Understanding the Swinging Pendulum That is Data Breach Law
In today’s technology-driven economy, organizations of all sizes are exposed to increasingly complex computer security risks. The evolving sophistication of the hacking community only increases the likelihood of a targeted cyber-attack and forces companies to recognize the importance of protecting their valuable data. Additionally, human error accounts for a large percentage of compromised data due to lost laptops, smartphones and/or inadvertent disclosure of sensitive personal and/or corporate confidential information. Companies in all industries face heightened scrutiny in the regulatory realm due to enhanced enforcement by governmental entities. In addition, nearly every state in the country maintains data breach laws requiring timely notification of individuals whose information may have been compromised, as well as adherence to the standards imposed by the Payment Card Industry (PCI) for those companies accepting credit cards. Just one security or privacy failure could lead to intense regulatory scrutiny and costly civil litigation.
We read about data breaches affecting millions of individuals on almost a weekly basis. What is the future of litigation regarding these breaches?
The main hurdles plaintiffs must overcome are standing and damages. Generally, for a case to survive a motion to dismiss, there must be evidence that information was actually exploited or compromised. One example is posting the information of the victims in a public forum. Some plaintiffs’ attorneys try to argue that when customers pay for services, there is an implied promise that the defendant would use some of that money to implement cybersecurity precautions and that, as such, plaintiffs should get a portion of that money back. The courts have been somewhat split on the standing/damages issue but have usually taken a pro-defendant stance. However, the issue remains very fluid.