A data breach is a specific event in which secure or confidential information is released without authorization to an environment that is not secure. In many cases, this involves either an intentional theft of the information in the database of some entity, usually a business, or an accidental leak of sensitive information due to an error.
Data breaches often involve electronic means of communication and data storage, such as hard drives, digital video or audio files, laptops, wi-fi connections, and phone and smartphone chips.
Types of information that are often targeted in a data breach include:
- Personal information, such as names, postal and email addresses, phone numbers, and Social Security numbers;
- Business records, business assets, confidential information such as trade secrets and related information;
- Bank account records, credit card information, and other financial data;
- Medical health records.
Clearly, data breaches can sometimes result in additional unpleasant issues for victims such as identity theft or a loss of business profits.
Who Can Be Held Liable for a Data Breach?
Responsibility for a data breach is usually classified into two types: external factors and internal factors. External factors for data breaches typically involve:
- Theft by a hacker or a business competitor;
- Corporate espionage;
- Negligence or breach of duty by a data privacy management firm.
Internal factors that may be the cause of data breaches include:
- Faulty internal security measures;
- The negligence of an employee;
- Breach of fiduciary duty on the part of an employee or business partner;
- Failure to keep current with electronic security measures.
Some data breaches may involve both kinds of factors, such as when an employee collaborates with an outside hacker and provides data or passwords.
The issue of who might be held legally liable is more complicated.
Are There Any Legal Remedies for a Data Breach?
There are already many breach notification laws in the United States that require businesses to notify people whose data have been exposed in a breach. For example, all 50 states have data breach reporting laws. They have varying criteria for determining whether a breach has occurred and for the kind of notice to victims that is required.
Most states' laws require a business to comply with the law of a given state if a breach compromises the personal information of a resident of that state. So, one thing a business must do is consider the scope of the data it collects and stores, so that it can determine whether it would have an obligation to notify under the law of any given state.
In addition to notifying the affected individuals, many states compel a business to notify the state attorney general's office and the credit reporting agencies. Whether this requirement applies depends on how many identified individuals in the state received notification of a breach.
Under certain circumstances, a business may have the option of giving substitute general public notice rather than individual notice. Substitute notice usually consists of a notice posted in a prominent place on the business's website and published in the media, for example in print, on television, and on radio.
Substitute notice would be allowed if any of the following is true:
- The business does not have contact information for some of the identifiable individuals;
- The number of identified people is particularly high;
- The cost of individual notifications would be excessive.
In these situations, a business may have the option of giving substitute notice or may even be required to provide substitute notice, either in addition to or instead of individual notices.
Federal laws govern obligations to report data breaches in specific industries, including:
- The Health Insurance Portability and Accountability Act (HIPAA): HIPAA provides notification requirements for a security breach that compromises protected health information held by an entity covered by HIPAA or its business associates;
- The Gramm-Leach-Bliley Act (GLBA): The GLBA requires covered financial institutions to notify customers whose personal information is compromised by a security breach;
- The Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers: This rule, recently issued by the Federal Deposit Insurance Corporation (FDIC), requires FDIC-supervised banking organizations to notify the FDIC within 36 hours of determining that they have suffered a computer security breach that meets certain criteria.
The victim of a data breach who suffers damage that can be compensated could file a lawsuit for negligence against a business that experiences the breach. Every person and business owes its customers, clients and business partners a duty of care, which arguably includes a duty to take reasonable steps to protect sensitive data. If a person or business fails to do at least as much as a reasonable person would do to protect the security of its databases, this could be considered a breach of the duty of care.
In other words, if the person or business should have put better protection in place but failed to do so, this could be considered negligence, and it could result in financial liability.
Another circumstance that might lead to a finding of negligence is if, when a breach occurs, the person or business does not do enough to reduce harm to the people affected. Arguably, a person or business has a duty to take steps to reduce the harm to people whose data is stolen. This duty might include the duty to notify the affected persons promptly, to investigate immediately and to remediate the damage to the extent possible. Again, failure to take steps to reduce the harm could be viewed as negligence giving rise to liability for damages.
Failure to give notice of a data breach as required by state or federal law, as noted above, could be offered as evidence of negligence.
If a party whose data has been exposed in a data breach is able to prove liability for negligence in a court of law, this may lead to various legal consequences. These could include paying an award of money damages to compensate the victim for their economic losses. In many cases, criminal charges may also be brought for hacking and other violations.
Some experts recommend that an entity that maintains a database of personal information or sensitive or confidential business information develop active defenses and a response plan for breaches. For example, it might engage a breach coach who can help it rehearse its breach response, in a manner that maintains confidentiality, of course.
Experts also recommend that an entity with a valuable database have cyber security liability insurance. Cyber security liability insurance could be especially helpful for a business that does any of the following:
- Collects payment information from online sales;
- Maintains a database of sensitive personal information on current, past or prospective customers, clients or patients;
- Stores employee information in digital form, including Social Security numbers and medical information;
- Makes heavy use of technology for daily operations.
A person who is a victim of a data breach and has suffered losses as a result would want to consult an attorney, who would investigate how the breach occurred, who was responsible, and whether negligence on the part of the business itself, either in failing to protect its database or in responding to the breach, caused the person's losses. Other possible legal theories that might serve as the bases for a civil lawsuit are breach of contract and breach of warranty.
Do I Need a Lawyer for Data Breach Legal Issues?
Data breaches can be very serious and can cost a company profits, lost contacts, and a loss of private information. They can also put customers and clients in an unsafe position, such as vulnerability to identity theft and other problems.
You may need to hire a business lawyer in your area if you have any legal issues or conflicts involving a data breach. Your lawyer can provide legal advice and guidance to help you with your claim. Also, if you need to file a lawsuit, your attorney can represent you in a court of law.