A common data breach scenario runs along these lines: Company X keeps sensitive consumer data, including name, credit card information, and email address. Despite the company’s promises, this information isn’t encrypted, pseudonymized, or subject to restricted access. The data are accessible from any networked computer at work and through the company’s web portal. The data are stolen by a recently terminated employee, who gained access to the database because the password is “admin” or “password12345.” (If these are your actual passwords, stop reading and go change them. I’ll wait.)
At this point, you might imagine that if anyone is sued, it would be the thief, and they may well be. But as we’ve discussed, the FTC could sue the company for failing to safeguard its customer information. The other potential lawsuit is the one customers bring against the company for failing to safeguard data.
That lawsuit is almost certainly going to be based in tort law, which is the realm of non-criminal wrongs. Torts cover everything from libel to hitting someone in the face with an actual torte. In the data security context, the claim is for negligence – that is, Company X didn’t take reasonable steps to safeguard against a predictable risk of harm. The majority of data breach lawsuits in the United States follow this rubric, although there are important exceptions. In Pennsylvania, for instance, the right to bring a data breach negligence lawsuit is very limited.
Nevertheless, tort claims are likely to be the route plaintiffs follow when there is a data breach. It’s helpful to consider why that may be. Negligence claims developed as a response to actual physical injury, and later grew to cover economic harms as well, but how does a data breach fit within the rubric?
Simply put, a negligence claim argues that the company had a duty to protect the customer or the customer’s information, but failed in its duty, causing harm to the customer. If a court agrees that the company should have taken better precautionary steps, then the plaintiff may be entitled to damages. In some cases, the company can be liable even if the customer’s personal data wasn’t used to steal their identity or the breach did not result in direct financial harm.
None of this is to say that there aren’t other types of data breach lawsuits, or that this will always be the norm. But it is important to understand that, as long as data breaches are generally treated as torts, you should prepare for them as you would for any other negligence lawsuit.
Not to be glib, but the key is to try not to be negligent. (Yes, I realize that was glib and an oversimplification, but my point remains.) If you approach data security the same way you approach not leaving banana peels on the floor of your restaurant, you’ll at least have a starting point. Taking reasonable precautions, treating data security as a component of doing business, and refusing to take shortcuts at the expense of protecting information are the building blocks of a datasmart legal strategy.