Class Action Breach Lawsuits: The Impact of Data for Sale
Attorney Steven Teppler Analyzes Why Georgia Court Ruling Is Significant
After a data breach, if individuals' stolen information is offered for sale on the dark web, that potentially bolsters class action lawsuits filed by plaintiffs against the breached organization, says technology attorney Steven Teppler of the law firm Mandelbaum Salsburg P.C.
Data offered for sale "actually shows that someone is attempting to monetize the victims' information," he says in an interview with Information Security Media Group. "And the likelihood of it being purchased or used is very much more heightened because you have proof that the information is for sale or available and connecting the dots ... is much more clear."
Those arguments were spotlighted in a Dec. 23 ruling by the Georgia Supreme Court to reverse an earlier Georgia Court of Appeals decision that had upheld the dismissal of a class action lawsuit filed against Athens Orthopedic Clinic in the wake of a 2016 cyberattack.
The clinic reported a health data breach in July 2016 to the Department of Health and Human Services as an "unauthorized access/disclosure" incident involving its electronic health records and affecting 201,000 individuals.
The attack was allegedly committed by the hacking group The Dark Overlord, the clinic told ISMG in July 2016.
"The hacker offered at least some of the stolen personal data for sale on the so-called 'dark web,' and some of the information was made available, at least temporarily, on Pastebin, a data-storage website," the Georgia Supreme Court wrote in its ruling.
"The court of appeals concluded that the plaintiffs' negligence claim was properly dismissed because the plaintiffs 'seek only to recover for an increased risk of harm,'" the state supreme court noted in its decision to reverse that ruling.
The high court stated that the plaintiffs in the case alleged that "a thief stole a large amount of personal data by hacking into a business's computer databases ... the thief offered at least some of the data for sale, and all class members now face the 'imminent and substantial risk' of identity theft given criminals' ability to use the stolen data to assume the class members' identities and fraudulently obtain credit cards, issue fraudulent checks, file tax refund returns, liquidate bank accounts and open new accounts in their names."
The court adds: "Assuming the truth of these allegations, as we must at this stage, [we] presume that a criminal actor has maliciously accessed the plaintiffs' data and has at least attempted to sell at least some of the data to other wrongdoers. Moreover, an important part of the value of that data to anyone who would buy it in that fashion is its utility in committing identity theft."
In the Athens Orthopedic breach case involving medical data, "there's a heightened risk because of the richness of the information and amount of information per victim that was exposed," says Teppler, who is not involved in the case.
"The defendant's alleged negligence exposed the plaintiffs to risk of harm that was more likely to occur because of the fact that the threat actor - the criminal who stole the information - was actually offering it for sale on the dark web. So, you could more likely connect the dots between the sale of this information and an imminent identity compromise."
In the interview, Teppler also discusses:
- What else stands out about the recent Georgia Supreme Court ruling;
- The significance of the ruling in the context of other data breach litigation trends;
- Predictions about other cyber trends and related litigation in 2020.
Teppler leads the electronic discovery and technology-based litigation practice at the law firm Mandelbaum Salsburg P.C. He's the co-chair of the American Bar Association's IoT Committee; a member of the Seventh Circuit Court of Appeals Electronic Discovery Pilot Program; and a founder and co-chair of the American Bar Association's IoT National Institute as well as the ABA's National Institute on Electronic Discovery and Information Governance.