Welcome
Privacy & Data Security Law News

INSIGHT: DASHBOARD Act Could Be Unintended Game Changer for Data Breach Valuation

Oct. 11, 2019, 8:01 AM

In 1999, Scott McNealy, founder and CEO of Sun Microsystems, said “You have zero privacy anyway. Get over it.”

Twenty years later, consumer advocacy groups and the plaintiffs’ bar haven’t “gotten over it.” Neither have Sens. Mark R. Warner (D-Va.) or Josh Hawley (R-Mo.). They’ve introduced legislation that would impose significant new requirements on “commercial data operators,” those companies with more than 100 million monthly active users.

Dubbed the Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data (DASHBOARD) Act, the legislation would require businesses to:

  • Disclose—to users and to the Securities and Exchange Commission—the types of data collected;
  • Disclose all the ways in which the data is being used, including uses not directly related to the particular online service;
  • Disclose any contracts with third-party data collectors;
  • Allow users to delete all, or individual fields of, data collected; and
  • File an annual report on the aggregate value of the user data collected.

To implement the valuation requirement, it empowers the SEC to develop methodologies for calculating data value to accommodate different data uses, industries, sectors, and business models.

The Act recognizes that, while user data has become increasingly valuable, there is very little transparency about how it is collected, bought, sold and valued.

While much of the commentary on the Act to date has focused on compliance challenges, this article focuses on the impact compliance will have on America’s most frenetic data privacy battleground: U.S. courts. The act’s valuation disclosure requirement could fundamentally change how damages are demanded, calculated, and awarded in data breach litigation.

Aggregate Data

In 2017, the U.S. digital advertising industry reported $83 billion in revenue. Divide that by the 287 million U.S. internet users, and the average digital ad revenue user is $289 per year. Facebook alone generated nearly $27 billion in revenue ($20 per monthly active user) through its advertising products. Meanwhile in 2016, Equifax, Experian, and TransUnion reported revenues of approximately $3.1 billion, $4.55 billion, and $1.7 billion, respectively, from collecting and brokering Americans’ credit information.

Advertisers are paying not only for personal data, but also for distribution of ads to users’ platforms (i.e., well-targeted access to users’ eyes and ears). Knowledge of a user’s browser history and other criteria help advertisers decide which ad to display where. The price of the particular placement is auctioned off in real time to the highest-paying bidder and then is immediately loaded onto the user’s screen.

The most valuable placements are those that connect advertisers to users most likely to consume. Researchers at the University of Rochester Simon School of Business recently compared ads presented to users who did not allow tracking cookies (i.e., users the ad buyer had no behavioral data on) with ads presented to users who allowed tracking cookies. On average, ads served to “opt-out” users went for 59.2% less than those served to “opt-in” users. By curating data from multiple sources, digital marketing companies are better able to determine each individual’s propensity to make a particular purchase.

Individual Data

While we have a good understanding of the value of data-driven advertising in the aggregate, valuing an individual’s personal data remains difficult. There are no (legal) data marketplaces where individual information is transparently priced and traded.

Instead, we have to extrapolate from the value of aggregated data, or rely on anecdotal information from the dark web. On the dark web, the going rate for user information varies, from $5 for a simple credit card number to $2,000 for a U.S. passport. Leaving aside the illegality, dark web “valuation” is problematic because of this variety and because personal information is bought and sold in multiple ways, including individual, bulk, and bundled.

Data Breach Litigation

The difficulty of valuing an individual’s personal information is manifest in data breach and privacy litigation damage claims.

Plaintiffs typically assert that the misappropriated information creates risk and associated mitigation cost (e.g., credit monitoring), and also that the value of their information has been diminished by being compromised.

Putative class representatives have to establish first standing to sue, which requires showing that they—individually—have suffered actual damages. Litigants and the courts have struggled to find actual, individualized damages from data falling into unauthorized hands.

The “analysis” of this issue has occurred mostly at the pleadings stage—long before experts have issued reports or been deposed, and far removed from any jury. Thus, while more than 1,100 data breach lawsuits were filed in 2018 alone, we still do not have juries calculating the value of personal information and awarding damages. The fear of that unknown has resulted in multi-million dollar class action settlements—e.g., Equifax at $671 million; Target at $28.5 million; Anthem at $115 million; and Uber at $148 million.

Sunlight as Disinfectant

The premise of the DASHBOARD Act is that Americans are unknowingly, and therefore unwillingly, giving large businesses their personal information because they don’t understand the value of their information, and because businesses have concealed, or worse, misrepresented, their collection and use of this information. By requiring significant public disclosures, the Act will inform the valuation of individual’s personal information.

Rather than the gross speculation that has passed for damage claims in lawsuits to date, real valuation information—that can be studied and analyzed, compared and scrutinized—could be available to plaintiffs and defendants alike, as well as judges and juries.

Plaintiff’s lawyers will be able to assemble putative classes based on the nature and extent of a class member’s online presence. Finally able to calculate damages, defense lawyers and insurers may seek to “pick off” a named plaintiff or challenge class certification, facilitating subclasses and earlier settlements. Moreover, to the extent that it informs a “worst-case” liability scenario, a defendant may be more willing to try a lawsuit, which often brings down the value of class action settlements.

Justice Louis Brandeis noted that “sunlight is said to be the best of disinfectants.” And some of us still believe that our adversarial system is, fundamentally, a search for truth through the clash of ideas and arguments. The evaluation of damages, particular for massive plaintiff classes, should be informed by more than speculation based on hearsay from an illegal marketplace.

The real, current, and comprehensive valuation information developed as a result of the DASHBOARD Act would be a vast improvement.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Jason Scheiderer is a partner in Dentons’ Litigation and Dispute Resolution practice and Privacy and Cybersecurity team and focuses on complex commercial litigation. He also serves on Dentons’ diversity and inclusion committee and ethics committee, and is resident in the firm’s Kansas City, Mo., office.