But as I was looking at two unrelated privacy legal filings on Friday, I was struck by the different legal tactics and the very different probability of success.
When the topic is lawsuits, though, it's critical to get a clean definition of "success" at the very start. The plaintiffs here were all consumers. Is the objective to make the consumer whole, in the sense of getting them to the point financially where they would have been had the data privacy booboo never happened?
Is it to make it much more likely that the wrong will never be repeated, sparing other consumers the headache? Is it to make money for the consumer? Is it, dare I say, to make money for the law firms?
The recent TJX lawsuits, for example, could be said to have failed for their consumer plaintiffs on all of those objectives, other than making money for the law firms and even that money was rather paltry.
As has been noted in this column many times, these lawsuits have an uphill battle for two reasons. There is currently no federal law—and Minnesota's is the only state law that even comes close—that requires businesses to protect consumer data. So the accusation that a retailer or other business was reckless in protecting consumer private data is nice sounding, but there's no law that says businesses have any such obligation.
Until some privacy laws with real teeth are passed, these privacy incidents will continue to happen. Indeed, their frequency will sharply increase as this legal loophole is understood by more businesses.
The second problem with these consumer data privacy litigation efforts is that there is rarely any true monetary loss. The actions are more galling and infuriating than actually take-money-out-of-a-consumer's-pocket costly. There are lots of potential true monetary losses but almost no provable ones.
Even if a consumer was ripped off for, let's say, $2,000 because of information the merchant let loose, the retailer (or bank) would simply refund that $2,000 and eliminate the loss.
That all said, let's look at two pieces of litigation that were filed last week, in connection with two unrelated privacy breaches from three deep-pocketed companies: $52 billion Sears, $41 billion Sprint and $36 billion Wells Fargo.
The Sears lawsuit was a result of one of the two Sears data privacy breaches confirmed last week: a hidden spyware campaign and a feature that allowed consumers to look up other people's Sears purchases.
Specifically, it was a response to the ability to have a consumer's Sears purchase history displayed to anyone who knew the consumer's name, phone number and street address. On Friday, Sears shut down the part of its site that revealed that data. But not before lawyers from the New York City-based KamberEdelson were able to file papers.
The lawsuit—filed on behalf of New Jersey resident Christine Desantis—concedes that the consumer lost no money but that she might—possibly—in the future. (There are those cynical sorts who might say, "Fine. When she does lose money, then file the lawsuit," but I won't go there yet.)
The lawsuit then tried to list the flaw's consequences, which it identified as "staggering." What do they consider so staggering? Let's take a look.
Point one, quoting from the lawsuit filing: "A nosy person can find out how much his neighbor spent on a new washing machine or lawnmower."
Point two: "Marketing companies can mine the (Sears) Web site for data about Sears customers in order to transmit detailed advertisements for additional products and/or warranties."
Point three: "Hackers can systematically access this data for much more insidious purposes. They can use the data to commit fraud by, for example, sending e-mails or making phone calls purporting to be from Sears alerting individuals to a recall of a specific product. They then can use the information they have obtained from Sears's website to gain trust over the unsuspecting victim and obtain access to a person's credit information, social security numbers or even a person's house." True, but it's hypothetical until it happens.
My personal favorite, whose logic escapes me: "Desantis and the members of her class were damaged by Sears's misconduct, inter alia, because the value of the products and services they purchased from Sears was diminished because Sears made publicly available their personal information connected to those purchases. Put simply, a dishwasher costing $1,000 is worth less than an identical dishwasher where the first purchaser's private purchase information is made public."
Let me see if I understand this. Let's say I purchase a $5,000 52-inch plasma TV. Is that set suddenly worth less if my nosy neighbors learn its price? (My life is certainly worth less if my wife discovers the price, but that's a different issue.)
Then there's the "how much are you asking for" part of the filing: "The aggregate amount at issue is (less than) $5 million collectively, even when factoring in the cost of the injunctive relief and the request for attorneys' fees. Further, no individual in the class is seeking more than $75,000 for him or herself, all types of relief included." No one is seeking more than $75,000? How comforting.
Now let's compare it with the case of Theodore D. Karantsalis, a librarian from Miami, Florida. His case started last month when he received this letter from Sprint Nextel.
The letter told Karantsalis that "a customer logged in through the Checkfree service on the Wells Fargo banking website and, when they clicked on the link to see their current Sprint invoice, they were erroneously presented with your invoice instead. The customer called to report this to Sprint immediately. This issue was caused by a system coding error that mixed up two invoices when two customers were on the system at the same time with the same billing cycle."
Asked the consumer: "I'm not even a customer of Wells Fargo bank. How did they get access to my private information?"
Karantsalis added: "The right to privacy is a personal and fundamental right protected by the Constitution." Not so sure it does that. This is one of these implied rather than explicit rights. Need to leave that one up to the U.S. Supreme Court. *gulp*
Here's where the contrasts get interesting. Instead of retaining a law firm, Karantsalis filed the lawsuit himself, but he did it in small claims court and he's suing for exactly $597.
When I first saw this filing—Karantsalis e-mailed it to us and, presumably, a bunch of other journalists as well—I dismissed it as trivial but then it grew on me. A small claims filing sidesteps a lot of legal nonsense that large firms opt for. It also delivers any monies received directly to the consumer.
More importantly, a small claims court judge is more likely to think in terms of fairness and often has more latitude. But the best issue is that it's small enough to not merit Sprint or Wells Fargo fighting it. Unlike Desantis, Karantsalis has a decent shot at getting some dollars and at getting those dollars sometime soon.
Until the laws are changed, what can consumers do to dissuade companies from treating their privacy recklessly? Voting with their purchases seems to be something that most consumers are unwilling to do, if TJX is any indication. Consumers will gleefully say they won't support retailers who treat their data recklessly, but earnings reports suggest they certainly don't actually do it.
But what if every consumer who was so victimized filed a small claims court lawsuit locally? It would likely deliver more to those consumers—remember the $15 checks to the consumer TJX victims?—and would collectively cost the retailers more. I hate to suggest such a move, but clearly something has to be done. In a battle for world domination between lawyers and librarians, my money's riding on the librarians.