Can I Sue for a Data Security Breach?
Legal options for businesses victimized by data theft
By S.M. Oliva | Reviewed by Canaan Suitt, J.D. | Last updated on August 21, 2023
It seems like every month there is a new report of a data breach by hackers at a major company.

Individuals and businesses are so accustomed to sharing personal and financial information over the Internet that we rarely stop to think about how data breaches may affect us.
Unfortunately, in many cases, a data breach is a precursor to identity theft—malicious attackers using your business or customer information to commit fraud.
What are Your Options Following a Data Breach?
Even when there is no evidence of actual fraud, the mere fact that a data breach occurred may force you to take additional security measures to protect your small business and personal data. You may need to cancel payment cards or change passwords to dozens of online bank accounts.
You are also left wondering if the stolen confidential information—account numbers, social security numbers—is a “ticking time bomb” that will come back to hurt you months or years down the road.
Given the potential financial harm arising from a data breach, are there any legal steps you can take against a company that failed to properly secure your personal information? The answer largely depends on the nature of your pre-existing legal relationship with the company that sustained the breach of security.
Look at Your Business Contract for Potential Legal Remedies
Let’s say you hired an outside vendor to handle customer payments on your behalf. The vendor later informs you there was a data breach of sensitive information. The first thing you should do is review the terms of your contract to determine if there was a breach—and, if so, what remedies are specified.
Keep in mind that courts have been reluctant to fashion broader common-law remedies for data breaches, at least with respect to business victims.
For instance, in April 2018, a federal appeals court rejected a data breach lawsuit brought by a group of banks against a grocery store that suffered a theft of more than 2.4 million customer credit and debit card numbers. The court said any relief would need to come through the “contractual remedies” provided by the banks’ common credit card networks system.
State Laws Require Timely Data Breach Notification
That said, all states have laws on the books that punish companies that fail to make timely disclosures of data breaches that affect their individual and business customers.
For example, under Section 899-aa of New York’s General Business Law, anytime an unauthorized person acquires access to “computerized personal private information,” the entity responsible for securing that data must inform New York state officials “in the most expedient time possible and without unreasonable delay.”
The business must also provide written or electronic notice to any New York resident that may be affected by the data breach.
The Attorney General’s office is charged with enforcing Section 899-aa. In some cases, it has sued to obtain financial compensation on behalf of consumers impacted by a data breach. In November 2017, the AG announced that Hilton agreed to pay $700,000 after the hotel admitted it waited more than nine months to disclose a data breach that affected nearly 400,000 customer credit card numbers.
Get Legal Advice from an Experienced Data Privacy Lawyer
If you are the victim of a data breach, you should contact an attorney or law firm specializing in data protection for legal advice. A lawyer can advise you on your options for legal action and explain your state’s privacy laws and cybersecurity contracts.
For more information on this area, see our overview of technology transactions and related legal content regarding cyberattacks and data privacy.