Negligence liability for datasecurity breaches

Regardless of the method, cyberattacks involve the same formula: the unauthorized access to and use of information in order to achieve a malevolent or criminal goal. It is increasingly difficult, and all but impossible, for companies to keep out a well-funded and motivated attacker. Liability for negligence in protecting confidential data is now an ever-present threat.

The cost of a datasecurity breach

A datasecurity breach presents companies with potentially significant financial exposure on many fronts, among them the costs related to forensic investigation and remediation work and the costs stemming from data breach notification. Additional costs can arise from resulting investigations by government agencies and state attorneys general, from the losses resulting from negative publicity, and from the costs of managing and mitigating the damage from that bad publicity.
As cyberattacks and datasecurity breaches have become more frequent, so has the resulting litigation. FTC enforcement actions are establishing de facto “standards” while organizations such as the National Institute of Standards and Technology (NIST) are developing voluntary guidelines for reducing cybersecurity risk to critical infrastructure (the Framework for Improving Critical Infrastructure Cybersecurity).

Tort liability for a cybersecurity breach

Failure to satisfy those standards creates a limited inference of negligence, which might lead to tort liability. At the present time, consumer-driven litigation alleging failure to adhere to cybersecurity “best practices” has been limited to actions brought by the self-styled “Masters of Disaster” who dominate the plaintiffs’ class-action bar. However, many personal injury trial lawyers trolling for liability opportunities are starting to file straightforward conventional negligence claims against deep-pocket defendants for the damages to individuals arising from cybersecurity breaches that result in personal identity theft. These underemployed lawyers now see these claims as a fertile field for contingent fee litigation.
Liability for a cybersecurity breach can be predicated upon failure to follow cybersecurity “best practices”; violations of a privacy or consumer data protection law; breaches of contract, such as agreements, whether explicit or implied, to protect personal information; and failures by outsourced service providers.

Liability for loss of market value

Shareholder lawsuits alleging a decline in Company stock price as a result of failing to prevent a breach in cybersecurity are another area of liability concern. Liability concerns should also trouble Board members, who may face individual claims that might trigger exclusions in conventional Officers and Directors Errors and Omissions insurance policies and require a defense independent from the defense of the Company and its executive management.

Cyberinsurance is no longer an option

The demand for cyberinsurance has increased dramatically as prudent Companies incorporate the threat of data incidents into enterprise risk management and insurance risk transfer mechanisms; but cyberinsurance is no guarantee that companies and professional practices can escape significant damage from data security breaches.

Portions of this page were developed from analysis of Limiting Liability Before a Data Breach by Allison Brecher, a senior litigation counsel and director of information management and strategy, and Orrie Dinstein, global privacy leader at Marsh & McLennan Companies. It appeared online in the ALM publication, Corporate Counsel, on March 26, 2015.