State of Michigan’s Personal Data Breach and Fraud Fallout
When Michigan state leaders neglected to act on lead in public drinking water, the case put Michigan in the national spotlight and set a new precedent for public water safety standards. At great cost… Could the focus of the next big precedent-setting case be Michiganders’ personal data?
This February, Detroit’s local Fox 2 News reported the State of Michigan’s breach of approximately two million social security numbers and other personal data. The State initially publicly reported only a “potential data breach”. Then, on February 3, 2017, an internal communication at the State of Michigan told union employees that the information compromised in the “potential” breach “does potentially include 1.9 million social security numbers of Michiganders.”
Long before the State of Michigan created the Michigan Talent Investment Agency in 2015, the newest in a succession of custodians of Michigan job seekers’ personal data, Michigan companies had been reaching out to the state with claims that their employees’ personal data, including social security numbers, had been compromised. Companies began to notice fraud tied to their employees’ social security numbers and notified the state that something was amiss.
One of those affected was a retired employee of military automaker AM General, who was informed, in a letter sent just months after his retirement, that his data had been compromised in the State of Michigan breach. A unique set of circumstances created a perfect storm of vulnerability for this man and set him up to become not only a victim of identity theft but of real, “de facto” harm traceable directly to a breach of personal data.
Michigan is one of the states that enforces a law like the Employment Security Act of 1936. Section 27(a)(1) of that act holds that unemployment benefits become immediately payable once the state issues a determination or redetermination allowing them.
In layman’s terms, that means that once a state unemployment official approves benefits, payment cannot be stopped without going through the dispute process. For an identity thief filing a fraudulent claim, that is the window that matters: the money moves before the person whose identity was used has any chance to object.
In 2013, the State of Michigan hired a relatively well-known software vendor, Fast Enterprises, which sells what we in the enterprise software industry call an “out-of-the-box (OOTB) solution”. OOTB means a one-size-fits-all product that is slightly modified to match the nomenclature, and some of the business processes, of a particular client. Fast Enterprises’ flagship product, GenTax, is the system around which most of the “Special Claims” unit of Michigan’s Department of Licensing and Regulatory Affairs (LARA) operated.
People familiar with the incident at the Service Employees International Union (SEIU) Local 517M say that the OOTB product was originally bought to manage interactions between tax-paying enterprises and state departments, not unemployment. Fast Enterprises counts Departments of Revenue across many of the 50 states as the vast majority of its clients. SEIU employees named their OOTB product MiDAS (Michigan Integrated Data Automated System), and it eventually integrated and managed all transactions across every department that fell under Special Claims, including working groups such as Employee File Claims, Trade Readjustment Claims, and Combined Wage Claims.
The combined wage office, for instance, serves unemployment insurance claimants who need to combine Michigan benefits with benefits from other states. In that capacity, workers who have worked in multiple states have their personal data collected by agencies in several jurisdictions, each of which may hold itself and its vendors to a very different standard of cybersecurity policy. A record is only as well protected as the weakest of the systems it passes through.
The nature of these business operations and the order of events matter because of how litigators have been arguing data breach cases in the courts. Since the Supreme Court’s decision in Spokeo v. Robins, federal judges have split on how citizens may sue over personal data breaches. Whether or not the defendant improperly held the information, a newer line of opinions holds that an individual or class cannot sue a data holder unless the data is actually at risk. Alison Frankel of Reuters News reports that, under the
Spokeo v. Robins definition of constitutional standing, data breach victims can sue even if they haven’t shown hackers actually used their stolen personal information.
Soon after that SCOTUS decision, a three-judge panel of the Seventh U.S. Circuit Court of Appeals, hearing Gubala v. Time Warner Cable and following the Eighth Circuit’s reasoning in Braitberg v. Charter Communications, affirmed dismissal on the ground
that lead plaintiff Derek Gubala did not plausibly allege that his personal data was at risk as a result of Time Warner’s supposedly improper retention.
Both of these court cases mirror, on a smaller scale, what is happening in Michigan, where thousands of companies are now working with the state to dispute fraudulent unemployment claims. People close to the matter believe it was an “inside job” at the State of Michigan. But cybersecurity experts like Steve Schwartz of Global Cyber Consultants state that “all enterprises need to integrate more cyber policies with company culture. It’s bigger than IT.”
The question remains: how much harm from a data breach is enough for victims to have standing to sue, to join a class action, to win a settlement, or even to recoup their dignity? Bloomberg BNA reports that a data breach class action against Nationwide Mutual Insurance Co., decided by the U.S. Court of Appeals for the Sixth Circuit, is a candidate for Supreme Court review this year. A ruling there could resolve some of the ambiguity surrounding the “harm” test.
There are a slew of other cases in the pipeline in which those already harmed, and those anticipating harm from what now seem to be unavoidable data breaches, are preparing for the worst. In a federation of differing legislative interpretations like the United States of America, we must keep asking how personal data is tied to the value of an individual’s inalienable rights.
The retired AM General employee, who asked not to be named, is just one of a reported 20,000 false unemployment fraud claims against Michigan residents documented by the Detroit News. We know from the Employment Security Act that, once a determination issues, benefits are paid out before any dispute can be heard, so taxpayers, individuals and institutions alike, have exchanged tangible monetary value for fraud. The greater truth here is that people’s personal data has tangible value tied directly to their dignity, and the foremost effort of public and private institutions must be to shore up the public’s trust in them. Otherwise they are not relevant.