{"id":5630,"date":"2025-11-03T09:30:00","date_gmt":"2025-11-03T09:30:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5630"},"modified":"2025-11-03T09:30:00","modified_gmt":"2025-11-03T09:30:00","slug":"us-appeals-court-lowers-burden-of-proof-for-data-breach-lawsuits","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5630","title":{"rendered":"US Appeals Court lowers burden of proof for data breach lawsuits"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>An October decision of the 4th US Circuit Court of Appeals in Virginia has \u2014 yet again \u2014 altered the risk calculus of data breaches by easing litigants\u2019 ability to successfully sue breached companies in limited situations.<\/p>\n<p>The case involved an insurance company data breach that resulted in the driver\u2019s license information of almost 3 million customers being leaked. Until this appellate decision, most courts had ruled that having certain types of data stolen alone is not sufficient to prove damages. With such data, plaintiffs must provide proof of actual damage or evidence of actual fraud, the courts have mostly ruled.<\/p>\n<p>Whereas theft of private data, such as medical records, has automatically been considered damaging, most data available from a driver\u2019s license, for example, is public, with even a driver\u2019s license number not helpful to a fraudster, unless joined with other information to enable identity theft. 
Courts have ruled that plaintiffs must prove thieves had indeed accessed multiple pieces of information.<\/p>\n<p>The 4th Circuit softened that, ruling that because the attackers placed the information on the <a href=\"https:\/\/www.csoonline.com\/article\/564313\/what-is-the-dark-web-how-to-access-it-and-what-youll-find.html\">dark web<\/a>, that suggested a greater risk of actual fraud. Thieves willing to pay for such data wouldn\u2019t be willing to pay if they didn\u2019t have access to other data to complete fraudulent activity.\u00a0<\/p>\n<p>\u201cThe dark web, an anonymous online network for unregulated content and markets, is not a traditional method of communicating information like a newspaper or radio broadcast,\u201d the <a href=\"https:\/\/www.courtlistener.com\/opinion\/10704605\/christopher-holmes-v-elephant-insurance-company\/?q=ELEPHANT+INSURANCE+COMPANY\">4th Circuit judges ruled<\/a>. \u201cBut, not dissimilar to the internet more generally, it is a forum accessible to all \u2014 or at least to those with some degree of proficiency with computers. Information listed on it thus either reaches, or is sure to reach, the public or is close to doing so.\u201d<\/p>\n<p>Moreover, because one of the plaintiffs alleged the information was found to be for sale on the dark web, rather than published openly, which would limit its exposure, the judges explored whether the existence of a paywall should make a difference in terms of proving harm and concluded that it didn\u2019t.<\/p>\n<p>\u201cWe do not see why this should make a difference. One classic example of publicity in public-disclosure tort cases is listing information in a newspaper,\u201d the 4th Circuit judges ruled. \u201cYet many newspapers are only accessible with payment, too. We see no reason to treat the internet differently. 
Paywalled or not, information listed on the internet is ordinarily accessible to many.\u201d<\/p>\n<p>The panel also clarified what constitutes data being sensitive: \u201cUndoubtedly, a driver\u2019s license number is unlike the details of an affair or a medical condition. People do not consider their driver\u2019s licenses embarrassing and hand them to bartenders and waiters and police officers without hesitation.\u201d<\/p>\n<h2 class=\"wp-block-heading\">How CISOs should respond<\/h2>\n<p>Attorneys watching the case said there are various implications for what CISOs should do differently given the panel\u2019s ruling.\u00a0<\/p>\n<p>Cybersecurity consultant <a href=\"https:\/\/formergov.com\/directory\/brianlevine\">Brian Levine<\/a>, a former federal prosecutor who today serves as executive director of FormerGov, a directory of former government and military specialists, said this decision \u201cis yet another reason why <a href=\"https:\/\/www.csoonline.com\/article\/4046242\/a-cisos-guide-to-monitoring-the-dark-web.html\">CISOs should monitor the dark web<\/a>. It may be an early warning that they may be getting a lawsuit.\u201d<\/p>\n<p>That dark web information may also provide critical guidance for lawyers negotiating with plaintiffs. If the data is definitely not on the dark web, there is a better chance for dismissal and therefore a better chance that a lowball settlement offer may be accepted. But if the data appears on the dark web, that quickly changes.<\/p>\n<p>\u201cFor plaintiffs whose data was breached but not publicly disclosed, the court found no standing because the risk of future misuse was deemed too speculative. Emotional distress and time spent monitoring accounts were not concrete injuries without actual misuse or public exposure,\u201d Levine said. 
\u201cThis reinforces a high bar for plaintiffs in data breach cases who haven\u2019t yet suffered tangible consequences.\u201d<\/p>\n<p>This decision also forces CISOs to reevaluate how financially exposed the enterprise will be should a breach happen, said <a href=\"https:\/\/www.linkedin.com\/in\/raschcyber\/\">Mark Rasch<\/a>, a former federal prosecutor who specializes in technology legal issues. Prior to this 4th Circuit decision, \u201ca lot of enterprises thought that a data breach might be no big deal because the victims can\u2019t really demonstrate harm, so we don\u2019t need to worry.\u201d This decision changes that.<\/p>\n<p>The court created a new \u201cpublication versus theft\u201d dynamic, Rasch said, where a dark web publication of the information may be enough for a case to proceed. To be clear, the panel\u2019s decision involved whether plaintiffs would be allowed to proceed to discovery and other early stages of the court process.\u00a0<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/douglasabrush\/\">Douglas Brush<\/a>, a special master with the US federal courts, said that a critical factor behind these legal shifts is a flood of lawsuits initiated instantly when an enterprise announces a breach, long before meaningful details are known.<\/p>\n<p>CISOs have thought \u201c\u2018if we lose any of this data, there\u2019s blood in the water,\u2019\u201d Brush said. \u201cThe line CISOs must monitor is the shift from private possession to public accessibility. CISOs should track and document what becomes public, not just what was taken: screenshots, hashes, first-seen timestamps, and linkage to internal systems. 
That record now drives standing, class scope, and exposure.\u201d<\/p>\n<p>The case could unintentionally motivate attackers to threaten enterprises with dark web publication, giving them leverage to extort more money by suggesting that failure to pay will make the attackers publish and thereby strengthen plaintiffs\u2019 cases against the enterprise.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>An October decision of the 4th US Circuit Court of Appeals in Virginia has \u2014 yet again \u2014 altered the risk calculus of data breaches by easing litigants\u2019 ability to successfully sue breached companies in limited situations. The case involved an insurance company data breach that resulted in the driver\u2019s license information of almost 3 [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5631,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5630","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5630"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5630"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5630\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5631"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5630"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5630"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5630"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}