Fighting the Cyber Bully: A Company’s Legal Obligation
Data breaches have become increasingly common within the last decade. Most of these intrusions have drawn a great deal of consumer scrutiny and could affect a company's future business prospects. These breaches have hit some major corporate enterprises, and it is important for companies to consider their legal obligations from a cybersecurity and data breach perspective. Take, for example, the data breaches and compromises listed below:
- In 2007 TJ Maxx was subject to an intrusion where 94 million records were compromised;
- In 2010, the Sony PlayStation Network suffered an intrusion where 77 million records were compromised;
- In 2013, Target was subject to an intrusion where 70 million records were compromised; and
- In 2014, JP Morgan Chase fell victim to an intrusion where 76 million records were compromised.
Unfortunately, although these corporations are clearly the victims of serious crimes, these breaches have pushed the onus onto businesses to develop security measures that protect consumer information. Failing to develop such safeguards can ultimately lead to widespread public distrust or, in certain circumstances, even litigation.
After Target's 2013 data breach, the company faced a class action for failing to protect customer data and ultimately settled for $10 million. Such a suit raises the question: how exactly does a corporate entity become responsible for the nefarious acts of a third party?
Typically, unless the state has adopted legislation placing an affirmative duty on the corporate entity to adopt security measures for the protection of consumer information (please note: Massachusetts, California, Connecticut, Rhode Island, Oregon, Maryland, and Nevada have all passed such legislation), a court will evaluate the failure to adequately protect consumer information under an ordinary negligence standard. A court will, therefore, consider
- whether the corporation owed any particular plaintiff a duty of reasonable cybersecurity care and
- whether that duty of care was breached.
Courts have also been given some guidance by the federal government, which released the 2014 NIST Cybersecurity Framework. President Barack Obama, by executive order, established a set of voluntary "industry and best practices to help organizations manage cybersecurity risks." This framework has ultimately given plaintiffs a way to illustrate that a corporate entity failed to exercise a reasonable standard of care.
Although it may surprise business owners and corporate boards that maintain records of private customer information that the business can be held responsible for intentional intrusions by third parties, it should be noted that legal culpability is not the only issue here: consumer trust is also at stake. The judgment or settlement that the business can face is only a fraction of the damage the entity can experience. As reported by Deloitte in a recent study, "Consumers are very clear in their message to businesses and third-party organisations (sic): the number one issue that would make consumers reconsider using an organisation (sic) is if the organisation (sic) lost their data or failed to keep it safe." The study later reported that many consumers who felt the entity was responsible for the breach refrained from any future business relations with the hacked entity.
Consequently, businesses should be aware of the NIST framework when adopting a security system to guard against potential breaches. Doing so gives the entity its best defense for illustrating that it did not breach any duty of care to its customers. Although such intrusions are illegal, intentional acts, companies must remember that the law has always required a party to take action to prevent reasonably foreseeable acts, and it is difficult to argue that, in the modern age, cyber intrusions are unforeseeable.
Legal disclaimer: The materials available on this post are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this Web site or any of the e-mail links contained within the site do not create an attorney-client relationship between Osprey Security and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.
By Eric Fortineaux, August 8, 2016