notifications. The Data Accountability and Trust Act (DATA) also regulates information brokers and requires companies to adopt security policies. The Senate is considering a similar bill that protects additional categories of consumer information. In May, EPIC testified before Congress on the DATA bill, highlighting the importance of regulating data brokers, but warning of the dangers posed by federal laws that preempt stronger state privacy safeguards. In May, President Obama stated that "executive departments and agencies should be mindful that in our Federal system, the citizens of the several States have distinctive circumstances and values, and that in many instances it is appropriate for them to apply to themselves rules and principles that reflect these circumstances and values." For more information, see EPIC Identity Theft.
- FTC Issues Final Breach Notification Rule for Electronic Health Information » (Aug. 21, 2009)
The Federal Trade Commission issued a final rule requiring breach notification by vendors of medical records and related entities. In June, EPIC submitted comments recommending that all entities handling electronic health records be subject to the regulation and that the FTC should establish a central location to track and announce breaches. The FTC modified the rule accordingly. EPIC had also recommended that information "accessed" be treated as "acquired", substitute media notices be used as supplemental notification, verification of data breach notices be required, minimum security standards be created, penalties for violations be assessed, and the creation of "safe-harbors" for de-identified data be opposed. The rule was mandated under the American Recovery and Reinvestment Act. See EPIC Medical Privacy and EPIC Identity Theft.
- New Cybersecurity Legislation Introduced in Congress » (Jul. 23, 2009)
Senator Patrick Leahy (D-Vt) introduced The Personal Data Privacy and Security Act of 2009. The statute requires data brokers, business entities and federal agencies to create and implement data privacy and security practices. The bill requires data breach notification, enforces disclosure and accuracy requirements, and establishes an Office of Federal Identity Protection within the FTC. However, the bill preempts stronger state privacy laws and fails to provide a private right of action for consumers. For more information, see EPIC Identity Theft, EPIC Personal Data and Privacy Protection, and EPIC Preemption Page.
- EPIC Urges Comprehensive Strategy for ID Theft » (Jun. 17, 2009)
With ID theft rapidly increasing in the United States, EPIC Executive Director Marc Rotenberg today urged a Congressional Committee to address the root causes of the problem. In testimony before the House Oversight Committee, Mr. Rotenberg said that the government typically acts only after the crime has occurred and warned that the problem will get worse if current trends continue. EPIC recommended a comprehensive strategy for ID Theft that would include: (1) Establishing privacy safeguards for web 2.0 services; (2) Ensuring privacy protections for outsourcing; (3) Enacting comprehensive privacy legislation; (4) Making privacy protection a focal point of cybersecurity policy; and (5) Developing better techniques for Identity Management. See EPIC pages on Identity Theft.
- Congress Holds Open Markup Session on Data Breach Bill » (Jun. 3, 2009)
The Committee on Energy and Commerce held an open markup session on the Data Breach Bill. The Chairman of the subcommittee intends to have a law that is strong and adequately protects consumers. EPIC testified before Congress on this bill, which requires security policies for consumer information, regulates the information broker industry, and establishes a national breach notification law. For more information, see EPIC's page on Identity Theft.
- EPIC Submits Comments on Health Breach Notification to the FTC » (Jun. 1, 2009)
The Federal Trade Commission proposed a rule requiring notification when the security of medical information is compromised. EPIC recommended that all entities handling health records be subject to standard security requirements, that exemptions for de-identified data be tightened, that media notification of health data breaches be enhanced, that additional breach notification be provided through means such as text messages and social networking sites, and that receipt of notifications be verified. See also EPIC's page on Medical Privacy.
- EPIC Testifies Before Congress on Data Breach Bill, Urges Changes to Strengthen Act » (May. 5, 2009)
EPIC Director Marc Rotenberg testified before Congress on the Data Accountability and Trust Act, which would require security policies for consumer information, regulate the information broker industry, and establish a national breach notification law. Rotenberg said "companies need to know that they will be expected to protect the data they collect and that, when they fail to do so, there will be consequences." The EPIC Director opposed the preemption of stronger state laws, recommended the use of text messages for breach notices, and suggested that personally identifiable information be broadly defined to include any information that "identifies or could identify a particular person." To learn more about Identity Theft, see EPIC's Identity Theft page.
- For Identity Theft Law, Supreme Court Rules that the Government Must Prove Intent to Impersonate » (May. 4, 2009)
In a critical case for the emerging field of identity management, the Supreme Court today reversed a lower court opinion and ruled unanimously in favor of the petitioner. The Court held that individuals who provide identification numbers that are not their own, but don’t intentionally impersonate others, cannot be subject to harsh criminal punishments under federal law. The case involved a mandatory 2-year prison term, added on to a prior conviction, for presenting a fake Social Security Number to an employer. EPIC filed an amicus brief in support of the petitioner, arguing that the "unknowing use of inaccurate credentials does not constitute identity theft." For more information, see EPIC, Flores-Figueroa v. United States.
- Supreme Court to Hear Argument in "Identity Theft" Case, EPIC Urges Justices to Protect Privacy Enhancing Technologies » (Feb. 23, 2009)
On Wednesday, the Supreme Court will hear arguments in a case that will determine whether individuals who include identification numbers that are not theirs, but don't intentionally impersonate others, can be subject to harsh criminal punishments under federal law. In Flores-Figueroa v. United States, the petitioner challenged his conviction for "aggravated identity theft." EPIC filed a "friend of the court" brief, on behalf of 17 legal scholars and technical experts, urging the Justices to protect techniques that allow individuals to safeguard privacy. EPIC explained that the crime of "identity theft" should require an intent to impersonate another. The EPIC brief urges the Court to avoid "a precedent that might inadvertently render the use of privacy enhancing pseudonyms, anonymizers, and other techniques for identity management unlawful." For more, see EPIC's Flores-Figueroa v. United States page.
- Data Breaches on the Rise in the US » (Jan. 6, 2009)
A new report from the Identity Theft Resource Center found a 47 percent increase in data breaches in the United States over 2007. Noting 656 reported breaches at the end of 2008, the report identified the company, the category of breach and the number of records exposed. The Center concluded that most breached data was unprotected by either encryption or even passwords. According to the FTC, data breaches are the leading cause of identity theft. For more information, see EPIC's page on Identity Theft.
Questions Presented
Must a plaintiff suffer a concrete harm (i.e., damages) in order to satisfy the injury-in-fact requirement of Article III standing?
Background
Factual History
SuperValu “owns and operates retail grocery stores in the United States. SuperValu controls the payment processing at its stores and also provides payment processing services to AB Acquisition and Albertson’s stores.” Processing payments involves collecting and storing consumers’ personally identifiable information that is embedded in the magnetic strips of their debit and credit cards. The PII collected includes “cardholder names, account numbers, expiration dates, and PINs.”
According to an August 14, 2014 press release, hackers installed malware on SuperValu’s network which processed card transactions. The intrusion “resulted in potential theft of information embedded in the magnetic strip of payment cards for sales transacted at 209 SuperValu stores and 836 AB Acquisition stores” between June 22, 2014 and July 17, 2014.
On September 29, 2014, SuperValu indicated a second data breach occurred in “late August or early September,” in which hackers installed a different malware onto the network processing card transactions for some AB Acquisition and some Albertson’s stores. Following these press releases, four putative class actions were filed on behalf of twelve named plaintiffs. These cases were consolidated by the Judicial Panel on Multidistrict Litigation in December 2014.
Procedural Background and Lower Court Opinion
The consolidated action alleges six claims against the defendants (SuperValu, AB Acquisition, and Albertson’s): violation of eight state consumer protection statutes and six state breach notification statutes, negligence, negligence per se, unjust enrichment, and breach of implied contract. The trial court dismissed without prejudice finding the plaintiffs lacked standing to invoke federal subject matter jurisdiction.
The lower court determined the alleged risks of future harm (i.e., damages) are not imminent. Relying on Reilly v. Ceridian Corp., 664 F.3d 38, 43 (3d Cir. 2011), the court found that the threatened harms (i.e., damages) are speculative in both whether and when the harms will come to pass. Specifically, the allegations rely on whether the hacker: “(1) read, copied, and understood Plaintiffs’ personal information; (2) intends to commit future criminal acts by misusing the information; and (3) is able to use such information to the detriment of Plaintiffs by making unauthorized transactions in Plaintiffs’ names.” According to the court, the single alleged instance of an unauthorized charge that occurred a year after the data breach is not fairly traceable to the defendant.
To dismiss statutory claims, the court relied on In re Barnes & Noble Pin Pad Litig., No. 12-CV-8617, 2013 WL 4759588 (N.D. Ill. Sept. 3, 2013), which stated “plaintiffs must plead an injury beyond a statutory violation to meet the standing requirement of Article III.”
Additionally, the court reiterated mitigation costs cannot establish standing according to Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138 (2013). The court finally said the facts failed to support allegations of diminished value of the plaintiff’s PII, lost benefit of the bargain, or a concrete injury from loss of privacy and confidentiality.
Legal Background
Article III of the U.S. Constitution grants the federal courts judicial power over “cases” and “controversies.” In order to show standing, plaintiffs must establish that they have (1) suffered an injury-in-fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) is likely to be redressed by a favorable judicial decision. Injury-in-fact itself requires the plaintiff suffer an invasion of a legally protected interest that is (1) concrete, (2) particularized, and (3) actual or imminent, not conjectural or hypothetical.
EPIC's Interest
EPIC has a long history of advocating for consumers against the risks of identity theft and financial fraud.
In April 2016, EPIC filed an amicus brief in the Third Circuit case Storm v. Paytime, Inc., which involved a very similar question as In Re SuperValu. EPIC argued that consumers are facing unprecedented threat from data breaches and subsequent misuse of their personal data. Accordingly, now is not the time to be limiting consumers’ options for recourse. EPIC also argued that consequential, downstream harms such as identity theft and financial fraud are irrelevant to whether data breach victims have standing to sue breached companies.
In January 2016, EPIC launched Data Protection 2016, a nonpartisan campaign to make data protection an issue in the 2016 election. The campaign advocates for reduced identity theft and financial fraud and for investigations of the misuse of personal data.
In September 2015, EPIC filed an amicus brief in the Supreme Court case Spokeo v. Robins, which concerns whether courts have jurisdiction to review cases brought based on violations of federal statutory rights. Plaintiff Robins sued Spokeo for violating the Fair Credit Reporting Act by disclosing inaccurate information about him. EPIC filed an amicus brief, advising the Court that now is not the time “to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress.” EPIC highlighted the need for robust privacy and consumer protection laws by demonstrating that “American consumers today face an epidemic of privacy harms, including data breaches, identity theft, and financial fraud.” In 2015 alone, data breaches have “exposed more than one hundred and forty million records of personally identifiable information.” And according to the most recent Department of Justice report, “identity theft cost American consumers more than twenty-four billion dollars” in 2012. In May 2016, the Supreme Court concluded that the U.S. Court of Appeals for the Ninth Circuit had failed to analyze whether Robins's allegations were "concrete," and remanded the case to the lower court.
In April 2014, EPIC submitted comments to the White House Office of Science and Technology Policy’s review of Big Data and the Future of Privacy. In its comments, EPIC warned the OSTP about the risks Americans face from the current big data environment, urged the swift enactment of the Consumer Privacy Bill of Rights, and highlighted the need for stronger privacy safeguards.
EPIC has also repeatedly advised legislators about the need to provide strong protections for consumer data. In October 2015, EPIC testified before the Senate Committee on Aging about protecting senior citizens from identity theft. EPIC warned about the growing risk of SSN-related identity theft, a risk magnified by the inclusion of SSNs on Medicare cards. EPIC had previously warned Congress and state legislators about the risks of using SSNs on identity documents. In June 2011, EPIC testified before the House Committee on Energy and Commerce about the SAFE Data Act, a bill intended to protect consumers’ personal information. EPIC emphasized the growing problem of data breaches and the likelihood that problems would get worse as more user data moves to cloud-based services. EPIC criticized the bill for preempting stronger state laws and for not adequately protecting personal information. The bill was not enacted. And in May 2009, EPIC testified before the House Committee on Energy and Commerce about H.R. 2221, the Data Accountability and Trust Act, and H.R. 1319, the Informed P2P User Act. EPIC opposed the preemption of state laws, recommended the use of text messages for breach notices, and suggested that personally identifiable information be broadly defined to include any information that identifies or could identify a particular person. Both bills died in committee.
Legal Documents
U.S. Court of Appeals for the Eighth Circuit, Nos. 16-2378 and 16-2528
U.S. District Court for the District of Minnesota, No. 14-MD-2586
News
- Cara Salvatore, SuperValu Tells 8th Circ. Not To Revive Shopper-Privacy MDL, Law360 (Aug. 16, 2016)
- Brandon Lowrey, SuperValu Says Data Breach Evidence Came Too Late, Law360 (Apr. 6, 2016)
- Melody McAnally, Data Breach Class Action Against SuperValu Doesn’t Check Out, Butler Snow (Feb. 16, 2016)
- Venkat Balasubramani, More Data Breach Lawsuits Fail In Court-Michaels Stores and SuperValu, Technology & Marketing Law Blog (Jan. 18, 2016)
- Kathryn Rattigan, Data breach class action dismissed against SuperValu for lack of standing, Data Privacy + Security Insider (Jan. 13, 2016)
Resources