Dark Web Listings Can Now Trigger Data Breach Lawsuits, US Court Rules

Last updated: November 3, 2025
Radar Rundown
  • The 4th US Circuit Court of Appeals in Virginia has made it far easier for data breach victims to sue, ruling that the sale of stolen data on the dark web itself constitutes a “substantial risk” of harm.

  • The court established a “publication vs. theft” dynamic. Simply having data stolen wasn’t enough, but offering it for sale now qualifies as an imminent threat that grants victims standing to sue.

  • The decision overturned previous dismissals in a case involving 3 million exposed driver’s licenses, signaling that even common PII can be a liability if marketed to criminals.

US Appeals Court Makes Data Breach Lawsuits Easier

The 4th US Circuit Court of Appeals has, once again, altered the risk calculus for cyber attacks, allowing litigants to pursue legal action against breached organizations in certain circumstances.

The incident involved a recent cyber attack on an insurance company that exposed the driver’s licenses of nearly 3 million clients. Before the appellate ruling, several courts had ruled that having specific types of data stolen is not, on its own, enough to prove damages. Those courts ruled that, in addition to the theft itself, litigants must provide evidence of actual damage or proof of actual fraud.

Notably, courts automatically treat the theft of certain personal data, like medical records, as damaging. However, the majority of the data on a driver’s license is considered public, and hackers would need to combine it with other data to successfully perform identity theft.

The Recent 4th US Circuit Court of Appeals Adjustments

In the recent ruling, the 4th Circuit Court concluded that threat actors posting these credentials on the darknet implied a higher risk of actual fraud. The court added that threat actors who agree to pay for such data would only do so if they have access to other credentials to complete fraudulent acts.

One of the litigants alleged that a hacker posted their data for sale on the dark web, rather than publishing it openly. After considering whether the presence of a paywall should affect proof of harm, the judges did not conclude that it had no effect.

Furthermore, the judges clarified what makes data sensitive, stating that a driver’s license number is not like information about a medical condition or an affair. The panel even noted that people usually provide their licenses to waiters, bartenders, and police officers without hesitation, and do not consider them embarrassing.

Attorneys Respond to the Case

Attorneys following the case commented that the panel’s ruling has consequences for what CISOs should do differently.

Brian Levine, a cybersecurity consultant and former federal prosecutor who is currently the executive director of FormerGov, also commented on the matter. Brian explained that this ruling “is one more reason why CISOs should consider the dark web.”

He believes this dark web information could also be very helpful for lawyers negotiating with a plaintiff. If the data is definitely not on the dark web, there is a better chance of dismissal and, in turn, a better chance that a very low settlement offer is accepted. However, if someone breaches the data, the dynamic changes rapidly.

Mark Rasch, a former federal prosecutor who now works on technical cases, wrote about the case that it requires CISOs to think about how financially exposed the company will be if a cyber incident transpires.

Our Take on It

This ruling fundamentally expands corporate liability by legally acknowledging the dark web as a direct extension of a data breach. The immediate financial risk to a company now crystallizes not when a hacker first steals data, but the moment that data is listed for sale. That makes proactive dark web monitoring a non-negotiable component of legal defense and financial risk assessment, moving it from an intelligence function to a core fiduciary duty.

About the Author

Memchick E

Digital Privacy Journalist

Memchick is a digital privacy journalist who investigates how technology and policy impact personal freedom. Her work explores surveillance capitalism, encryption laws, and the real-world consequences of data leaks. She is driven by a mission to demystify digital rights and empower readers with the knowledge to protect their anonymity online.