One of the obstacles to consumer class action lawsuits in response to data breaches has been that most individuals cannot demonstrate actual harm, where harm is defined by the courts in financial terms. As Judge D. Brock Hornby explained when he threw out most of the Hannaford Bros. lawsuit, Maine state law requires that there be a way for a court to attach an actual monetary figure to loss, and since it is not possible to put an actual monetary value on on time, frustration, and inconvenience, the lawsuit could not proceed.
The recent hacking and extortion attempt of the Virginia Prescription Monitoring Program, however, gives new meaning to “pain and suffering” that breach victims may suffer. As the Associated Press reports, some patients have been unable to get their prescriptions for painkillers or other medications filled because access to the database has not yet been fully restored even though pharmacists are still required to use it.
Now if and when the hacker is caught and prosecuted, I will bet dollars to donuts that the prosecutors will include victim impact statements about how people suffered because they could not get their medications as a result of the breach. But those very same people may not be able to get any measure of compensation in a court of law should they sue civilly? Perhaps this makes sense to lawyers, but thankfully, I am not a lawyer.