In-brief: a 2013 ruling by the Supreme Court that limited the right of Amnesty International to sue the government for damages caused by the actions of the secretive Foreign Intelligence Surveillance Act (FISA) court is being used by Home Depot to question consumers’ right to sue for damages related to a massive theft of credit cards from that company in 2014.
Add this one to the long list of “Unintended Consequences of Supreme Court Decisions”: a landmark ruling involving the actions of a secretive government terror court used to disenfranchise consumers who were the victims of the hack of a prominent retailer.
Huh? Exactly. But that’s the way things are panning out down in Atlanta, where home improvement giant Home Depot is challenging a lawsuit brought by customers whose data was exposed in a massive data breach in September, 2014. In essence, Home Depot is arguing that the consumers don’t have standing to bring suit because they can’t prove harm from the breach – the same suit that the government used to defeat an effort by Amnesty International to bring suit against the U.S. government over the conduct of the Foreign Intelligence Surveillance Act (FISA) court.
The news comes out of a suit filed in May by a group of consumers alleging gross negligence by Home Depot which led to the theft of credit card number. The case has been covered faithfully by The Atlanta Business Chronicle. As I wrote over at the Digital Guardian blog: Home Depot in late May asked the U.S. District Court for the Northern District of Georgia to dismiss the case, citing Clapper vs. Amnesty International, a 2013 case in which Supreme Court ruled, in a 5-4 decision, that the plaintiffs lacked standing to sue the Federal Government, as they couldn’t prove harm as a result of the actions of the secretive FISA court.
In the case of Home Depot, the district court was asked to rule that the individuals suing the retail giant similarly couldn’t prove they were damaged as a result of having credit card information stolen from the store.
“Plaintiffs lack Article III standing because they have suffered no actual or imminent economic injury that is fairly traceable to Home Depot’s alleged conduct. Therefore, Plaintiffs’ claims fail
under the Supreme Court’s decision in Clapper v. Amnesty Int’l USA, and the Complaint should be dismissed with prejudice,” Home Depot’s motion reads.
Home Depot’s argument rests on a couple points that were also raised in the Clapper vs. Amnesty case. First: that there is no real harm caused because “the few plaintiffs who allege some economic harm fail to explain why the losses they allege were not reimbursed.” That’s an apparent reference to the U.S. law that requires consumers to not be held liable for fraudulent charges on their credit cards. That, Home Depot argues, fails the Supreme Court’s charge, in Clapper, that alleged injuries must be “concrete, particularized, and actual or imminent.”
[Read more Security Ledger coverage of data breaches here. ]
The second point made by Home Depot is that the individuals who claim they were injured base their claims on “the hypothetical future acts of third parties, which the Supreme Court held in Clapper is insufficient to establish Article III standing because such conduct is not ‘fairly traceable’ to the defendant.”
In other words: even though it is clear that cyber criminals 1) compromised Home Depot’s network, 2) stole credit cards on millions of its customers and 3) foist those numbers upon cyber criminal exchanges after which they were used for fraudulent purposes, the plaintiffs in the case can’t prove that Home Depot’s failure to secure its network was the direct cause of the fraud. The plaintiffs “statutory claims fail because they have not identified any deceptive act by Home Depot and do not allege any actual damage flowing from Home Depot’s purported delay in providing notice.”
Needless to say: this is a pretty cynical argument. For one thing, Home Depots “failings” are more than hypothetical. Stories like this one in the New York Times document a long history of failings and repeated warnings from IT staff at the company about its lack of attention to securing its point of sale terminals and other infrastructure.
More important: it is an argument that overlooks the myriad of “damages” that flow from security breaches of this sort – from legal fees to lost productivity to emotional hardship.
This 2013 report from the Bureau of Justice Statistics found that identity theft cost Americans $10 billion more in 2012 than all other property crimes put together. That report measured both direct and indirect losses tied to identity theft: both the money thieves got by misusing a victim’s personal info or account information and follow on costs like legal fees and bounced checks written against mysteriously and suddenly emptied bank accounts.
It is unclear how the court will rule on the motion. The court has already taken the somewhat unusual step of separating consumer complaints against Home Depot from those of the company’s business partners, who also allege billions of dollars in damages as a result of the breach.