Data Breach: Who is Liable and How to Protect Yourself

February 15, 2022

As the consumer marketplace becomes more digital, data breaches and security problems are a significant concern for many companies. These breaches not only tarnish a company’s reputation, but they can also be costly and lead to prolonged legal problems. The cost of these data breaches is more than most people realize. For example, recent breaches have cost Desjardins Group over $53 million after the personal information of 2.9 million members was leaked, and Norsk Hydro estimates that its costs after a leak could reach $75 million. In addition, both British Airways and Marriott have spent approximately $100 million after GDPR violations.

While these examples are some of the biggest data breaches to occur, the average cost of a data breach in 2020 was $3.86 million, which is an increase of 10% over the previous five years. Further, the average cost in 2021 jumped to $4.24 million. The large increase can mostly be attributed to changes in the workforce caused by COVID-19. The reality is that many companies were unprepared for this shift.

The costs of a data breach can increase substantially depending on whether there is legal fallout after a security breach. In many instances, there is. For instance, in 2020, the total number of major class action data breach lawsuits was twenty-five, and there were many more individual cases.

Under state and federal privacy laws, legal action, including commercial litigation, can be taken if the following conditions are present after a breach:

  • The company did not implement reasonable security measures or safeguards in compliance with existing statutes or regulations.
  • The company did not mitigate or provide recourse for impacted individuals, such as credit monitoring, after the data breach occurred.
  • The company failed to notify individuals in a timely manner consistent with the state’s data breach laws.

If any of these conditions are met, individuals can bring legal action against the company in the form of a lawsuit. Additionally, the company may be subject to governmental penalties and fines, disaster recovery expenses, investigation expenses, and mitigation expenses for impacted customers or employees. And on top of those expenses, the company often has to spend additional funds to build up brand credibility, which is usually destroyed after a data breach.

Unfortunately, the data holder is liable for all financial expenses related to a data breach. This remains true even if your data is stored on the cloud and the cloud provider is responsible for security failures (except in cases where health and medical information is breached). This is because most cloud provider contracts exclude consequential damages and cap direct damages. Claims for such damages are also generally barred by a standard provision disclaiming all liability for consequential damages. This means that the company is on the hook for all of the expenses. So the bottom line is that companies must know how to protect themselves in this type of digital climate.

How to Protect Your Company

The best way to protect your company from legal expenses related to a data breach is to prevent the breach in the first place or have policies and procedures in place that will ensure the company does not meet any of the conditions that can result in a lawsuit. Activities such as educating employees on vulnerabilities that can lead to a breach and shoring up your security measures may reduce your risk of a breach. Developing a data breach response plan that details how your company will coordinate to notify customers and accept responsibility can also reduce your odds of ending up in the middle of commercial litigation. You can also work with a managed security service provider and purchase cyber liability insurance to protect your company further.

But the reality remains that cybercriminals are smart, and their strategies continue to become more sophisticated. It may be beneficial to secure commercial litigation counsel to review your vendor contracts. This action could also further protect you and ensure your partners are held to the same security standards as you have come to expect. This type of legal expertise can help you identify the actions you would need to take immediately following a data breach to ensure that you follow all applicable laws and regulations. This activity is important since most data breach lawsuits resulting in commercial litigation stem from improper handling of the incident in its aftermath.

To learn more about how you can benefit from legal counsel related to data breaches, contact the Business Litigation experts at Grellas Shah today.