Data breaches often lead to civil litigation

by Doug Pollack

Most of us by now have received at least one data breach notification letter that has stated that our personal information was lost or stolen. I received one just a month ago from a brokerage firm that I did business with years ago. Often, with high profile companies or very large breaches, these events can turn into a PR nightmare for the company.

A recently published article titled “Data Breaches Mean More Than Bad Publicity” in the New York Law Journal looks at an associated trend toward civil litigation targeted towards companies that experience a data breach.

“The negligent (or even innocent) loss of electronic data to cybercriminals inflicts billions of dollars of damage on our economy, as personal information has become a sought-after treasure trove for cybercriminals…These costs are likely to escalate as, in an increasing trend, corporations are also being pummeled with civil litigation related to data breaches.”

The authors also note the difficulties inherent with complying with the numerous, different and sometimes conflicting state data breach notification laws.

“Forensic investigations are also critical to guide a corporation through the maze of state data breach notification laws. Such laws will require varying levels of compliance, depending on the nature of the breach and of the entity’s operations. California’s data breach law, which has served as a model for many other states, demands that upon discovering a breach of personal information, a business ’shall disclose any breach of the security of the system’ to any affected persons ‘in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.’ ”

The authors conclude that companies must prepare for lawsuits that may accompany a data breach. But they also note that plaintiffs have a difficult time proving damages in many cases. Companies should be very diligent in managing their data breach response efforts in order to ensure that affected individuals do not suffer real harm.

“While the hurdles for plaintiffs remain high, these lawsuits have become a fact of life in today’s litigious society. Corporations suffering data breaches thus must now routinely face an onslaught of civil litigation in addition to the negative publicity and regulatory scrutiny coming from data breaches and their announcements. “