Can I Sue for a Data Security Breach?
Legal remedies for a New York business victimized by data theft
on July 2, 2018
Updated on June 27, 2022
It seems like every month there is a new report of a data breach by hackers at a major company. Individuals and businesses are so accustomed to sharing financial information over the Internet that we rarely stop to think about how data breaches may affect us. Unfortunately, in many cases a data breach is a precursor to identity theft—malicious attackers using your business information to commit fraud.
Even when there is no evidence of actual fraud, the mere fact that a data breach occurred may force you to take additional steps to protect your small business and personal data, such as canceling a credit card or changing passwords to dozens of online bank accounts. You are also left wondering if the stolen confidential information is a “ticking time bomb” that will come back to hurt you months or years down the road.
Given the potential financial harm arising from a data breach, are there any legal steps you can take against a company that failed to properly secure your personal information? The answer largely depends on the nature of your pre-existing legal relationship with the company that sustained the breach of security.
Look at Your Contract
Let’s say you hired an outside vendor to handle customer payments on your behalf. The vendor later informs you there was a data breach of sensitive information. The first thing you should do is review the terms of your contract to determine if there was a breach, and if so what remedies are specified.
Keep in mind that courts have been reluctant to fashion broader common-law remedies for data breaches, at least with respect to business victims. For instance, in April 2018 a federal appeals court rejected a data breach lawsuit brought by a group of banks against a grocery store that suffered a theft of more than 2.4 million customer credit and debit card numbers. The court said any relief would need to come through the “contractual remedies” provided by the banks’ common credit card networks system.
New York’s Data Breach Notification Law
That said, many states, including New York, do have laws on the books to punish companies that fail to make a timely disclosure of a data breach affecting their individual and business customers. Section 899-aa of the New York General Business Law states that any time an unauthorized person acquires access to “computerized personal private information,” the entity responsible for securing that data must inform New York state officials “in the most expedient time possible and without unreasonable delay.” The business must also provide written or electronic notice to any New York resident who may be affected by the data breach.
The New York Attorney General’s office is charged with enforcing Section 899-aa. In some cases, it has sued to obtain financial compensation on behalf of consumers impacted by a data breach. In November 2017, the AG announced that Hilton agreed to pay $700,000 after the hotel admitted it waited more than nine months to disclose a data breach that affected nearly 400,000 customer credit card numbers.
If you are the victim of a data breach, you should contact a law firm or New York attorney for legal advice. A lawyer can take legal action and explain privacy laws and cybersecurity contracts.
For more information on this area, see our business litigation overview.