Protecting Your Company from Cybersecurity Litigation

Updated: Jan 2, 2022

Though hacking has made headlines for years (search, Dropbox, Evernote, Target, Apple, Home Depot, Ashley Madison, LinkedIn, etc.), it rarely affected our day-to-day lives. Then came reports of the 2016 hack of the Democratic National Committee, which possibly shifted the outcome of a presidential election and underlined the very real implications of inadequate cybersecurity. In its recent article Policy Ideas for a New Presidency, the Center for Long-Term Cybersecurity notes that cybersecurity "needs to be thought of as an existential risk to core American interests and values, rising close to the level of major armed conflict and climate change."

The increase in connectivity across all industries has drastically increased the potential for data breaches. Post data-breach consumer lawsuits, which typically assert breach of contract or negligence theories, are on the rise. Shareholder lawsuits, which typically assert claims for breach of fiduciary duty due to lack of adequate data security measures, are seeing some success. Investigations by government agencies — including the FTC, FCC, and SEC — are now common. Finally — while it's rare — some companies have faced criminal charges for egregious security lapses.

The damages available to plaintiffs in cybersecurity litigation depend on the nature of the company's business and the types of personal information the company possesses. Proving causation between the breach and actual harm is more difficult than it appears because it may be unknown how or whether customer information is actually used. Companies have successfully argued that there was no identifiable harm caused by the intrusion. However, some courts have allowed cases to proceed on a lower evidentiary burden of "substantial risk of future injury."

If a lawsuit or investigation results from a data breach, your company's internal policies and procedures will be thoroughly scrutinized. Although having acted with commercial reasonableness and in accordance with industry standards will not prevent litigation, it will assist with a more favorable resolution.

This article was originally published in Today's General Counsel, V14 N3, on June 1, 2017, and continues in full at the link listed.
