by LawInc Staff
October 1, 2024
Data broker National Public Data (NPD) is facing a class action lawsuit for allegedly failing to adequately protect the highly sensitive personal information of over 2 billion people. The case offers a masterclass in data privacy litigation, from the types of claims asserted to the legal duties and damages at issue.
Get up to speed fast on this high-stakes case, from the massive scale of the data allegedly exposed to the array of federal and state law claims involved. Learn what makes this privacy class action one to watch for anyone concerned about protecting personal data in the digital age.
1. Understand the Basics of the Case
-
- Who: Plaintiff Charles Geletko seeks to represent a class of roughly 2.9 billion people whose data was allegedly exposed.
- What: A database compiled by National Public Data containing names, birthdates, SSNs, addresses, relative info, etc. was reportedly breached.
- When: Breach discovered in April 2024, with data apparently collected and exposed prior to that date. Suit filed September 2024.
- Where: Filed in US District Court for the Central District of California. NPD is a Florida company that sells data access nationwide.
- Why: Plaintiff alleges NPD failed to properly secure the data, enabling the breach. Seeks damages and improved data security.
Key Allegations:
-
- Cybercriminal “USDoD” claimed to access and leak nearly 2.7 billion NPD records containing sensitive personal info like SSNs.
- NPD allegedly collects personal data from various sources without subjects’ knowledge or consent to compile and sell access to.
- Exposed data is already being leaked on hacker forums and the dark web where criminals can exploit it for identity theft and fraud.
- NPD has not notified affected individuals or explained the cause of the breach and remedial measures taken.
- Plaintiff and class face substantial risk of identity theft and must incur costs for credit monitoring, data removal, etc.
Why It Matters:
-
- The vast number of people potentially impacted makes this one of the largest data breaches ever, affecting nearly 1 in 3 people globally.
- Highlights risks of data brokers amassing huge troves of personal info, often without the subjects’ knowledge or ability to opt out.
- Sensitive data like SSNs in criminal hands creates major identity theft and fraud risks that can haunt victims for years.
- Even deceased people’s data was exposed, enabling criminals to commit “ghosting” fraud using their info.
- Shows importance of strong data security and breach response, as Plaintiff alleges NPD’s failures enabled the breach and compounded harms.
Key Takeaways:
-
- The colossal scale of personal data allegedly collected and exposed makes this case highly consequential for data privacy standards.
- Breach illustrates the major risks of data brokers compiling mass databases of personal info without subjects’ knowledge or consent.
- Underscores importance of robust data security measures and breach notification/remediation to protect people’s sensitive info.
- Shows how breaches can have ripple effects, with this data resurfacing on dark web and hacker sites where it can be exploited.
- Will be closely watched for court’s analysis of company’s legal duties re: data security and standing for massive class actions.
2. Examine the 8 Causes of Action Alleged
-
- 1. Negligence/Negligence Per Se: NPD allegedly had a duty to protect the PII (Personally Identifiable Information) yet negligently failed to do so as evidenced by the breach.
- 2. Unjust Enrichment: NPD was obligated to safeguard PII it collected and profited off of, so it’s unjust for it to retain the $$ benefit.
- 3. Invasion of Privacy: Public disclosure of Plaintiff’s PII was highly offensive and NPD acted with reckless disregard for privacy.
- 4. Breach of Third-Party Beneficiary Contract: Plaintiff was intended beneficiary of NPD’s contracts requiring data protection.
- 5. Breach of Implied Contract: NPD agreed to safeguard PII like SSNs but breached the implied contract by failing to do so.
- 6. CA Constitutional Right to Privacy: Plaintiff had reasonable expectation of privacy in PII that NPD breached by allowing exposure.
- 7. CA Consumer Legal Remedies Act: NPD engaged in unfair practices in collecting, selling PII with PII where it was susceptible to breach.
- 8. CA Unfair Competition Law: NPD’s privacy/security reps were unfair, fraudulent, and NPD profited off Plaintiff’s PII unfairly.
Elements Explained – Selected Claims:
-
- Negligence Per Se: Must show: 1) NPD violated a statute/reg (like FTC Act section 5 here); 2) The violation proximately caused the injury; 3) Plaintiff is in class of persons statute intended to protect; 4) Injury is type statute aimed to prevent.
- Unjust Enrichment: Requires: 1) NPD received benefit ($$ for PII); 2) at Plaintiff’s expense (his PII used); 3) under circumstances making it unjust for NPD to retain the benefit without paying.
- Breach of Implied Contract: An implied agreement can arise from parties’ conduct, here NPD collecting PII in exchange for an implied promise to safeguard it. Elements: 1) Plaintiff provided PII to NPD; 2) NPD failed to reasonably protect it.
- CA Consumer Legal Remedies Act:Prohibits “unfair methods of competition and unfair or deceptive acts or practices.” NPD’s collection and poor security of PII without disclosing breach risks could be unfair/deceptive practice.
- CA Unfair Competition Law: Forbids any “unlawful, unfair or fraudulent business act.” NPD’s inadequate data security and misrepresentations about security could violate the UCL.
How Laws Apply:
-
- NPD likely had legal duty to use reasonable data security measures, so its apparent failure to do so could be negligence.
- If NPD violated Section 5 of the FTC Act by misrepresenting its security practices, that could be negligence per se.
- By profiting off of selling access to Plaintiff’s PII yet failing to protect it as impliedly agreed, NPD may be unjustly enriched.
- If NPD contracted with third parties to properly secure data and didn’t, it could have breached those agreements, harming intended beneficiary Plaintiff.
- If NPD omitted known data breach risks when collecting PII, that could be an unlawful/unfair practice under the UCL and CLRA.
What to Watch:
-
- Which claims survive the pleadings stage and NPD’s likely motion to dismiss certain causes of action.
- The court’s analysis of NPD’s specific legal duties regarding data security as a data broker and whether they were breached.
- If the court finds Plaintiff has properly pled the elements of each claim based on NPD’s alleged conduct.
- How the court construes and applies California’s UCL and CLRA to data privacy issues like improper PII collection and security failures.
- The scope of damages available if Plaintiff’s claims succeed, from restitution to injunctive relief mandating security improvements.
3. Analyze the Alleged Damages at Issue
-
- Monetary Relief Over $5 Million: Amount in controversy exceeds $5 million given the large class size of 2.9 billion people.
- Actual Damages Incurred: Costs of credit monitoring, removing PII from data broker sites, lost time, out of pocket expenses, etc.
- Emotional Distress: Anxiety, anger, sleep issues, and other mental effects from breach.
- Benefit of the Bargain Losses: Plaintiffs deprived of benefits of having their PII collected and used with adequate data security promised.
- Injunctive & Declaratory Relief: Court orders mandating security audits/improvements and declaration of parties’ rights going forward.
- Punitive Damages: Potential exemplary damages to punish and deter if NPD’s conduct found malicious or oppressive.
- Attorneys’ Fees & Costs: Reimbursement of Plaintiff’s attorneys’ fees and litigation costs if certain claims succeed.
Examples from Complaint:
-
- Plaintiff and class must spend $355-395/year to automate data removal requests to get their PII off data broker sites after the breach.
- $200/year for credit monitoring services and $180/year for dark web scanning to detect and prevent identity theft post-breach.
- PII has lost value now that it’s been released and is no longer private – data like SSNs previously worth $40-363 per record.
- Lost time value for hours spent dealing with breach aftermath, like reviewing accounts, disputing fraudulent activity, etc.
- Breach inflicted stress, nuisance, annoyance, and lost productivity that can be compensated as general damages.
Legal Standards:
-
- To recover actual damages, Plaintiff must prove losses with reasonable certainty, though exact precision isn’t required.
- “Benefit of the bargain” compensation puts Plaintiff in position he’d be in had NPD upheld its end of the deal to protect data.
- Plaintiff doesn’t need to show actual identity theft/fraud to get damages – exposure to increased risk can be injury.
- Court can grant injunction if Plaintiff shows: 1) Likelihood of success; 2) Irreparable harm; 3) Balance of hardships favors Plaintiff; 4) Injunction serves public interest.
- For punitives, Plaintiff must show oppression, fraud or malice by clear and convincing evidence.
Factors to Watch:
-
- Can Plaintiff prove class members suffered real, non-speculative harm despite no claims of actual identity theft so far?
- How will court quantify hard-to-measure damages like emotional distress, lost PII value, and annoyance?
- Will benefit of the bargain damages apply in an implied contract where Plaintiff never directly dealt with NPD?
- Can Plaintiff show likelihood of future harm and inadequate legal remedies to warrant an injunction?
- Does NPD’s conduct in allegedly misusing PII and hiding breach risks rise to level deserving of punitive damages?
4. Understand What’s at Stake in the Case
-
- Potentially Billions in Damages: Even modest per-person damages could yield a massive total given the enormous class size.
- Judicially-Mandated Security Improvements: A plaintiff win could force NPD and other data brokers to upgrade practices.
- Curbing Unauthorized Data Collection: Case targets data brokers’ core business model of compiling data without consent.
- Clarifying Data Broker Duties: Court rulings will help define the data security obligations data aggregators owe consumers.
- Vindicating Privacy Rights: Holding companies accountable for misusing personal data and hiding breach risks.
Broader Impacts:
-
- Case could set precedent for legal remedies available in future data broker breach cases.
- Plaintiff victory may open floodgates to more class actions against data aggregators, increasing their litigation risk.
- Security upgrades and reforms that result could become de facto industry standards.
- Court rulings will clarify scope of implied contracts between data subjects and brokers and when they are breached.
- Case brings attention to largely unregulated data broker industry and may spur calls for targeted privacy legislation.
Key Questions:
-
- Will the unprecedented scale of the class and PII at issue make the court more or less inclined to certify the class?
- How will the court deal with potential variations in state law for a nationwide class asserting some state law claims?
- What level of culpability does NPD need to have shown regarding the breach to warrant the remedies sought?
- How much weight will the court give FTC data security standards in assessing NPD’s duty of care and alleged negligence?
- If NPD is hit with a huge damages verdict, will it drive smaller data brokers out of business or spur consolidation?
Potential Outcomes:
-
- Court certifies a class, Plaintiff wins on key claims, and NPD pays massive damages and enacts major security improvements.
- Court substantially narrows the class or dismisses some claims, reducing NPD’s exposure and weakening precedent.
- Parties reach a settlement where NPD pays a smaller sum and agrees to moderate security upgrades and reforms.
- NPD succeeds in compelling arbitration and avoiding court, minimizing potential class-wide liability.
- Court splits the difference with a modest class-wide award and declaratory judgment on data broker duties without injunction.
Summary
The class action against National Public Data for its massive data breach will be a defining case in privacy law, testing the data security obligations and liability exposure of data brokers dealing in billions of people’s personal information.
With an unprecedented class size, a wide array of legal claims asserted, and the potential for billions in damages, the lawsuit will have major ramifications for the largely unregulated data broker industry and the privacy rights of all those whose information they trade in.
The case bears close watching for the court’s analysis of the common law, statutory and constitutional duties—if any—that data collectors like NPD owe to data subjects to safeguard their PII and the scope of harm needed to hold them liable when those duties are breached. The outcome could reshape the data broker landscape.
Test Your Data Breach Class Action Knowledge
Questions:
-
- 1. What must a plaintiff show to have standing to sue over a data breach?
- A) The plaintiff’s data was definitely stolen and misused
- B) Evidence of falsified accounts or ID theft in the plaintiff’s name
- C) A concrete injury or substantial risk of imminent harm
- D) Actual financial losses like fraudulent credit card charges
- 2. What factor tends to demonstrate a company’s negligence in a data breach?
- A) The company used industry-standard encryption protocols
- B) It trained employees annually on data security
- C) It failed to patch a known vulnerability
- D) It notified affected consumers within 30 days
- 3. What’s a common damages theory asserted in breach litigation?
- A) Trespass to chattels
- B) Breach of the implied warranty of merchantability
- C) Violation of the covenant of good faith and fair dealing
- D) Unjust enrichment
- 4. Which law has the FTC used to set data security standards?
- A) The Fair Credit Reporting Act
- B) Section 5 of the FTC Act
- C) The Gramm-Leach-Bliley Act
- D) The Computer Fraud and Abuse Act
- 5. What’s a hurdle for data breach class actions?
- A) Satisfying Rule 23(a)’s typicality requirement
- B) Showing classwide proof of actual harm
- C) Overcoming potential arbitration clauses
- D) All of the above
- 1. What must a plaintiff show to have standing to sue over a data breach?
Answers:
-
- 1. C) Courts have held a data breach plaintiff has standing by plausibly alleging the breach caused actual, concrete injury OR substantial risk of imminent harm, even without proven misuse of their data yet.
- 2. C) Failing to patch a known security vulnerability that enables a breach can demonstrate negligence, while using proper encryption, training, and notification protocols tends to show reasonable care.
- 3. D) Unjust enrichment is a common quasi-contract claim in data breach cases, arguing it would be inequitable for the company to retain benefits obtained from the plaintiff’s data if it failed to secure that data as promised.
- 4. B) The FTC has used its authority under Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices,” to bring enforcement actions over inadequate corporate data security measures.
- 5. D) Data breach class actions can face multiple certification hurdles, including showing the class rep’s claims are typical, that common issues predominate over individual ones, and that the case should stay in court rather than be compelled to arbitration.
Key Takeaways
The National Public Data breach class action raises major issues re: the duties and liabilities of data brokers dealing in billions of people’s information. It will be closely watched for the court’s handling of:
-
- The standing and class certification standards in massive data privacy suits
- The scope of harm needed to sustain claims like negligence, contract breach, unfair practices
- Whether data brokers have implied obligations to data subjects they don’t directly interact with
- The application of state and federal consumer protection laws to data security failings
- The availability of damages theories beyond proven financial loss for breach victims
With so much at stake for a largely unregulated industry that trades in most people’s personal data, the precedent set could reshape privacy law and the risks of collecting mass troves of sensitive data in the digital age. The litigation bears watching as it unfolds.
Also See
Brain Data Not for Sale in California: How SB 1223 Safeguards Your Neural Privacy
Alarming Allegations: Lawsuit Claims Verizon Secretly Collected Customer Voiceprints
Alarming Allegations: Lawsuit Claims Verizon Secretly Collected Customer Voiceprints
Follow LawInc on Instagram
View this post on Instagram