Can Businesses Be Sued for Data Breaches?

Submitted by Erica Kastner on Thu, 09/ 19/ 19 - 09: 01 AM

 

Can Businesses Be Sued for Data Breaches?

CYBER SECURITY | 12 MIN READ

Running a business involves so many moving parts that it can become overwhelming to manage business-critical tasks. While main priorities like increasing revenue and improving customer service are top of mind, a consideration that many business owners struggle to keep at the forefront of their minds is the laws that they must comply with. 

More specifically, cyber security laws are a relatively new legal category that many businesses either are not aware of or struggle to keep up with in terms of compliance.

Besides the usual harm that comes from a data breach, such as reputation damage and financial loss, businesses now also have to worry about the penalties they could face for data breaches. 

These new cyber security laws define the terms of subjects ranging from the preventative cyber security measures businesses must have in place to the rights consumers have in the event that a business who has their personal information experiences a data breach.

To help businesses stay on track with the ever-changing cyber security regulations landscape, we put together a list of some recent regulations that businesses should aim to comply with if they want to avoid lawsuits and penalties. 

Not a lot of time? Skip to what you need:

Federal Rulings

State-Level Rulings and Regulations

Other Regulations

Uphold the Law so the Law Upholds You

Federal Rulings

Some recent federal rulings surrounding cyber security show where the law is headed with regards to the rights both businesses and consumers have in the event of a cyber-attack.

Can Businesses Be Sued for Data Breaches?

 

Zappos.com v. Stevens

Backstory

This recent 2018 U.S. Supreme Court ruling shows how even when companies are hacked, they still might end up footing the bill one way or another.

When Zappos' website was hacked, they were sued by a customer named Theresa Stevens, who cited that since her information was stored in Zappos' database before the breach, Zappos was liable for damages.

Outcome

Unfortunately for Zappos, this case affirmed the right for customers to sue companies when their data is stolen, even if that data is not used for anything sinister.

 

Mondelez v. Zurich Insurance

Backstory

Though some companies are turning to cyber security insurance as a means of protecting themselves financially in the event of a cyber-attack, the attack on snack food giant Mondelez proves how even cyber security insurance can fall short.

Mondelez tried to get coverage from their cyber security provider Zurich Insurance after a cyber-attack. Since the US government claimed the attack was due to a “cyber war” and was based in Russia, Zurich invoked a “war exclusion clause” and refused to cover Mondelez.

Outcome

In a negative turn of events for Mondelez, this case affirmed the right for a cyber security insurance company to deny coverage for a cyber-attack stemming from a cyber war by invoking a “war exclusion clause”. Mondelez is currently fighting this ruling in court.

 

Medidata Sols. Inc. v. Fed. Ins. Co.

Backstory

After Medidata suffered losses from an email phishing campaign, it tried to get coverage from its insurer, Federal Insurance Company. Medidata claimed that its insurance policy with Federal Insurance Company contained a provision covering losses stemming from entry of data or changes to data elements in a computer system.

Federal Insurance Company claimed that it was not required to cover Medidata because the provision only applied to intrusions from hacking.

Outcome

While other cases such as Interactive Communications Int’l, Inc. v. Great Am. Ins. Co. show that insurance won’t cover a business if the business can’t prove that computer fraud directly impacted it in the form of a loss, this case shows that businesses who can prove they suffered a direct loss from computer fraud are covered by their insurer.

Since Medidata couldn't prove that they suffered direct losses from the phishing campaign, they were therefore not covered by their insurer. 

Read More: What is Phishing and How are Hackers Using It 

 

State-Level Rulings and Regulations

Does your business have consumers from states across the country? If so, keep reading, because some states have passed laws pertaining to consumer privacy that you need to know about.

Can Businesses Be Sued for Data Breaches?

 

Georgia Personal Data Security Act

Although this legislation never passed, it is a good example of the direction cyber security legislation is heading in states across the country.

Outcome

Differing from previous Georgia law which handed out relatively low punishments to businesses in regard to how they deal with data breaches, this proposed law would considerably ramp up the requirements and subsequent penalties for businesses who are victims of a cyber-attack.

The law would modify when notices of certain security breaches are required and would provide for the contents of such notices.

For instance, if your company was affected by a data breach, you must reach out to the state's residents whose information was affected by the breach and fix your cyber security system no later than 45 days after the discovery of the breach.

Additionally, breach notices would be required to be sent to specific Georgia officials such as the Attorney General and the Governor. 

Penalties

The Attorney General could impose a civil penalty of no more than $500 for each Georgia resident who did not receive the required notice.

Additionally, the Attorney General could issue an order compelling the business to provide any breach notice required under the legislation, or issue an order to recoup the reasonable costs incurred by the Attorney General's office while pursuing the business.

 

Recall Total Info. Mgmt., Inc. v. Fed. Ins. Co.

Backstory

Recall Total Information Management had tapes containing private information that accidentally fell off the back of a company van and were never recovered.

Additionally, there was no proof that the information on those tapes was published. Recall Total Information Management tried to get their insurer, Federal Insurance Company, to cover them for the loss.

Outcome

The Connecticut Supreme Court affirmed that to be covered by their insurance company in the event of the loss of private information, businesses must have proof that the information was accessed and published by another party.

Since Recall couldn't prove that the tapes were accessed by somebody else or published anywhere, they couldn't get coverage from their insurer. 

 

Zurich Am. Ins. v. Sony Corp. of Am.

Backstory

In March of 2014, the New York Supreme Court determined whether cyber security coverage existed for the PlayStation Network data breach. Although “publication” of confidential information occurred, coverage for Sony did not exist because the publication was carried out by a third-party, rather than the policyholder, in this case Sony. Sony appealed but later settled in 2015.

Outcome

The New York Supreme Court affirmed that when there has been publication of private information, insurance policies only cover publication by the policyholder, not a third-party such as a hacker.

Since the hackers who breached Sony's system published their private information elsewhere instead of on any Sony-related platforms such as their website or social media accounts, Sony's insurer was granted the right to deny them coverage. 

Read More: Why Small Businesses are More Prone to Cyber Attacks

 

California Consumer Privacy Act

Outcome

The California Consumer Privacy Act, which goes into effect in January 2020, requires that companies be transparent with California consumers on what personal information they use and how it is used/shared.

Penalties

Companies who do not comply leave themselves open to lawsuits in the case of a data breach. Additionally, California’s Attorney General has the authority to fine companies that don’t follow the new regulations.

For intentional violations, California's Attorney General can bring civil penalties of up to $7500 for each violation. For other violations, the maximum fine is $2500 per violation.

Read More: Cyber Security Solutions Best Practices for Business

 

New York’s SHIELD (Stop Hacks and Improve Electronic Data Security) Act

Outcome

Effective on March 21, 2020, the SHIELD Act will require all businesses who hold private computerized data on any New York residents to maintain certain security standards for that information, such as notifying victims of data breaches, or risk penalties.

Penalties

Though victims whose information is stolen cannot sue the companies who have been hacked, the Attorney General may take action against businesses who violate the law to obtain civil penalties.

For data breach notification violations that are not reckless or knowing, the court may award damages for actual costs or losses incurred by a person who was entitled to but did not receive a breach notice.

For knowing and reckless data breach notification violations, the court may impose penalties beginning at $5,000 dollars or up to $20 per violation with a cap of $250,000. For data breach safeguard violations, the court may impose penalties of no more than $5,000 per violation.

 

Nevada Senate Bill 220

Outcome

Effective as of October 1st of this year, Nevada Senate Bill 220 states that companies with websites or online services that collect certain information from Nevada consumers, such as home addresses, telephone numbers, or social security numbers, must disclose what information they gather and give those consumers an option to opt-out of selling their information.

If a Nevada consumer opts out, then the business cannot sell any of that information. Additionally, businesses with customers in Nevada must provide an online notice disclosing a few key aspects of its data policy, such as the categories of covered information it collects and categories of third parties with whom it shares consumer information.

Penalties

Consumers affected by the sale of their information cannot take private action such as a lawsuit against said company, but that doesn’t stop the Attorney General from coming after said business. If he/she proves the business violated this act, the district courts can issue an injunction or penalty of no more than $5,000 per violation.

Other Regulations

Though these other rulings might not have been passed in the US or enacted by a court, the following cyber security regulations can have a real impact on your business if they are not followed.

Can Businesses Be Sued for Data Breaches?

 

Payment Card Industry Data Security Standard
(PCI DSS)

Outcome

This industry standard was put together by major credit card providers to reduce credit card fraud. If you are a company who processes data from major credit card holders, you must follow this standard and continue to stay up-to-date with regulations.

The image below, taken from the PCI DSS official website, summarizes some of the main requirements. 

Can Businesses Be Sued for Data Breaches?

Since the specifics of these regulations varies based on factors such as the type of business you own, visit this link to see what regulations you should follow based on the type of business you own.

Though the PCI DSS isn’t technically a legal ruling passed by a court system, it still has ramifications if it’s not followed. 

Penalties

Penalties for non-compliance can include monthly penalties of $5,000-100,000 from your payment processors and credit card companies or in extreme cases, federal audits from the FTC. In the event of a data breach, businesses can be charged $50-90 per cardholder whose information has been endangered.

EU General Data Protection Regulation 

Outcome

If your business doesn't have any customers within the European Union then you might not need to heed this message. For those that do, listen up.

While the EU GDPR isn't completely new and has been around since 2018, according to the EU’s GDPR website, this regulation applies to “all companies processing the personal data of data subjects residing in the European Union, regardless of the company’s location”.

There are internal record keeping requirements, especially for companies who process a lot of consumer data. In the case of these companies who process a sufficient amount of consumer data, the company should appoint a Data Protection Officer.

Additionally, businesses must make the terms of consent for accessing a consumer’s data short and simple, removing long blocks of text full of legal jargon. In the event of a data breach, the affected company must notify the victim within 72 hours.

Companies must be transparent about freely being able to provide consumers with access to the data that companies are keeping on them, and if the consumer wishes, the company must erase all data on the consumer from their database and stop third party companies from processing his/her data

Finally, data protection measures must be included from the onset of the design of a company instead of as an afterthought.

Penalties

According to the EU’s GDPR website, non-compliant businesses could face “fines up to 4% of annual global turnover or €20 Million (whichever is greater)". However, this is the maximum fine that can be imposed for the most serious infringements.

There is a tiered approach to fines based on a number of factors such as the size of the business. However, it is important to note that these rules apply to both controllers and processors – meaning ‘clouds’ are not exempt from GDPR enforcement.”

Uphold the Law so the Law Upholds You

While this article doesn't highlight every single cyber security law that affects US businesses, these cases serve as good examples to highlight how even when a business is a victim of a cyber-attack or social engineering scheme, they can end up footing the bill by paying out lawsuits or covering the cost of the attack themselves.

Additionally, these laws and regulations show how states are increasingly passing laws that can punish businesses for non-compliance with new cyber security standards. With variances in cyber security laws on state, federal, and international levels, it is easy to become confused with how to comply with all the changes.

For some easy tips you can follow to stay current with cyber security regulations, click on the image below to download our free infographic.

Tips for Keeping Up With Cyber Security Regulations

Businesses cannot afford to avoid reading up on current cyber security laws. When conducting research, they should find common denominator actions from all the regulations that can be used as blanket protection. Businesses can also stay compliant with cyber security regulations by constantly monitoring the news and reviewing their cyber security policies.

Finally, when businesses ensure that they have multiple layers of cyber security in place, they are protected from hackers and also lessen the chance of losing a data breach lawsuit because of few preventative measures that were in place.

If your business is unsure of how strong its cyber security measures are, consider looking into managed IT services.

Managed IT services can both provide your business with robust cyber security measures as well as help you find ways to stay compliant with the ever-changing landscape of cyber security regulations. 

RELATED: What Should You Do During a Ransomware Attack? [Tips and Explanations]


Subscribe To Our Blog

Posted by Erica Kastner


LinkedIn