Data breaches are becoming everyday news. When large companies are hacked, we all hear about it, but small companies get hacked too. Hacking isn’t like the movies, either. It’s not a solo person in their parents’ basement typing vigorously through your firewall. No, hackers are likely breaking into your system by sending emails. It’s the most common way companies are attacked.
Frequently, I hear people explain how companies get sued after a data breach. I recently read an article that cautioned businesses that “consumers have successfully sued a company for wrongfully disclosing their information, whether due to hacking or employee negligence, in hundreds of cases,” (“3 Legal Repercussions of Cyber Attacks”, Larry Alton). With due respect to Larry, what lawsuits is he referring to? There are thousands of security breaches every year, and I couldn’t think of one lawsuit that had been successfully brought by an injured consumer. (By the way, Larry was not the only person to provide these kinds of stats. Many websites warn businesses of the dangers of cybersecurity-based lawsuits)
The reason there aren’t many lawsuits might be because companies tend to be pretty proactive following a breach. Many even pay for identity protection insurance for injured consumers. The other reason might be that many people don’t even know that they had their data breached.
But I suspect that the real reason we don’t hear about these lawsuits is that it is much harder to sue for negligent data breach than people realize.
Consumer Lawsuits Based on Data Breach
A lawsuit based on data breach will most likely be a negligence claim. Consumers would allege that the company did not take reasonable precautions to protect their data. Unless the company purposely disclosed consumer information, this would be the most likely path to a lawsuit.
But what is actually required to make a claim for negligence? It’s not enough to show that data was disclosed. You have to show that the company was negligent in protecting it.
Let’s assume that the company had a duty to protect a consumer’s data. That consumer would still need to prove that the company’s negligence caused the data breach and that the consumer was damaged by the breach. I think both of these items are difficult to establish in court.
Causation in Data Breach
There are two types of causation: factual cause and proximate cause. To prove factual cause, the plaintiff needs to show that but-for the negligence the injury would not have happened. This is generally easy to prove. Proximate cause, on the other hand, requires that the plaintiff prove that the injury was a foreseeable result of the negligence. Generally, an independent actor, like a hacker, would sever the chain of proximate cause because it’s not a foreseeable outcome.
Courts have previously ruled that someone committing a crime is not necessarily foreseeable. For example, if I own a bar and a patron punches another patron in the face, I am not likely liable because assault is not necessarily foreseeable. Don’t get me wrong, there are factual circumstances that can make something like that foreseeable, but normally it is not.
The same applies to data security. As a company, it is not foreseeable to have someone make a concerted, criminal action towards its computer system.
Or is it? I definitely think that we are heading towards a place where these kinds of attacks are foreseeable, especially in regard to certain kinds of businesses. Hospitals and law firms are being hacked more and more regularly. At what point is a hack foreseeable?
Damages can also be difficult to prove in a negligence claim based on data breach. Let’s say that your personal information gets disclosed in a massive hack on your bank. But let’s also assume that your accounts are fine. How do you know that you have been damaged?
HIPAA laws assume damages, but other forms of breach don’t have those same assumptions. The tricky thing about a data breach is that your information may not be used against you any time soon. Your personal information can bounce around the internet for years before your identity is stolen. When it is stolen it will be nearly impossible to link its theft to a specific data breach.
Until you actually see the impact of your data being used, how do you prove damages? Perhaps you can prove potential damages, but those are tricky for courts and juries to understand. How do we weigh the risk of identity theft in connection to a breach? I honestly don’t know.
Should we take precautions?
Just because a company can’t be successfully sued doesn’t mean that we shouldn’t take precautions. If your company has a massive breach, you will likely lose clients, which should be incentive enough to avoid these problems.
Companies should invest in security. We all use cloud computing now, but that’s no real excuse for ignoring security protocol. I recommend that companies have regular training on common threats and regularly update their systems to prevent intrusion. I also think every company should have a plan in the event they are hacked. How will they notify their clients? How will they contain the threat? How will the stop the next attack?
Companies should also consider insurance for cybersecurity breaches. Many commercial insurance policies include provisions for data breach now, sometimes for no additional premium. These policies can offset the cost of resetting a computer system and may allow a company to offer identity theft protections to its clients.
The trick is that some precautions are probably necessary to avoid liability.
For example, let’s say that I have my clients’ social security numbers in a file in my office. Am I liable if someone breaks into my office and steals that file? Probably not. But what if I leave that file in front of my glass door and label it in big, bold letters “SSN’s”? What if I leave my office unlocked? Then I’m probably liable.
It’s the same for cybersecurity threats. Right now, very little is necessary to satisfy your duty to your customers. But it seems to me that over the next few years, courts will start to expect a modicum of security to be implemented. Little things will be necessary at first – updating your system, training employees on the risks of unknown email attachments, etc. Eventually, you may need actual IT security systems in place in order to avoid liability.
Just because a company isn’t liable doesn’t mean it should be cavalier with data. We need to establish good practices. Our clients should expect it now, and the courts will expect it in the future.