Who is liable for a data breach?
Author: Lucie Kossut
Data breaches have started to occur more frequently, making individuals, businesses, and public institutions concerned about becoming the next target. Although top-level cybersecurity solutions always try to stay a step ahead of potential cyber offenders, the sophistication of hacking methods continuously increases. However, the main issue that concerns those affected by data breaches remains unclear: who is legally responsible for a breach?
Due to the increasing number of data breaches affecting private businesses and public institutions, Congress, regulators, and state governments are putting effort into protecting these entities from future incidents involving unauthorized access. However, at the moment no federal law grants such protection for data breaches affecting the personal information of private individuals. In other words, no strict civil liability is imposed on entities that experience a security breach.
Are There Any Exceptions?
There are two cases in which civil liability may potentially arise. The first one occurs if a company did not take the proper measures to safeguard the personal information that leaked as a consequence of a security breach. In such circumstances, the plaintiff may argue that the company failed to take action that is either required by statute or reasonable under the circumstances to protect his or her data. The second case involves a company that was affected by a breach despite the successful implementation of legally required or reasonable steps that were supposed to prevent any attack. In such circumstances, if the company does not take proper action to remedy the situation or does not increase the effectiveness of its security solutions, it may be held liable for some of the damages.
If the company is held liable, the plaintiff may receive monetary compensation for any economic losses and reimbursement for the out-of-pocket expenses required after the data breach. In rare cases, the plaintiff may also be eligible for additional compensation for the emotional distress resulting from the situation.
Lastly, a data breach that occurred as a result of negligence may result in damage to the reputation of the company that was attacked. In some cases, businesses may also face backlash from government agencies, which could lead to heavy fines and legal action.
To summarize, security breach liability is not strictly imposed on the company that was targeted. Usually there are two scenarios in which the plaintiff may be able to prove that the company should be held liable for the breach due to negligence. If the company is found to be liable, the plaintiff may receive monetary compensation and/or reimbursement for any costs incurred because of the breach.