Laws regarding data hacks, companies remain murky

Data hacks are happening at an alarming rate to some of the world’s largest companies, but consumers whose personal information is being stolen are struggling to hold those companies accountable.

The problem, legal analysts say, is victims have a rough time connecting any one hack to a problem with their own credit or finances — without that direct link, judges have been tossing efforts to get companies to do more than provide credit monitoring.

“The ordinary consumer really has very little recourse,” said Paul Rosenzweig, a law professor at George Washington University. “I would advise the ordinary consumer to seek changes in the law.”

With hacks expected to grow in number and severity, it’s an issue voters, lawmakers and businesses are likely to confront. Among the questions legal analysts are debating is what constitutes negligence on a company’s part, how far liability extends and what sorts of incentives can be put in place to make sure companies are willing to report hacks.

After Equifax suffered its breach earlier this year affecting more than 143 million people, it waited more than 40 days to notify customers.

Uber, meanwhile, waited more than a year after its hack of information on roughly 57 million customers before it alerted them to the theft.

The company also paid its hackers $100,000 to destroy the data, which has sparked several investigations into the transportation platform.

Those breaches set off a round of bills introduced in Congress trying to get at the problem.

Mr. Rosenzweig said laws could require companies pay liquidated damages, so instead of customers proving exact cause and effect of suffering economic loss after a hack, they could collect a set amount of money from the company breached such as $1,000.

“Until companies are required to be liable for the harms they cause directly and indirectly from their lack of cyber security of their systems, we are going to continue to systematically underinvest in cyber security as a country — that’s true of Uber,” he said.

One bill offered by Sen. Bill Nelson, Florida Democrat, would require companies to notify customers of an attack within 30 days, and if anyone concealed the hack, he or she would face up to five years in prison.

Sen. Patrick Leahy, Vermont Democrat, also introduced a bill requiring notification standards and safeguard practices, mandating companies take preventative steps to avoid cyber breaches.

Hacks go beyond the private sector.

The IRS in 2015 saw hackers access financial transcripts of tens of thousands of taxpayers. The federal Office of Personnel Management also revealed in 2015 that it had suffered a devastating breach with the most sensitive information from 22 million personnel files stolen.

Labor unions for federal employees sued the OPM, arguing the agency had ignored repeated warnings to update its systems. A federal judge earlier this year ruled that while the OPM behavior was “troubling,” the federal employees weren’t able to show they’d actually faced a financial loss due to the government’s actions.

Peter Swire, a law professor at Georgia Institute of Technology, said banks have been more successful than individuals in collecting damages after cyber breaches. Banks are able to show how much they’ve had to pay out to cover fraudulent purchases.

After Target’s 2013 data breach, the retailer struck a deal with banks and credit unions, paying them $40 million to settle fraud claims from 40 million credit card numbers that were hacked.

“The banks have actually done the best,” said Mr. Swire.

Mr. Rosenzweig said there are few examples of individuals successfully collecting damages after a hack.

One occurred in 2012 when the 1st U.S. Circuit Court of Appeals ruled against People’s United Bank allowing one of its customers, Patco Construction Company, to be refunded after unauthorized withdrawals occurred from its account after a cyber attack.

The withdrawals had been flagged as high risk due to the location, amount and time but the bank didn’t notify Patco.

Legal experts expect the hacks to get worse as new technology enters the marketplace.

“The hacking is going to get into all sorts of consumer devises — driverless cars, medical devises, home security systems, I mean right now it is data held by Uber and it’s big industrial systems like power plants or waste water facilities, [but] in the next generation, it’s going to be vulnerability in the internet of things,” said Mr. Rosenzweig.

Mr. Swire said consumers should review their credit reports regularly in order to check for fraud.

“Every individual is entitled to see their credit report every year from each credit reporting agency, so my advice is for people to check their credit reports and make sure nobody is doing something under their name,” he said.

And according to the Federal Trade Commission, consumers should file their taxes as soon as possible in order to avoid tax identity theft, because compromised social security numbers can be used by thieves to collect tax refunds.