Victims of BlueLeaks: Don’t Rush to the Courthouse
Every INFOSEC nerd who read Brian Krebs’s June 22, 2020 article about the “hundreds of thousands of potentially sensitive files from police departments across the United States” leaked online as “BlueLeaks” let out a nervous gulp. The breach, which exposed more than 269 GB of data, originated at a Texas web service provider that hosted sites on behalf of the state’s law enforcement agencies.
Per Krebs’s article, “the BlueLeaks data … could expose sensitive law enforcement investigations and even endanger lives.” The leaked material spans nearly 24 years of archives and contains personally identifiable information (PII), including contact information, as well as surveillance footage, emails, and photographs.
In addition to endangering lives, BlueLeaks destroyed the privacy of thousands of individuals. Without opining as to the fault of any party involved in the data breach (aside from the hackers, obviously), this post explains why there is little to no recourse for the average citizen whose data was exposed.
To set the stage, when a person is arrested, all information on his or her driver’s license is collected by the arresting authorities. If he or she is incarcerated for an extended period of time, medical information is collected as well, especially if the individual has a health condition that requires access to prescription medication (e.g., HIV, depression, hepatitis C).
For the individual whose personal information was exposed as part of BlueLeaks, options for civil recovery are extremely limited unless the hackers are eventually identified and brought to justice:
1. Neither HIPAA nor the FTC Act Permits Private Lawsuits.
In Dumay v. Episcopal Health Servs., 19-CV-06213 (S.D.N.Y. 2020), patients at St. John’s Episcopal Hospital sued the hospital following a cyber-attack, alleging that it failed to maintain adequate cybersecurity to safeguard patients’ financial data, medical data, and PII. Specifically, the plaintiffs alleged that the hospital violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Federal Trade Commission Act, characterizing their causes of action as “sounding in common negligence, negligent hiring and training of employees, breach of fiduciary duty, implied contract, and delay in notification of the data breach.”
Negligence is a state-law claim, and the federal statutes do not help: the Southern District’s June 18, 2020 decision clearly held that HIPAA creates no private right of action, and that the provisions of the Federal Trade Commission Act may be enforced only by the Federal Trade Commission, not by private citizens.
2. Fraud or Intentional Malfeasance by the Service Provider is Unlikely.
Generally, the Texas Deceptive Trade Practices-Consumer Protection Act (DTPA), codified in the Texas Business and Commerce Code, requires evidence of fraud, actual knowledge of misleading statements or false advertising, and/or evidence of deceptive trade practices to prevail on a consumer protection claim and recover attorneys’ fees. Such claims are notoriously difficult to substantiate and, at the risk of sounding naïve, folly is far more prevalent than fraud.
At present, there is no publicly released information to suggest that the web service provider for the compromised Texas entities was anything other than itself a victim of malicious cyber criminals.
3. Texas Law Enforcement Offices should have Sovereign Immunity.
While Tex. Civ. Prac. & Rem. Code § 101.0215 allows private suits against municipalities of the state for various types of “proprietary” functions (those not required to be provided by law), it preserves immunity for governmental functions such as police and fire protection. Ancillary actions associated with the operation of a governmental function are also immunized, regardless of the motive for engaging in them. The Texas agencies’ and various police departments’ decisions on how best to store and manage collected data are therefore likely shielded from judicial inquiry by sovereign immunity.
Thus, the victims whose personal information and/or health information was disclosed on BlueLeaks generally have three options: 1) wait for the Texas Attorney General or the FTC to take action on their behalf; 2) enlist the assistance of an identity-theft protection service; and/or 3) try to prove negligence against the web service provider. Proving negligence, however, requires an intense factual investigation and evidence of a breached duty that caused the injury at issue, and guiding jurisprudence on this scenario is non-existent.