In December 2017, victims on the West Coast filed two class-action lawsuits in the wake of a data breach that affected over 120 million people.
The marketing company had bought personal information, such as phone numbers, mortgages, income, addresses, and number of children, from Equifax, which suffered its own major security breach in 2017. In October, a cyber-security company found much of this information parked on an Amazon Web Services cloud server. The lawsuits allege that Alteryx was negligent both in its handling of the data and in the manner in which it hid the breach from its customers.
A company spokesperson claimed that the stolen data “does not pose a risk of identity theft to any consumers.”
Data Breach Statistics
Since 2005, hackers have exposed well over a billion records. Furthermore, the number of attacks skyrocketed 40 percent in 2016, and experts predict that the number will continue to increase. Many cyber-thieves target medical and commercial businesses, because such records usually contain Social Security numbers, credit card information, and other data that can be sold very quickly for a large amount of money.
Other industries are at risk as well, because many cyber-criminals are not after money. Some want to embarrass a particular organization, some want to prove that an organization is vulnerable to cyberattack, and some want to simply prove to themselves that they have the required skill set.
So, at one time or another and for one reason or another, sensitive personal information will probably fall into the wrong hands. What legal options do victims have at this point?
Liability Issues in Data Breach Cases
Any entity with medical information, as well as certain kinds of non-medical information, has a duty to protect such data under the Health Insurance Portability and Accountability Act. HIPAA contains both data storage security requirements and notification requirements. Companies often overlook one or both of these mandates. For example, a company may fail to separate HIPAA-protected information from other, non-protected information, and if hackers break into the system, company leaders may try to hide the breach instead of reporting it promptly.
Violating HIPAA privacy laws often leads to stiff punishments in criminal court, and it often constitutes negligence per se, or negligence as a matter of law, in civil court.
Lawyers, such as personal injury lawyers, and many other professionals have an ethical duty to protect the information that their clients provide. If the professional’s conduct falls short of the ethical standard, it is usually easy for the jury to find a breach of duty and therefore hold the defendant liable for damages. After all, negligence is essentially a lack of ordinary care.
Plaintiffs must also establish actual damages in data breach lawsuits, and most courts have held that unauthorized release alone does not constitute damages. There must also be evidence of pecuniary loss, such as a thief's use of a stolen credit card or the need for additional identity theft insurance.