The raft of enterprise data breaches over the past few years has prompted rapid evolution in InfoSec technology and enterprise security philosophy, and has amplified the strategic importance of cybersecurity among corporate leadership. All good stuff.
But every silver lining has a cloud, and since we live in the most litigious nation on the planet, it should surprise no one that the legal community smells blood in the water. Given this reality, I thought it might make sense to explore the data breach litigation landscape a bit. In this blog, we start with a discussion of consumer litigation, that is, the average Joe/Jane whose credit card was stolen, and how they might avail themselves of the justice system.
Researching the topic, I came across an exceptional legal white paper that is, essentially, a chapter from “Privacy and Surveillance Legal Issues,” a book published by Aspatore[1]. The chapter/white paper – Private Data Security Breach Litigation in the United States (Douglas H. Meal, Partner, with David T. Cohen, Associate, Ropes & Gray LLP) – was published in the book in 2014, so it was likely written some time before that.
The paper details the difficulty data breach plaintiffs have satisfying the legal criteria needed to successfully prosecute claims against the breached company. Two legal hurdles, according to the white paper, have been difficult to overcome: 1) proving that the breach was the result of the company’s negligence, and 2) proving that specific damages were incurred as a direct result of the breach. From the paper:
“…plaintiffs frequently struggle to plead and prove that the data security breach resulted from the victim’s [the company experiencing the breach] breach of its legal obligations, as opposed to an unfortunate perpetration of computer crime by third parties, and/or that any breach of legal obligations caused any recoverable injury.”
Although they have generally been unsuccessful, intrepid plaintiffs’ attorneys have mined the depths of their legal creativity in an attempt to find a theory of damages acceptable to the courts. According to the white paper, these have included (quotes below taken directly from the above-referenced paper):
The chapter goes on to detail other legal nuances, including the contractual relationships between consumers and breached companies, and between credit card companies and the banks that issue the cards, as well as the challenges plaintiffs’ attorneys face in certifying breach victims as a legal class. Despite its detail and complexity, the paper’s analysis paints a clear picture of a US court system reluctant to penalize enterprises for data breaches, setting a very high bar for plaintiffs seeking to recover damages.
In Part 2 of this post (coming soon to a theater near you), we’ll discuss how the Ashley-Madison breach and, more importantly, the Federal Trade Commission’s action against Wyndham may be tipping the legal balance away from the breached enterprises as we head toward 2016, adding an increasingly hostile legal landscape to the list of concerns keeping InfoSec professionals and their corporate management awake at night.
[1] I was unable to find a direct link to the white paper/chapter, but it’s readily available via a “Private Data Security Breach Litigation in the United States Douglas H. Meal” Google search.
© 2022 Stealthbits Technologies, Inc.