Can Businesses Be Sued for Data Breaches?

Submitted by Erica Kastner on Thu, 09/ 19/ 19 - 09: 01 AM

Can Businesses Be Sued for Data Breaches?


Cyber security laws are a relatively new legal category that many businesses either are not aware of or struggle to keep up with in terms of compliance. These new laws define the preventative security measures businesses must have in place to consumer rights following a corporate data breach. To help businesses keep up with the ever-changing cyber security regulations landscape, we put together a list of some recent regulations that businesses should aim to comply with if they want to avoid lawsuits and penalties. 

Can businesses be sued for data breaches? Yes, there are certain cases that seem to offer legal precedent for individuals to sue businesses who haven't put the proper protections in place to prevent sensitive customer information from being accessed. For more information, keep reading!


Not a lot of time? Skip to what you need:

Federal Rulings

State-Level Rulings and Regulations

Other Regulations

Uphold the Law so the Law Upholds You

Federal Rulings

Some recent federal rulings surrounding cyber security show where the law is headed with regards to the rights both businesses and consumers have in the event of a cyber-attack.

Can Businesses Be Sued for Data Breaches? v. Stevens


This recent 2018 U.S. Supreme Court ruling shows how even when companies are hacked, they still might end up footing the bill one way or another.

When Zappos' website was hacked, they were sued by a customer named Theresa Stevens, who cited that since her information was stored in Zappos' database before the breach, Zappos was liable for damages.


Unfortunately for Zappos, this case affirmed the right for customers to sue companies when their data is stolen, even if that data is not used for anything sinister.


Mondelez v. Zurich Insurance


Though some companies are turning to cyber insurance as a means of protecting themselves financially in the event of a cyber-attack, the attack on snack food giant Mondelez proves how even cyber security insurance can fall short.

Mondelez tried to get coverage from their cyber security provider Zurich Insurance after a cyber-attack. Since the US government claimed the attack was due to a “cyber war” and was based in Russia, Zurich invoked a “war exclusion clause” and refused to cover Mondelez.


In a negative turn of events for Mondelez, this case affirmed the right for a cyber insurance company to deny coverage for a cyber-attack stemming from a cyber war by invoking a “war exclusion clause”. Mondelez is currently fighting this ruling in court.


Medidata Sols. Inc. v. Fed. Ins. Co.


After Medidata suffered losses from an email phishing campaign, it tried to get coverage from its insurer, Federal Insurance Company. Medidata claimed that its insurance policy with Federal Insurance Company contained a provision covering losses stemming from entry of data or changes to data elements in a computer system.

Federal Insurance Company claimed that it was not required to cover Medidata because the provision only applied to intrusions from hacking.


While other cases such as Interactive Communications Int’l, Inc. v. Great Am. Ins. Co. show that insurance won’t cover a business if the business can’t prove that computer fraud directly impacted it in the form of a loss, this case shows that businesses who can prove they suffered a direct loss from computer fraud are covered by their insurer.

Since Medidata couldn't prove that they suffered direct losses from the phishing campaign, they were therefore not covered by their insurer. 

RELATED: What is Phishing and How are Hackers Using It 


State-Level Rulings and Regulations

Does your business have consumers from states across the country? If so, keep reading, because some states have passed laws pertaining to consumer privacy that you need to know about.

Can Businesses Be Sued for Data Breaches?


Georgia Personal Data Security Act

Although this legislation never passed, it is a good example of the direction cyber security legislation is heading in states across the country.


Differing from previous Georgia law which handed out relatively low punishments to businesses in regard to how they deal with data breaches, this proposed law would considerably ramp up the requirements and subsequent penalties for businesses who are victims of a cyber-attack.

The law would modify when notices of certain security breaches are required and would provide for the contents of such notices.

For instance, if your company was affected by a data breach, you must reach out to the state's residents whose information was affected by the breach and fix your cyber security system no later than 45 days after the discovery of the breach.

Additionally, breach notices would be required to be sent to specific Georgia officials such as the Attorney General and the Governor. 


The Attorney General could impose a civil penalty of no more than $500 for each Georgia resident who did not receive the required notice.

Additionally, the Attorney General could issue an order compelling the business to provide any breach notice required under the legislation, or issue an order to recoup the reasonable costs incurred by the Attorney General's office while pursuing the business.


Recall Total Info. Mgmt., Inc. v. Fed. Ins. Co.


Recall Total Information Management had tapes containing private information that accidentally fell off the back of a company van and were never recovered.

Additionally, there was no proof that the information on those tapes was published. Recall Total Information Management tried to get their insurer, Federal Insurance Company, to cover them for the loss.


The Connecticut Supreme Court affirmed that to be covered by their insurance company in the event of the loss of private information, businesses must have proof that the information was accessed and published by another party.

Since Recall couldn't prove that the tapes were accessed by somebody else or published anywhere, they couldn't get coverage from their insurer. 

Tips for Keeping Up With Cyber Security Regulations

Zurich Am. Ins. v. Sony Corp. of Am.


In March of 2014, the New York Supreme Court determined whether cyber security coverage existed for the PlayStation Network data breach. Although “publication” of confidential information occurred, coverage for Sony did not exist because the publication was carried out by a third-party, rather than the policyholder, in this case Sony. Sony appealed but later settled in 2015.


The New York Supreme Court affirmed that when there has been publication of private information, insurance policies only cover publication by the policyholder, not a third-party such as a hacker.

Since the hackers who breached Sony's system published their private information elsewhere instead of on any Sony-related platforms such as their website or social media accounts, Sony's insurer was granted the right to deny them coverage. 

RELATED: Why Small Businesses are More Prone to Cyber Attacks


California Consumer Privacy Act


The California Consumer Privacy Act, which goes into effect in January 2020, requires that companies be transparent with California consumers on what personal information they use and how it is used/shared.


Companies who do not comply leave themselves open to lawsuits in the case of a data breach. Additionally, California’s Attorney General has the authority to fine companies that don’t follow the new regulations.

For intentional violations, California's Attorney General can bring civil penalties of up to $7500 for each violation. For other violations, the maximum fine is $2500 per violation.

RELATED: Cyber Security Solutions Best Practices for Business


New York’s SHIELD (Stop Hacks and Improve Electronic Data Security) Act


Effective on March 21, 2020, the SHIELD Act will require all businesses who hold private computerized data on any New York residents to maintain certain security standards for that information, such as notifying victims of data breaches, or risk penalties.


Though victims whose information is stolen cannot sue the companies who have been hacked, the Attorney General may take action against businesses who violate the law to obtain civil penalties.

For data breach notification violations that are not reckless or knowing, the court may award damages for actual costs or losses incurred by a person who was entitled to but did not receive a breach notice.

For knowing and reckless data breach notification violations, the court may impose penalties beginning at $5,000 dollars or up to $20 per violation with a cap of $250,000. For data breach safeguard violations, the court may impose penalties of no more than $5,000 per violation.


Nevada Senate Bill 220


Effective as of October 1st of this year, Nevada Senate Bill 220 states that companies with websites or online services that collect certain information from Nevada consumers, such as home addresses, telephone numbers, or social security numbers, must disclose what information they gather and give those consumers an option to opt-out of selling their information.

If a Nevada consumer opts out, then the business cannot sell any of that information. Additionally, businesses with customers in Nevada must provide an online notice disclosing a few key aspects of its data policy, such as the categories of covered information it collects and categories of third parties with whom it shares consumer information.


Consumers affected by the sale of their information cannot take private action such as a lawsuit against said company, but that doesn’t stop the Attorney General from coming after said business. If he/she proves the business violated this act, the district courts can issue an injunction or penalty of no more than $5,000 per violation.

Other Regulations

Though these other rulings might not have been passed in the US or enacted by a court, the following cyber security regulations can have a real impact on your business if they are not followed.

Can Businesses Be Sued for Data Breaches?


Payment Card Industry Data Security Standard


This industry standard was put together by major credit card providers to reduce credit card fraud. If you are a company who processes data from major credit card holders, you must follow this standard and continue to stay up-to-date with regulations.

The image below, taken from the PCI DSS official website, summarizes some of the main requirements. 

Can Businesses Be Sued for Data Breaches?

Since the specifics of these regulations varies based on factors such as the type of business you own, visit this link to see what regulations you should follow based on the type of business you own.

Though the PCI DSS isn’t technically a legal ruling passed by a court system, it still has ramifications if it’s not followed. 


Penalties for non-compliance can include monthly penalties of $5,000-100,000 from your payment processors and credit card companies or in extreme cases, federal audits from the FTC. In the event of a data breach, businesses can be charged $50-90 per cardholder whose information has been endangered.

EU General Data Protection Regulation 


If your business doesn't have any customers within the European Union then you might not need to heed this message. For those that do, listen up.

While the EU GDPR isn't completely new and has been around since 2018, according to the EU’s GDPR website, this regulation applies to “all companies processing the personal data of data subjects residing in the European Union, regardless of the company’s location”.

There are internal record keeping requirements, especially for companies who process a lot of consumer data. In the case of these companies who process a sufficient amount of consumer data, the company should appoint a Data Protection Officer.

Additionally, businesses must make the terms of consent for accessing a consumer’s data short and simple, removing long blocks of text full of legal jargon. In the event of a data breach, the affected company must notify the victim within 72 hours.

Companies must be transparent about freely being able to provide consumers with access to the data that companies are keeping on them, and if the consumer wishes, the company must erase all data on the consumer from their database and stop third party companies from processing his/her data

Finally, data protection measures must be included from the onset of the design of a company instead of as an afterthought.


According to the EU’s GDPR website, non-compliant businesses could face “fines up to 4% of annual global turnover or €20 Million (whichever is greater)". However, this is the maximum fine that can be imposed for the most serious infringements.

There is a tiered approach to fines based on a number of factors such as the size of the business. However, it is important to note that these rules apply to both controllers and processors – meaning ‘clouds’ are not exempt from GDPR enforcement.”

Uphold the Law so the Law Upholds You

While this article doesn't highlight every single cyber security law that affects US businesses, these cases serve as good examples to highlight how even when a business is a victim of a cyber-attack or social engineering scheme, they can end up footing the bill by paying out lawsuits or covering the cost of the attack themselves.

Additionally, these laws and regulations show how states are increasingly passing laws that can punish businesses for non-compliance with new cyber security standards. With variances in cyber security laws on state, federal, and international levels, it is easy to become confused with how to comply with all the changes.

For some easy tips you can follow to stay current with cyber security regulations, click on the image below to download our free infographic.

Businesses cannot afford to avoid reading up on current cyber security laws. When conducting research, they should find common denominator actions from all the regulations that can be used as blanket protection. Businesses can also stay compliant with cyber security regulations by constantly monitoring the news and reviewing their cyber security policies.

Finally, when businesses ensure that they have multiple layers of cyber security in place, they are protected from hackers and also lessen the chance of losing a data breach lawsuit because of few preventative measures that were in place.

RELATED: What Should You Do During a Ransomware Attack? [Tips and Explanations]

If your business is unsure of how strong its cyber security measures are, consider looking into managed IT services.

Managed IT services can both provide your business with robust cyber security measures as well as help you find ways to stay compliant with the ever-changing landscape of cyber security regulations. 

For more cyber security content, follow our blog!

Get Your Questions Answered Now

Posted by Erica Kastner