A data breach is a specific event in which secure or confidential information is released without authorization to an environment that is not secure. In many cases, this involves either an intentional theft of the information in the database of some entity, usually a business, or an accidental leak of sensitive information due to an error.
Data breaches often involve electronic means of communication and data storage, such as hard drives, digital video or audio files, laptops, wi-fi connections, and phone and smartphone chips.
Types of information that are often targeted in a data breach include:
- Personal information, such as names, addresses, including email addresses, phone numbers, and social security numbers
- Business records, business assets, confidential information such as trade secrets and related information
- Bank account records, credit card information, and other financial data
- Medical health records
Clearly, data breaches can sometimes result in additional unpleasant issues for victims such as identity theft or a loss of business profits.
What Are Some Examples of Data Breaches?
In the United States, most states are actively enforcing new privacy laws, with updates occurring as technology evolves. There is stricter scrutiny of companies and a higher risk of litigation over data practices and data breaches. Examples of data breach-related issues may include, but are not limited to:
- Remote/Hybrid Work Vulnerabilities: The remote/hybrid work model can create risks related to unsecured devices as well as unapproved applications, requiring company-wide protection training.
- End of Third-Party Cookies: There is a move toward eliminating tracking cookies, which will force marketers to rely on privacy-safe solutions and first-party data.
- AI and Data Privacy: Because AI models are trained on datasets, there are concerns related to automated profiling, user content, and data scraping, especially with large language models, and social media platforms.
- Children’s Privacy Protection: There are laws being enacted around the world requiring companies to verify parental consent and avoid tracking children who are under the age of 13.
- Consent Fatigue and Transparency: There is a push towards universal opt-out mechanisms as well as more transparent and straightforward data collection practices, as users are tired of or are ignoring cookie banners.
- Biometric Data Security: Biometric identification methods, such as fingerprints and facial recognition, are being scrutinized by regulators and courts.
- Data Broker Scrutiny: Data brokers are being targeted by regulators based on how they collect, purchase, and sell consumer data, especially when they do not have explicit consent.
Actionable Trends for Businesses
- Data Mapping: Businesses should be aware of the data that they possess, where that data is stored, and what parties the data is shared with.
- Consent Management: Businesses should implement reliable mechanisms to track user consent in order to meet any legal requirements.
- Privacy by Design: It is important for companies to embed privacy into products that involve AI from the start.
- Proactive Compliance: Regular auditing and scanning for vulnerabilities will help a business avoid compliance breaches.
Because the potential examples of and issues related to data breaches will continue to evolve along with technology and the laws that apply to them, it is always important to consult with a local lawyer to find out the most up-to-date rules and requirements. These types of laws can also change when there are changes in presidential administrations, so seeking legal advice is very important.
Who Can Be Held Liable for a Data Breach?
Responsibility for a data breach is usually classified into two different types: external factors and internal factors. External factors for data breaches typically involve:
- Theft by a hacker or a business competitor
- Corporate espionage
- Negligence or breach of duty by a data privacy management firm
Internal factors that may be the cause of data breaches include:
- Faulty internal security measures
- The negligence of an employee
- Breach of fiduciary duty on the part of an employee or business partner
- Failure to keep current with electronic security measures
Some data breaches may involve both kinds of factors, such as when an employee collaborates with an outside hacker and provides data or passwords. The issue of who might be held legally liable is more complicated.
Are There Any Legal Remedies for a Data Breach?
There are already many breach notification laws in the United States that require businesses to notify people whose data have been exposed in a breach. For example, all 50 states have data breach reporting laws. They have varying criteria for determining whether a breach has occurred and for the kind of notice to victims that is required.
Data Breach Reporting and Notification
Most states' laws require businesses to comply with the law of a given state if any breach compromises the personal information of a resident of that state. So, one thing a business must do is consider the scope of the data it collects and stores. It needs to be able to determine whether it would have obligations to notify under the law of any given state.
In addition to notifying the affected individuals, many states compel a business to notify the state Attorney General's office and the credit reporting agencies. The requirement depends on how many identified individuals in the state received notification of a breach.
Under certain circumstances, a business may have the option of giving substitute general public notice rather than individual notice. In most cases, substitute notice is a notice in a prominent place on the website of the business, published in the media as well, for example, in print, on television, and on radio.
Substitute notice would be allowed if any of the following is true:
- The business does not have contact information for some of the identifiable individuals
- The number of identified people is particularly high
- The cost of individual notifications would be excessive
In these situations, a business may have the option of giving substitute notice or may even be required to provide substitute notice, either in addition to or instead of individual notices.
Data Breach Reporting for Specific Industries
Federal laws govern obligations to report data breaches in specific industries, including:
- The Health Insurance Portability and Accountability Act (HIPAA): HIPAA provides notification requirements for a security breach that compromises protected health information held by an entity covered by HIPAA or its business associates.
- The Gramm-Leach-Bliley Act (GLBA): The GLBA requires covered financial institutions to notify customers whose personal information is compromised by a security breach.
- The Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers: This rule, recently issued by the Federal Deposit Insurance Corporation (FDIC), requires FDIC-supervised banking organizations to notify the FDIC within 36 hours of determining that they have suffered a computer security breach that meets certain criteria.
What Can I Do if I Am a Victim of a Data Breach?
The victim of a data breach who suffers damage that can be compensated could file a lawsuit for negligence against a business that experiences the breach. Every person and business owes its customers, clients and business partners a duty of care, which arguably includes a duty to take reasonable steps to protect sensitive data.
If a person or business fails to do at least as much as a reasonable person would do to protect the security of its databases, this could be considered a breach of the duty of care. In other words, if the person or business should have put better protection in place but failed to do so, this could be considered negligence, and it could result in financial liability.
Another circumstance that might lead to a finding of negligence is if, when a breach occurs, the person or business does not do enough to reduce harm to the people affected. Arguably, a person or business has a duty to take steps to reduce the harm to people whose data is stolen.
This duty might include the duty to notify the person promptly, to investigate immediately and to remediate the damage to the extent possible. Again, failure to take steps to reduce the harm could be viewed as negligence giving rise to liability for damages.
Failure to give notice of a data breach as required by state or federal law, as noted above, could be offered as evidence of negligence.
If a party whose data has been exposed in a data breach is able to prove liability for negligence in a court of law, this may lead to various legal consequences. These could include paying an award of money damages to compensate the victim for their economic losses. In many cases, criminal charges may also be brought for hacking and other violations.
A person who is a victim of a data breach and has suffered losses as a result would want to consult an attorney, who would investigate how the breach occurred, who was responsible, and whether negligence on the part of the business itself, either in failing to protect its database or in responding to the breach, caused the person's losses.
Other possible legal theories that might serve as the bases for a civil lawsuit are breach of contract and breach of warranty.
What Can a Business Do To Protect Itself From Data Breach Issues?
Some experts recommend that an entity that maintains a database of personal information or sensitive or confidential business information develop active defenses and a response plan for breaches. For example, they might want to have a breach coach who can practice their breach response, doing so in a manner that maintains its confidentiality, of course.
Experts also recommend that an entity with a valuable database have cyber security liability insurance. Cyber security liability insurance could be especially helpful for a business that does any of the following:
- Collects payment information from online sales
- Maintains a database of sensitive personal information on current, past or prospective customers, clients or patients
- Stores employee information in digital form, including Social Security numbers and medical information
- Makes heavy use of technology for daily operations
Do I Need a Lawyer for Data Breach Legal Issues?
Data breaches can be very serious and can cost a company profits, contacts, and private information. They can also put customers and clients in an unsafe position, such as vulnerability to identity theft and other problems.
You may need to hire a business lawyer in your area if you have any legal issues or conflicts involving a data breach. Your lawyer can provide legal advice and guidance to help you with your claim. Also, if you need to file a lawsuit, your attorney can represent you in a court of law.