This post has been brewing for a while, but the catalyst finally came after someone (I'll refer to him as Jimmy) recently emailed me regarding the LOQBOX data breach from 2020. His message began as follows:
I am currently in the process of claiming compensation for a severe data breach which occurred on the 20th February 2020
Now I'll be honest - I had to Google this one. There are so many data breaches today that I have trouble keeping track of them and there was nothing noteworthy whatsoever about this one that caused it to stick in my memory. Turns out there were a bunch of tweets mentioning me in this context in Feb 2020, but that was all. The data never began circulating within the usual hacking groups, it never turned up publicly and thus never appeared in Have I Been Pwned (HIBP). As far as breaches go, it was a bit of a non-event. But not to Jimmy.
Jimmy was seeking compensation and he'd reached out to me because LOQBOX had referred him to HIBP and, allegedly, used the absence of their breach as a defence for why compensation was not due. I suspect they may also have pointed to the other 6 data breaches Jimmy's email address was in and suggested that should he suffer any breach-related adverse consequences, it would be near impossible to establish which breach was the cause of this.
I want to make my views on this crystal clear: I'm dead against individuals like Jimmy attempting to suck money out of a company that's been breached unless there is clear and quantifiable harm that can be traced back specifically to that incident. Now, I'm not a lawyer, so that means I can look at this with common sense instead of as a means of lining my pockets. I've had many, many discussions with class action lawyers reaching out for information on breaches and the question I always ask (which they can never give me a non-bullshit answer on), is "what specific harm has occurred to individuals as a direct result of this breach?" Knowing there was no way he'd break the non-bullshit pattern, I put this to Jimmy:
What has the impact been on you that’s resulted in the compensation claim?
I was right; the response amounted to the following:
Here in the UK we are covered by data protection laws and this includes non-financial distress knowing that our data is now in the hands of criminals and being sold, misused etc.
C'mon, seriously?! A data breach made you sad and now you want money for being sad? Was there any actual impact on Jimmy?
I have received an increase in spam, and an increase in unsolicited phone calls to my number etc. I have to be aware that phishing scams may be used against me.
For fuck's sake Jimmy. There are 3 massive problems with this and I suspect LOQBOX used HIBP to demonstrate the first one: there are 6 other data breaches Jimmy appears in on HIBP. If he's received more spam as a result of a breach, which breach was it? LOQBOX? Or one of the other ones? Also, there are 6 other breaches we know Jimmy was in, how many more are there we don't know about? The only answer to that question is "we don't know"; Jimmy doesn't know, LOQBOX doesn't know and his lawyers sure as hell don't know. Nobody knows. So how is it that Jimmy is so convinced LOQBOX is responsible for emails and phone calls he doesn't want?
The second problem is that you don't need a data breach to get spam, unsolicited phone calls or phishes. Based on the age of some of the breaches Jimmy is in, he's had that email address for many years; how many places has he left it after agreeing to the terms and conditions he didn't read? (No offence to Jimmy on that, nobody reads the terms and conditions.) How many places did his personal data then flow to? How many times was his information published somewhere publicly for other purposes? Happens all the time. Spam, unsolicited phone calls and phishes don't just come from data breaches and it's enormously difficult to reliably attribute them back to a source.
The third problem is the assumption that due to him now being in a 7th data breach (that he knows of), he needs to start being "aware that phishing scams may be used against him". Seriously? Like if Jimmy wasn't in a data breach he wouldn't need to worry about phishing? Like I said earlier, bullshit.
But I pushed on, because I'm a curious guy:
How have you attributed spam and phishing emails back to the LOQBOX breach as opposed to another breach or obtaining your personal info from another source?
I've seen cases, for example, where people have used service-specific email addresses thus having a high degree of confidence where their email was exposed if they suddenly start receiving spam. I've also seen cases where very specific data attributes only present in the breached service were then abused. Maybe Jimmy had evidence of this?
There would be no way to attribute the spam and phishing emails back to LOQBOX solely, the claim is based on the distress caused by the loss of data which is provided for in law as a non-material damage.
Ya reckon?! So if there's no way to attribute the nasty stuff back to this breach, what's the point of the legal action? It soon became clear:
Damages are already quantified into brackets in the UK; courts see minimal distress as being the lowest level of compensation with damages awarded up to £2000 and financial loss as the highest as these are easier to prove, where damages awarded can be in the tens of thousands.
You know what this is? It's called ambulance chasing:
Ambulance chasing is a term which refers to a lawyer soliciting for clients at a disaster site. The term "ambulance chasing" comes from the stereotype of lawyers who follow ambulances to the emergency room to find clients. "Ambulance chaser" is used as a derogatory term for a personal injury lawyer.
Here's a perfect illustration of this: try a Google search for "loqbox data breach" and within the very first results, you'll find the following:
In the first result above, there's a section on why you should claim compensation:
Holding them accountable is what the Information Commissioner's Office is for and the first link in this post to The Register's story advises that LOQBOX has already been in contact with the ICO. They're in a position to level penalties against organisations who've suffered breaches and indeed they've done this many times before, for example against TalkTalk and also against Carphone Warehouse. Same for "forcing companies to implement better data security"; this is the regulator's job, not Jimmy's.
Let me pause here and emphasise an important point: I'm all for organisations who've suffered data breaches due to security lapses being slapped with penalties. Absolutely 100% the book should be thrown at them by regulators. What I'm not for is people looking at a security incident like this and seeing it as an opportunity to cash in for personal gain after suffering absolutely no losses whatsoever. "Distress" is a bullshit reason and were it not for the opportunity to make a few quick bucks, I'd argue that "distress" never would have crossed their mind.
One of the other lawyer ads had this gem to offer:
Of course it could have been avoided - every data breach could have been avoided! And of course LOQBOX could have done more; they could have done whatever it was that led to this breach better. Every single data breach occurs as a result of human error somewhere in the process of building and managing the service. Every. Single. One.
Part of the problem with these class actions is that they present no downside to the claimants. Every single one of those ads makes the following promise:
That last point nails it - what does Jimmy have to lose by having a red hot go at LOQBOX? Nothing, he only has everything to gain.
Fortunately, ambulance chasing in this form often fails miserably. For example, a class action against the Marriott fell apart for precisely the reasons I've argued above:
The Court dismissed Plaintiff’s claims for lack of standing, holding that Plaintiffs failed to plausibly allege that their alleged injuries were fairly traceable to Marriott’s conduct—an essential element of standing.
A 2015 suit against eBay failed for similar reasons:
For such a lawsuit to be successful, however, legal experts say plaintiffs must typically prove - per what's known as Article III standing - that they suffered an actual or threatened injury
But as I said earlier, I'm in no way against penalties being issued to firms that suffer data breaches and outcomes such as the FTC achieved against Equifax seem quite reasonable. This was a case where Equifax didn't just fall well short of their obligations to secure customer data in the first place, but they did a woeful job of handling the incident after the fact. The "up to $425 million to help people affected by the data breach" settlement seems fair in this case and it was achieved by an independent government agency, not by lawyers looking to cash in.
There will, of course, be many cases that are simply settled out of court and we may never know the result. I dare say this is often the desired outcome of these class actions; strike a deal that's appealing enough to avoid extensive court time, give those in the breach who joined the action a pro-rata'd slice of the settlement and the law firm keeps a big chunk of coin themselves without ever seeing a courtroom. Each one of those lawyer advertisements earlier on is there for one reason and one reason only: to make money for the firms involved. They're not charities, this isn't for good will, it's simply business.
Curious as to how other people felt, I put out a simple poll whilst writing this blog post:
How do you feel about class actions being brought against companies that suffer a data breach? Specifically, when there is no demonstrable impact such as identity or financial theft, only "distress". This is separate to regulatory action. Example: https://t.co/LajgclGfOv
— Troy Hunt (@troyhunt) April 3, 2021
It's not an overwhelming result one way or the other, but clearly the bias leans towards my views on the matter. The comments left in response to the poll tell a fuller story:
Other: Companies that gather customer data should be regulated, and actions against companies that suffer a data breach should be regulatory actions.
— Adam A (@ghedipunk) April 3, 2021
I believe it is hard to genuinely answer this for all cases in general. If a company has done their due diligence to prevent such breaches as much as possible, I don’t think it is fair to sue them, especially if there is no demonstrable impact. They are victims as well after all.
— Jan Tytgat (@jantytgat) April 3, 2021
To me, the specific of having no demonstrable impact makes all the difference.
— Chris Larsen🇨🇦🇩🇰 (@thechrislarsen) April 3, 2021
Privacy lawyer here. Litigation is an inefficient means to protect the public and promote good cybersecurity. A regulator with expertise and a sense of duty is probably the best option. I’ll list a few reasons why.
— Jade Buchanan (@Jade_Buchanan) April 3, 2021
That last one is particularly good and I encourage you to read the remainder of Jade's thread. Class actions being targeted at "big, headline grabbing breaches" that don't involve harm to the individual, with only small payouts ultimately being achieved, give you a sense of the pointlessness of it all. Jade's observation about "fairness" in terms of regulatory penalties incentivising better security without destroying businesses, whilst class actions instead focus on damages, absolutely nails one of the key concerns I raised earlier on. Just read it, it's a great thread.
Other than the sleazy selfishness of the whole situation, what really worries me about this practice is the perverse incentives it creates for breached organisations; what does it do to their desire to report honestly if, in addition to regulatory action, customers could go to town on them in a class action? And more specifically, lawyers such as those above are pursuing LOQBOX with absolutely zero evidence whatsoever that the breach had any impact on their customers beyond making them a bit upset (AFAIK). Whilst regulators have a specific framework to work within and industry precedents will help dictate penalties, private law firms seeking out pitchfork-wielding data breach victims is a much more unpredictable beast.
And that's exactly what I told Jimmy. He replied with another email about the distress he was suffering knowing that criminals have obtained his data and that regardless of my views, I really should add LOQBOX to HIBP. I explained (again) how I can't add data I don't have and that to the best of my knowledge, it's not circulating anywhere. I left him with one final suggestion:
Perhaps now knowing that the data isn’t in broad circulation will help alleviate your distress.