“Private Cybersecurity Lawsuits”
Question: What liability do we have to individuals in a private lawsuit if there is a data breach?
A company can be privately liable to an individual or individuals in a number of ways deriving ultimately from “common law” court made laws, or “statutes” enacted by Federal or State legislatures.
The common law causes of action are as follows:
- Negligence (A company breached a legal duty that caused foreseeable injury to an individual)
- Negligent misrepresentation (A company failed to exercise reasonable care and supplied false information that cause damages to an individual)
- Breach of contract (A company breached a bargained for promise or promises in a contract)
- Breach of implied warranty (A company’s product or services failed to satisfy basic expectations of fitness)
- Invasion of privacy (A company published private facts about individual that are offensive and not of public concern)
- Unjust enrichment (A company knowingly benefitted from an individual in a manner that was so unfair that basic principles of equity require the company to pay the individual the fair value of that benefit)
The statutory law used is generally going to be under a consumer protection law that is specific to a state.
So as not to overload you, I will be covering negligence this month and the other causes of action in the November posting.
Negligence is the most common type of action that is brought. For an individual to win a negligence case he or she must prove a) There was a legal duty owed to the individual by the company, b) the company breached that duty, c) the breach caused a reasonably foreseeable, d) “cognizable injury” to the individual.
DUTY/BREACH – In cybersecurity negligence cases, legal duty and breach of that duty are not usually main areas of dispute. Courts usually agree that companies have a legal duty to safeguard personal information and that a failure to safeguard that information is a breach of that duty. In fact, a court MAY consider industry standard security protocols (like encryption for example) to define the duty of care. This should scare anyone reading this blog post because it means that the court would consider a non-compliance with an industry standard to a be negligence! Furthermore, the defense that the harm was caused by a hacker and not the company will in all likelihood be rejected because the company’s lack of security plays a key role in allowing the harm to occur. Ouch.
CAUSATION – Causation is also rarely contested, but is harder to show than duty and breach of duty. Unlike most negligence cases in other areas that focus on whether a breach of duty ‘proximately’ caused (was a moral/closely related cause of) injury, in the cybersecurity realm the question of “but for” causation (whether the breach had anything to do at all with the injury) is a significant question of fact that is often not easy to determine. For example, if a hard drive with personal information gets stolen, but that information (or information very similar) doesn’t get exposed online until one year later, how can we know if the cause of the exposure was the hard drive and not some other source? This is a very fact specific question and depends on all the circumstances in the case. However, a court usually need only find a “plausible” connection for the case to proceed. If the information on the hard drive is identical to the exposed information a court will be more likely to find causation than if the exposed data is only similar but not identical to the information on the hard drive. Also, taken into account in these cases is the time that has elapsed between the security breach and the exposure. The longer the time period the less likely a court will find causation.
COGNIZABLE INJURY - On less scary note for companies, the last required element in negligence cases, “cognizable injury” is more difficult to establish. As of right now, many but not all states are continuing to adopt what is known as the “Economic Loss Doctrine.” The doctrine was created back in 1927 and bars a finding of injury if there was no physical harm or property damage. That may sound like a slam dunk win for defendant companies, and in many cases it is, but not all. First, not all states apply it to every negligence claim. Second, even if the state does apply it to cybersecurity negligence claims it may have exceptions. The exceptions found thus far are a) there is an independent duty to protect the data beyond the general commercial expectations, and b) there is a special relationship between the company and the individual. The exception that is most likely to swallow the rule, and the one to be most wary of, is the “special relationship” exception which generally requires the following elements:
- Company required individual to turn over private information;
- Plainly foreseeable that injury would result from a breach;
- Company failed to notify individual promptly of breach, causing injury;
- Company knew its security was insufficient; and
- Company morally culpable in their behavior;
- Policy is served by the exception.
The takeaway here should be that any company dealing with personal information better have its information security system up to industry specifications, follow the required notification rules required by states. Digital Edge can help with both.
