Can I Sue for a Data Security Breach?
Legal remedies for a New York business victimized by data theft
on July 24, 2019
Updated on February 8, 2021
It seems like every month there is a new report of a data breach at a major company. Individuals and businesses are so accustomed to sharing financial information over the Internet that we rarely stop to think about how data breaches may affect us. Unfortunately, in many cases a data breach is a precursor to identity theft—malicious attackers using your business information to commit fraud.
Even when there is no evidence of actual fraud, the mere fact that a data breach occurred may force you to take additional steps to protect your business, such as canceling a credit card or changing passwords to dozens of online accounts. You are also left wondering if the stolen data is a “ticking time bomb” that will come back to hurt you months or years down the road.
Given the potential financial harm arising from a data breach, are there any legal steps you can take against a company that failed to properly secure your personal information? The answer largely depends on the nature of your pre-existing legal relationship with the company that sustained the breach.
Look at Your Contract
Let's say you hired an outside vendor to handle customer payments on your behalf. The vendor later informs you there was a data breach. The first thing you should do is review the terms of your contract to determine whether the vendor breached the contract, and if so, what remedies the contract specifies.
Keep in mind that courts have been reluctant to fashion broader common-law remedies for data breaches, at least with respect to business victims. For instance, in April 2018 a federal appeals court rejected a data breach lawsuit brought by a group of banks against a grocery store that suffered a theft of more than 2.4 million customer credit and debit card numbers. The court said any relief would need to come through the “contractual remedies” provided by the banks' common credit card networks system.
New York's Data Breach Notification Law
That said, many states, including New York, do have laws on the books to punish companies that fail to make a timely disclosure of a data breach affecting their individual and business customers. Section 899-aa of the New York General Business Law states that any time an unauthorized person acquires access to “computerized personal information,” the entity responsible for securing that data must inform New York state officials “in the most expedient time possible and without unreasonable delay.” The business must also provide written or electronic notice to any New York resident who may be affected by the data breach.
The New York Attorney General's office is charged with enforcing Section 899-aa. In some cases, it has sued to obtain financial compensation on behalf of consumers impacted by a data breach. In November 2017, the AG announced that Hilton agreed to pay $700,000 after the hotel admitted it waited more than nine months to disclose a data breach that affected nearly 400,000 customer credit card numbers.
For more information on this area, see our business litigation overview.