The Oregon Department of Transportation was part of a global hack last year that affected the data of about 3.5 million people with Oregon IDs or driver’s licenses. The information involved in the breach included dates of birth, physical addresses and the last four digits of Social Security numbers.
Earlier this year, two Oregonians filed a lawsuit over the data breach. They say the state failed to protect the personal information of residents.
How should government agencies be thinking about protecting sensitive data? What can the U.S. learn from other countries and their data practices? We dig into these issues with Rohan Grey, an assistant professor at Willamette University College of Law.
The following transcript was created by a computer and edited by a volunteer:
Dave Miller: This is Think Out Loud on OPB. I’m Dave Miller. There is a very good chance that your personal information was hacked last year when the Oregon Department of Transportation had a huge data breach. The data included dates of birth, physical information like height and weight, addresses, the last four digits digits of social security numbers. And it was massive: about 3.5 million people with Oregon driver’s licenses or state IDs. Earlier this year, two Oregonians filed a class action lawsuit over this breach. They say the state failed to protect the personal information of Oregon residents. What can this lawsuit tell us about the bigger picture of data security in this country and around the world? Rohan Grey is an assistant professor at Willamette University College of Law. He joins us to talk about this. Welcome to the show.
Rohan Grey: Thank you for having me.
Miller: What can you tell us first about this particular data breach, the focus of this relatively recent class action lawsuit?
Grey: I think your earlier summary was pretty good. It hit about 90% of all users at the DMV and included most of the regular information you get on a driver’s license. It was to do with certain file transfer software that was hacked at a global level, so it wasn’t necessarily a targeted attack. Although after that hack was discovered, it was revealed that the information at the DMV particularly had been accessed. So we know it was specifically taken by certain actors.
There are issues around how long people knew about it before it became public and whether or not the public was given proper time and things. This lawsuit is a class action by a number of affected actors on behalf of everybody else. It seeks, in addition to damages, permanent insurance and some other supports for people who were victims of the hack.
Miller: As in so many of these cases, the government agency – in this case ODOT – they can’t tell people, if I understand correctly, if their information has been illicitly used, just that it was part of this overall data breach. Where does that leave basically all of us or almost all of us? I mean, if folks had a driver’s license or an ID card last year, what are we supposed to do with that information?
Grey: I mean, unfortunately, feel less safe, hopefully learn a lesson about the issues that are going on underneath our feet when it comes to the changing world of data. We can’t often undo existing breaches, hacks. We can’t put the milk back in the bottle. But it is an important lesson about how much we should be thinking about these things, how much resources we should be devoting in advance to preventing future hacks, and also thinking about just how vulnerable our data can make us.
Miller: How common are lawsuits after governmental agency data breaches?
Grey: This is one of the somewhat unusual aspects of this particular hack is that it was a government hack, it was so wide, and it was information that was affecting individual consumers. It’s not just some important set of information about government technology or whatever else. It was specifically stuff that kind of resembles private commercial hacks. There’s been a pretty big increase in class actions around data breaches over the last couple of years. It’s one of the hottest growing areas of class actions. But I think on the public side, it’s still somewhat rarer. As a result, this was a more high profile case against a backdrop of increasing stories of similar breaches in the commercial sectors.
Miller: What kind of precedents are there? How, in general, have judges or juries responded to these class actions?
Grey: I think they’re sort of ramming up in recent years. I mean, obviously you can speak to class action specialists, litigators, and they will probably have a closer pulse on the ground. But, [in] the last couple of years, I think there was a sort of clearing of the air around whether or not there was a harm enough to cause standing. Maybe five or six years ago, there was a fair bit of debate around different courts as to whether or not simply having your data accessed count as a harm that you could then get damages for and things. But I think in recent years, more and more jurisdictions and federal courts have found that you can and also looked at different theories as to how we could hold actors liable for that data in ways that we hadn’t looked at previously.
Miller: Oh, so in other words, before – not too long ago – there was a question of, if you just had been among the thousands or millions of people whose data was a part of a breach, that alone wasn’t enough to …
Grey: Right, it was a sort of murky legal question as to whether or not that was a harm in and of itself or if you had to wait to actually have somebody use your credit card information…
Miller: … or try to open a new checking account …
Grey: …or maybe find out that it was part of a batch that were explicitly sold on the dark web or something like that.
Miller: But even so, if we’re talking about, let’s say in this case, 3.5 million people who were potentially affected, it’s hard to imagine that all of us are gonna get a large amount of money.
Grey: No. In the past, the numbers have been sort of low two figures: 20 bucks, things like that, per person. So when you think about the point of class action lawsuits, the money, at least on that front, isn’t usually, in cases like this, about making people whole. I mean, what is the value of knowing that all of your information is out there forever? Oh, maybe $16? It’s almost insulting to have a number like that. But when you think about 3.5 million people who are harmed, times $20, and then you put that number in the face of ODOT, now suddenly that’s an incentive to maybe change your policies in the future or have more due diligence about who you choose as a third party contractor for data security. So it’s a legal strategy that affects the people who have to pay out a lot more than the people getting the money.
Miller: Do you get the sense that these suits, whether we’re talking about a public agency or a private company, have spurred all these folks, who have enormous amounts of our data, to become better stewards of our data? Is there evidence to suggest that that’s happened?
Grey: It’s a question of how deep you want to pull back the layers because, at least in my view, one of the biggest problems we have at the moment is an economic machine that treats data as sort of almost like oil or gold, right? It’s a thing that you are always trying to get more of. Especially in the age of AI and advanced business analytics, when in doubt, collect data. And then at some point in the future, we’ll develop the right kind of analytic system to find meaning in it. You know what I mean? When in doubt, categorize and label everything, and then we’ll work out the science later on.
So there’s a structural tendency towards generating data, accumulating data, storing data. And we treat it like it’s a thing that you give up: “Oh, I get free email and all I do is give them up some data.” But it’s much more akin to littering. You’re creating more and more of this stuff. That means there’s more and more chances of it getting stolen.
Miller: Littering with bits of ourselves.
Grey: Right. Exactly. It’s sort of like dust is skin cells almost, right? We are creating this huge amount of information. The problem is it’s ecological. If I send someone an email, I’m not just telling them about who I send emails to. I’m telling them who receives emails from me, and that’s about other people. We have this sense in which we want to treat, in certain legal contexts, data as another commodity, right? It’s like a can of beans on the shelf. You buy it. I pay for it. Sometimes I pay you in services like a free email service or a free web page. But once I give you the money for it, or give you compensation, that’s it. It’s done. I’ve paid you for it. It’s mine now. Whereas, thinking about it almost like land or natural resources or a pond where you can’t take it away from where it is, my data is always gonna affect me. So, whether or not I want to let you use it is a different question from whether or not you can ever kind of buy it and own it. It’s almost like you hear about stories where people say that photos used to steal people’s souls. It’s kind of like that.
Miller: It seems to me that we have had an option open to us for as long as there’s been gmail, for example, that we could pay for our own email service. In paying, there are places where they’re not going to be essentially just using us as data creators they can then monetize. And those haven’t been particularly successful. I mean, many, many people – most people – use free email, maybe with this trade off in mind, maybe not. What does it tell you that many of us are consciously choosing right now, day after day, to do something different than what you’re suggesting?
Grey: I think it just suggests that the scale of the harms we’re talking about is too high for people to really comprehend in any reasonable way.
Miller: What do you mean by that?
Grey: I mean, most of us are spending our day working out how to get through the day, how to pay our rent, how to have a nice weekend or whatever else. And if somebody says a million tiny microscopic decisions you make is gonna kill the planet, it’s too hard to internalize what you’re supposed to do about that. So it’s part of the reason we have collective action. It’s part of the reason we have governments. It’s part of the reason we have societies. So that we can say, look, if it was up to me living my own life, I’d probably be too narrow minded to think about this. But this is a social thing, right? This affects everybody.
So what we need to do is collectively decide that certain kinds of treatment of data shouldn’t be allowed. If it’s yours, if it affects you personally, yeah, let other people access it. But have a duty of care. Keep it to be yours. Don’t have it to be something that can be alienated from you and bought and owned and chopped up.
Miller: What’s a different governmental model? I mean, to go back to the ODOT or DMV example, this is not free email. This is a government agency that says: We need this information so we can verify who people are, so we can decide whether or not they should be allowed to drive or do various things in terms of interactions with the government.
So what’s a better model? In addition to the basic idea that, whatever data they have, ideally they’d be doing a better job of keeping it out of the hands of Russian hackers or whoever, what’s a different model for maintaining and collecting that data in the first place?
Grey: Yeah, I like to use the example of Estonia, which got a lot of press a few years ago for its data model, in part because it was anticipating one day needing to be a government in exile if they were ever invaded by the Russians right next door, and so designing a whole government that can work on the run. They created a model where they use this very fascinating, simple legal principle – which a number of other countries in Europe have since started picking up – which is: “collect once.” So, any piece of information, you only have to collect it once. If it’s already been collected by the government, a private company can’t ask for it again.
Now, if you think about that, it sounds very simple. But think about the number of different forms you might have to sign in a year that require you to give your name or your date of birth. Now, imagine if that was not asking you to give it again, creating a parallel, separate piece of data about the same information, but saying, “We hear you’ve given this information once. Can we access it?” Then once we’ve finished accessing, it goes exactly where it was.
Miller: I’m trying to imagine how that might work in Oregon, for the DMV as an example. People also pay, say, taxes at the state level or maybe want to get a hunting or fishing license with the Department of Fish and Wildlife. How would it work if we had the Estonian model just at the state level?
Grey: Well, that’s interesting that you started with it at the state level because you can almost take it one of two ways. One is, you can really decentralize it. You can say really what we want is people to have their own information and the state is asking for access to it, right? That would allow for more pluralism; allow, for example, Native groups to have their own identification systems, etc. The other option is to have a central database. Then say everybody accesses that, and then we have it almost like social security numbers. So, I wouldn’t start at the state level. I would start at the federal level. That way you would have one name, one ID, that if the state needed to use it for something they could say, “We see you’ve already got a legal name on file federally. Can you tell us what it is?”
So we don’t need to have two separate systems there. Or, if you did want to have a state system, you could do it at that level. So that if you had one state ID – everything from paying your taxes, to in-state college tuition, to a criminal record, to whatever else – you could use that and access it in different ways, without those different actors having access to your pot of data. They could only access it once you approve it.
Miller: What do you see as the political contours of this question? I frankly find it impossible to figure out what direction this would go, how it would map out onto the existing contours of left and right, of progressive and conservative in this country.
Grey: No, it’s definitely one of those situations where you want at least a two-dimensional map because I think you end up having some people on the libertarian right and a lot of people on the anarchist or civil libertarian left who might have a lot more in common about not wanting governments to have access to large pots of data. Maybe the left would say we also don’t want large corporations and the right would be more sanguine about that.
But in general, I think this is much more a civil libertarian issue. When it comes to how you want to set up the politics around this, I think a lot of it is probably, unfortunately, gonna have to wait until another big crisis. It took the Edward Snowden revelations. It took the Equifax hack for us to even talk about credit reporting information for a hot minute, and then we’ve all forgotten about it again.
It’s kind of scary to think about how large a data breach you might need before people start to really take this seriously – maybe everybody’s private Facebook DMs or something. You know, maybe it would have to take something very personally embarrassing before people realized how dangerous it could be.
Miller: Or we would all just say, “I guess that was embarrassing, but this is convenient” and move on with our lives. Or is that too cynical?
Grey: Well, I had a law professor, when I was his law student who said to me, “I lost a lot of family members in the holocaust. The next time they come for my family, which they will, they’ll get every single one because they know where we are all the time.” That kind of hit me like a ton of bricks as someone that was sort of like, “Well, if I’m not doing anything wrong, what do I care if I have something to hide?” The answer is: Just like the pollution is ecological, the privacy is ecological. If you want to let people have anonymity – which I have come to appreciate is, I think, a very fundamental part of an advanced civilization – the scale of society to allow you to not be the exact same person you were born in a small village that everybody knows your [bleep] all the time. That idea that you could reinvent yourself, you could have cash transactions, things like that, becomes a pretty central value to either uphold or not. So I think that’s where a lot of this debate is going to come down to is whether or not people choose to value anonymity as a form of defense against political tyranny.
Miller: Rohan Grey, I look forward to talking again. Thanks very much.
Grey: Thank you.
Miller: Rohan Grey is an assistant professor at Willamette University College of Law.
Contact “Think Out Loud®”
If you’d like to comment on any of the topics in this show or suggest a topic of your own, please get in touch with us on Facebook, send an email to thinkoutloud@opb.org, or you can leave a voicemail for us at 503-293-1983. The call-in phone number during the noon hour is 888-665-5865.