Natasha Bertrand reports:
A data-analytics firm hired by the Republican National Committee last year to gather political information about US voters accidentally leaked the sensitive personal details of roughly 198 million citizens earlier this month. And it’s now facing its first class-action lawsuit.
Deep Root Analytics, a data firm contracted by the RNC, stored details of about 61% of the US population on an Amazon cloud server without password protection for roughly two weeks before it was discovered by security researcher Chris Vickery on June 12.
The class-action lawsuit, filed by James and Linda McAleer of Florida and all others similarly situated, alleges Deep Root failed to “secure and safeguard the public’s personally identifiable information such as names, addresses, email addresses, telephone numbers, dates of birth, reddit.com browsing history, and voter ID number, which Deep Root collected from many sources, including the Republican National Committee.”
Read more on Business Insider.
So here’s the thing, again. Where’s the demonstration of injury? Spoiler alert: there doesn’t seem to be any. According to Bertrand, the complaint says that those exposed in the data breach may be vulnerable to identity theft and “a loss of privacy,” and argues that the “actual damages” exceed $5 million.
Well, a lot of courts have already held that increased probability of possible harm does not confer standing. And “loss of privacy?” Well, that should be a cognizable harm or injury, but is it?
As bad as this misconfiguration/exposure seems, is this a case of “what might have been” or a case of “what happened?” And either way, is what happened anything much more than publicly available information being made more conveniently publicly available?
Damages are the issue, but security measures might be taken more seriously if businesses had to shell out some real dough for screwing around with data, so attorneys are going to keep trying.