Is a Company Liable for Being Hacked?

Data breaches are becoming everyday news. When large companies are hacked, we all hear about it, but small companies get hacked too. Hacking isn’t like the movies, either. It’s not a solo person in their parents’ basement typing vigorously through your firewall. No, hackers are likely breaking into your system by sending emails. It’s the most common way companies are attacked.

Frequently, I hear people explain how companies get sued after a data breach. I recently read an article that cautioned businesses that “consumers have successfully sued a company for wrongfully disclosing their information, whether due to hacking or employee negligence, in hundreds of cases,” (“3 Legal Repercussions of Cyber Attacks”, Larry Alton). With due respect to Larry, what lawsuits is he referring to? There are thousands of security breaches every year, and I couldn’t think of one lawsuit that had been successfully brought by an injured consumer. (By the way, Larry was not the only person to provide these kinds of stats. Many websites warn businesses of the dangers of cybersecurity-based lawsuits)

The reason there aren’t many lawsuits might be because companies tend to be pretty proactive following a breach. Many even pay for identity protection insurance for injured consumers. The other reason might be that many people don’t even know that they had their data breached.

But I suspect that the real reason we don’t hear about these lawsuits is that it is much harder to sue for negligent data breach than people realize.

Consumer Lawsuits Based on Data Breach

A lawsuit based on data breach will most likely be a negligence claim. Consumers would allege that the company did not take reasonable precautions to protect their data. Unless the company purposely disclosed consumer information, this would be the most likely path to a lawsuit.

But what is actually required to make a claim for negligence? It’s not enough to show that data was disclosed. You have to show that the company was negligent in protecting it.

Let’s assume that the company had a duty to protect a consumer’s data. That consumer would still need to prove that the company’s negligence caused the data breach and that the consumer was damaged by the breach. I think both of these items are difficult to establish in court.

Causation in Data Breach

There are two types of causation: factual cause and proximate cause. To prove factual cause, the plaintiff needs to show that but-for the negligence the injury would not have happened. This is generally easy to prove. Proximate cause, on the other hand, requires that the plaintiff prove that the injury was a foreseeable result of the negligence. Generally, an independent actor, like a hacker, would sever the chain of proximate cause because it’s not a foreseeable outcome.

Courts have previously ruled that someone committing a crime is not necessarily foreseeable. For example, if I own a bar and a patron punches another patron in the face, I am not likely liable because assault is not necessarily foreseeable. Don’t get me wrong, there are factual circumstances that can make something like that foreseeable, but normally it is not.

The same applies to data security. As a company, it is not foreseeable to have someone make a concerted, criminal action towards its computer system.

Or is it? I definitely think that we are heading towards a place where these kinds of attacks are foreseeable, especially in regard to certain kinds of businesses. Hospitals and law firms are being hacked more and more regularly. At what point is a hack foreseeable?


Damages can also be difficult to prove in a negligence claim based on data breach. Let’s say that your personal information gets disclosed in a massive hack on your bank. But let’s also assume that your accounts are fine. How do you know that you have been damaged?

HIPAA laws assume damages, but other forms of breach don’t have those same assumptions. The tricky thing about a data breach is that your information may not be used against you any time soon. Your personal information can bounce around the internet for years before your identity is stolen. When it is stolen it will be nearly impossible to link its theft to a specific data breach.

Until you actually see the impact of your data being used, how do you prove damages? Perhaps you can prove potential damages, but those are tricky for courts and juries to understand. How do we weigh the risk of identity theft in connection to a breach? I honestly don’t know.

Should we take precautions?

Just because a company can’t be successfully sued doesn’t mean that we shouldn’t take precautions. If your company has a massive breach, you will likely lose clients, which should be incentive enough to avoid these problems.

Companies should invest in security. We all use cloud computing now, but that’s no real excuse for ignoring security protocol. I recommend that companies have regular training on common threats and regularly update their systems to prevent intrusion. I also think every company should have a plan in the event they are hacked. How will they notify their clients? How will they contain the threat? How will the stop the next attack?

Companies should also consider insurance for cybersecurity breaches. Many commercial insurance policies include provisions for data breach now, sometimes for no additional premium. These policies can offset the cost of resetting a computer system and may allow a company to offer identity theft protections to its clients.

The trick is that some precautions are probably necessary to avoid liability.

For example, let’s say that I have my clients’ social security numbers in a file in my office. Am I liable if someone breaks into my office and steals that file? Probably not. But what if I leave that file in front of my glass door and label it in big, bold letters “SSN’s”? What if I leave my office unlocked? Then I’m probably liable.

It’s the same for cybersecurity threats. Right now, very little is necessary to satisfy your duty to your customers. But it seems to me that over the next few years, courts will start to expect a modicum of security to be implemented. Little things will be necessary at first – updating your system, training employees on the risks of unknown email attachments, etc. Eventually, you may need actual IT security systems in place in order to avoid liability.

Just because a company isn’t liable doesn’t mean it should be cavalier with data. We need to establish good practices. Our clients should expect it now, and the courts will expect it in the future.

Legalities of Contract Tracing Precautions

I appeared in court last week in a courthouse that I have not visited since March. I have plenty of cases there, but the judges have been very efficient at keeping attorneys out of the courtrooms. I had to attend because I had clients who were appearing.

When I arrived, security asked me a battery of questions including if I had any symptoms of COVID or if I had come in contact with anyone who had symptoms of COVID. They then took my temperature using a thermal camera. Once I was allowed into the courthouse, I was asked to fill out a half sheet of paper, detailing who I was, my contact info, and which courtroom I was to appear in. Finally, a bailiff escorted me to the courtroom.

All of these procedures felt a bit overboard to me, and I was concerned that I would have too high a temperature to be let in the building. I didn’t have any signs of COVID, but I know that thermal cameras can be very inaccurate at measuring body temperatures. I wondered if I would be black-listed if I registered higher than 100.4 degrees. Being escorted also seemed a bit silly since it’s a public building. Plus, they did not escort me out, which meant I was free to roam the premises. I didn’t, but it did seem to undermine the value of the original escort.

But this got me thinking, is this legal? What if I had refused to comply with one of these steps? I assume I would have been barred from entering the courthouse, but can they do that?

The short answer is yes, they can do all of these things, but I think it warrants some discussion.

What businesses (and government) are doing

Businesses and governments are pulling out all stops on the COVID prevention routines. I have seen some form of each of the following techniques:

Recording customer information

Taking names, phone numbers, and, possibly, email addresses.

Taking temperatures

The temperature that is most cited with refusing admittance is 100.4. I have heard stories of patrons being forced to wait for their temperature to reduce before being admitted, but I have never heard of anyone who was actually barred due to temperature.

I recently heard about someone who tested at 107, which would mean that they were dead. Eventually, their temperature came down and they were allowed into the establishment, but it begs an important question: what happens when the machine is clearly wrong?

Asking COVID-related questions

These questions normally include whether you have symptoms, which can be tricky since the list of symptoms is pretty long, and I am yet to hear of an establishment identifying what the symptoms are. Do you have to report if you have a headache but no fever? I don’t know. I imagine that many people lie about these questions. I’m not sure what value they actually have.

Limiting the number of customers on the premises

Limiting customers may be mandated by the government order. This limitation makes sense, but it can be applied in kind of silly ways. For example, I visited a local game store recently and the manager told me that he had to limit the store to five customers. He lamented to me that sometimes this meant separating families – a mother, father, and their four children, for example. One person would have to wait outside. But of course, that’s silly because those six people live together and don’t pose any additional risk by being allowed in together, not even to him.

Requiring the use of masks

This requirement is mandated by the government and makes perfect sense. Masks have been proven to reduce the risk of spreading the illness and pose no hazard to the wearer. If you disagree with me, don’t bother letting me know. I don’t care about your opinion, you are wrong.

Mandating social distancing

This is also an obvious solution to the problem. The little dots that businesses ask you to stand on help to keep space between people and reduce the spread of the infection.

Some places are using one or two of these strategies, and some places are using all of them.

Is it legal?

Businesses cannot refuse to serve someone based on a discriminatory reason, and, generally, when we consider limitations such as the ones listed above, we need to consider whether the limitations imposed satisfy a legitimate business purpose.

The legitimate business purpose is to limit the spread of COVID. That is clearly a reasonable purpose so the actions taken are legal because they are pursuing that purpose, even if it means that the business is refusing to serve some people.

Therefore, you can’t claim discrimination when a business makes you leave because you’re not wearing a mask. First, I’m not sure there is discrimination there at all. Requiring you to wear a shirt is not discriminating. Second, they are fulfilling a legitimate business purpose in protecting their employees and other customers.

But what about some of the other requirements?

For example, taking temperatures has been proven to not prevent the spread of COVID. Thermal cameras are frequently wrong, and not everyone who has COVID gets a fever. Further, the actual problem with COVID is that the vast majority of people have no symptoms at all, including fever. Therefore, arguably taking temperatures does not satisfy the legitimate purpose of limiting the spread of infection. Can businesses or governments use a method that doesn’t work and still satisfy the legitimate purpose?

We see this in other areas. Consider the security theater that occurs before getting on a plane. Taking off your shoes almost certainly does not prevent attacks on airplanes, but we do it anyway. I actually read an article years ago (that I cannot cite due to lack of memory) that discussed how the FBI conducted a test whereby it was able to smuggle an outrageous number of bombs aboard airplanes. My point is that these security requirements are allowed despite not being very effective so it stands to reason that judges will also allow the taking of temperatures to enter a store or government building.

In short, yes, I think the security theater will be allowed, and if you refuse to comply with the requirements, they can refuse to admit you.

Rollover into a Business Startup (ROBS)

I was recently contacted by a potential client that asked about using a rollover into business startup (ROBS) to fund his new business. I had heard of a ROBS, but I didn’t know much about how it worked so I decided to do some research.

A ROBS account (a very unfortunate acronym, in my opinion) allows a new business owner to use his or her retirement funds to start their new business. That means that they can use money from their 401(k) or traditional IRA without paying taxes or penalties so long as the money is used correctly for the new business.

How a ROBS Works

First, the entrepreneur must form a C-corp. Unfortunately, a C-corp is the only permitted business entity. C-corps tend to be more complicated to maintain, and an S-corp or an LLC would generally have tax benefits to the owner.

The entrepreneur then sets up a retirement account for the new business. This could be a traditional 401(k) plan or a profit-sharing plan. Then the owner transfer funds from his or her personal retirement account to the business retirement account. There are no penalties or taxes paid for this transfer. That’s the point of the ROBS. Using those funds, the company retirement account buys shares from the company. Those funds are then available as cash for the company.

Requirements to form a ROBS

The business owner must have an eligible retirement account. Most accounts are eligible except for Roth IRA’s and Roth 401(k)’s. The owner must also have at least $50,000 in retirement funds. This is not technically a rule, but the costs of forming and funding a ROBS can be steep and anything less than $50,000 won’t make sense.

Lastly, the business owner must be a legitimate employee of the business. This usually means that they must work at least 1,000 hours a year. Owners must be careful not to overpay themselves because that would get them into trouble with the IRS and Department of Labor (DOL).

The funds must be used for the business. They cannot be used in any way for personal use. This makes sense because if the owner could use the money for personal gain, he or she would essentially be taking the money out of the retirement accounts without paying taxes or penalties. Obviously, the IRS and DOL would prohibit that kind of use.

ROBS Costs

There is usually a high upfront fee required by providers. The fee is usually around $5,000. The ongoing costs can be as high as $150 per month to maintain the ROBS.

There are some other costs associated with a ROBS. Employees are allowed to invest in the exact same way that the owner does, meaning they can invest in the retirement plan and use those funds to buy shares of the company. The owner is obligated to educate his or her employees about these options.

(“Rollover for Business Startups (ROBS): The Ultimate Guide”, Dennis Shirshikov, “Rollovers as Business Startups (ROBS): What You Need to Know”, Steve Nicastro)

ROBS: good idea or bad?

I think whether a ROBS works for an individual is based greatly on who that individual is and what they plan to do with the money.

The main benefit of a ROBS is that you can fund your startup with your own money. Therefore, you have no investors and no debt costs. If your business does well, your retirement funds can increase greatly.

The main problem is the risk of losing your retirement funds. If you’re comfortable with risk, then you might feel fine putting your funds on the line. If you have a lot of retirement funds, you may not be risking your entire retirement, and if you’re young, you have plenty of time to build up your retirement accounts before you actually retire.

The nature of the business matters, too. If you’re investing in a franchise or something with a proven model, the risk is a lot lower than starting a brand-new business. Most new businesses fail or aren’t very profitable. Picking an industry, you know and a business model with a good track record will help mitigate that risk.

The last risk is the fact that you have to make the retirement plan available to your employees. For most small businesses this is not a problem, but I could see a situation where the ownership shares could get a bit diluted. The owner would need to keep an eye on this in certain circumstances.

Bottom line is that the ROBS may work for the right person in the right business. Rules need to be followed, but if you handle everything correctly, this could be a low-cost way to fund a new startup.