Liability Risks of High-Profile Security Breaches

When high-profile security breaches cause the loss of consumer personal information, lawsuits frequently follow. In fact, in the Sony PlayStation security breach, lawyers filed a class action against the company nine days after the breach occurred. If your company holds consumer personal information, a class action against your company is a significant risk if a data breach occurs.

Plaintiffs have asserted a number of claims against companies that have experienced data breaches. First, they frequently assert negligence claims against the defendant companies. Typically, plaintiffs claim the company had a duty to protect the security of personal information, the company failed to exercise reasonable care to protect that information, a breach occurred as a result, and the breach caused the plaintiffs damage.

Second, plaintiffs may assert a breach of contract claim against the company hit by the breach. They may point to express promises of security or claim an implied contractual duty to protect information. They then contend that the compromise in security constituted a breach of the contract between the company experiencing the breach and its consumer customers.

Finally, plaintiffs may assert statutory claims against the company based on laws against unfair and deceptive trade practices or laws against false advertising. They may contend that inadequate security is an unfair trade practice, misleads consumers (perhaps because of advertised assurances of security), or is illegal under data security laws. The violations may entitle consumers impacted by the breach to a refund of their payments to the company. In addition, the FTC may bring an enforcement action against a company experiencing a breach for these same reasons.

Companies may also face information security liability for alleged privacy violations or for failing to supervise their employees. If companies roll out products or services that allegedly violate consumer privacy by accessing consumers' applications or devices without permission, they may be sued for violating cybercrime laws. In addition, if rogue employees within companies gain unauthorized access to competitors' computer systems to uncover business intelligence, the companies may face cybercrime claims based on unauthorized access.
