[BreachExchange] Is There Automatic Civil Liability For A Data Breach?

Audrey McNeil audrey at riskbasedsecurity.com
Mon Nov 20 19:58:01 EST 2017


https://www.jdsupra.com/legalnews/is-there-automatic-civil-liability-for-98897/

No! It is a common misconception among the general public that someone
always has to pay when there is a data breach. It is understandable that
individuals affected by a data breach will be upset, distraught, and even
angry. In light of recent large-scale data breaches, it is safe to say we
have all been there, with our personal information that we entrusted to
particular companies or employers now out there in the hands of cyber
thieves.

Data breaches may result in serious harm to the affected individuals, such
as identity theft and disruption of their lives and businesses. Of course
they will want someone to pay, and they will probably find a plaintiffs’
attorney who will file a lawsuit regardless of whether your company has any
liability, hoping that a jury would reward the “victim” simply because they
suffered damages.

The reality is that data breaches happen to the best of us. And sometimes
even if a company took every reasonable step within its power to prevent
data breaches and ramp up security, it may still experience a data breach.
But the accusations will still be made: “How could you let this happen?” “I
trusted you to keep my data secure.” “You’re going to pay!” It is common
for individuals affected by a breach to believe that a data breach could
not have possibly occurred without someone being negligent. This common
reaction results in a high propensity for litigiousness among the victims
of any data breach.

Laws Provide Some Breathing Room For Diligent Companies

Generally, data privacy laws across the United States, both state and
federal, do not impose strict civil liability on entities that experience a
breach of security resulting in the disclosure of personal information to
unauthorized or unknown parties. Rather, potential civil liability may
arise in two scenarios. First, if a company fails to implement steps that
are either required by statute or reasonable under the circumstances to
safeguard private information, it could face the very real possibility of a
negative legal judgment. Second, even if a company implemented legally
required or reasonable steps to prevent a breach before it occurs – in
other words, did everything right up to the breach incident – it could
still face liability if it fails to take post-breach steps to remedy the
situation or mitigate the harm. This could include steps required by a
specific state statute, such as providing notification to those impacted,
or those simply deemed reasonable under the unique circumstances related to
the specific breach in question.

While statistics show that most data breaches have a root cause of human
error, a human error does not automatically mean the company was negligent.
A legal determination of fault under a negligence theory will depend on the
precise circumstances in which the mistake or human error was made. This is
also the case if the breach was the result of intentional or malicious
actions by an insider. Unfortunately, the lawyerly answer “it depends”
still applies.

Nightmare Hypothetical Scenario Demonstrates Potential Problems

For example, imagine a rogue and disloyal employee bent on misappropriating
your trade secrets defects to a competitor after uploading electronic files
pertaining to your customers and employees to their Google Drive (in an
attempt to bypass USB detection). It turns out the files contain private
non-public information of customers and medical information of employees.
The former employee’s Google Drive is then hacked by some unknown party and
all the customers’ and employees’ private information is exposed. Once the
affected individuals learn that their information has been leaked, they
want someone to pay. Are you at fault for the data breach in this
hypothetical scenario?

Ultimately, if you took all the legally required or reasonable steps to
safeguard private information, and the data breach occurred despite your
best efforts, there should be no liability absent a contractual
indemnification or guaranteeship obligation towards the affected
individuals. The challenge, however, is proving that you did all you could
to prevent a data breach. It may come down to a battle of the expert
witnesses opining on what were the applicable “best practices” at the time
of the incident. For instance, was it reasonable for the rogue employee to
have had access to those files? Was it reasonable for this employee to have
been able to access a personal cloud-based account using a company device?

After The Breach: Picking Up The Pieces

Once a breach occurs, a new set of obligations arises, including compliance
with applicable state and federal data breach notification laws, some of
which may also require the provision of identity theft protection or
monitoring services to the affected individuals. When an incident qualifies
as a data breach under a state’s data breach notification statute, failure
to timely notify the affected individuals may give rise to liability for
civil penalties imposed by the state’s attorney general or other state
enforcement authority.

Some statutes create a private right of action so that, in addition to
other claims under the common law, the affected individuals may file their
own lawsuit for failure to comply with the state’s data breach notification
law. In the absence of a private cause of action provision in the statute,
only the government can enforce and impose penalties for these statutory
violations. Of course, this will not stop plaintiffs’ attorneys from
asserting a common law negligence claim based on violation of the breach
notification statute.

In addition to complying with statutes and regulations, companies that
experience a data breach of their systems should take steps consistent with
their duty of care to the affected individuals. This may potentially
include providing identity theft protection services even where not
required by law, or extending such coverage for two years where the law
only requires one year of coverage. Another reasonable step recommended by
data security practitioners is to engage an external, independent security
consultant to conduct a comprehensive security assessment or audit of your
IT infrastructure and information management systems. If the security audit
reveals gaps in security, you should promptly take action to implement
recommended changes aimed at preventing data breaches in the future.