A couple weeks ago someone asked me what “area of law” is currently a big litigation area in civil law. My immediate response was data breach / data privacy. And within a couple days we all learned that Equifax had suffered a data breach and hackers had accessed up to 143 million customer account details, including names, Social Security numbers, driver licenses, and credit card numbers. Just take a look at the Identity Theft Resource Center’s website and you’ll see that data breaches are growing rapidly year in and year out. Just take a look at the list put out by WIRED of data breaches in 2017 and you’ll see names like Verizon and Chipotle. And, as the Equifax breach shows, no company appears safe.
Data breaches, like the Equifax breach, create numerous legal issues that produce a fair amount of litigation. First, if the hackers can be tracked down, you have companies suing the hackers. Second, you have class actions by the customers or consumers whose information was taken against the companies who were hacked. Those typical class-action lawsuits involve questions such as, what policies did the company have in place to prevent the hack and to detect the hack, did the company follow those policies, and how quickly did the company act upon learning of the hack. From what we know regarding the Equifax breach, the breached lasted for two and a half months and Equifax was aware of the potential breach point before it was hacked. So Equifax will be litigating whether its policies and actions were “reasonable” in light of industry standards and what it knew and when. Third, you may have a litigation fight between Equifax and its insurers if Equifax believes its insurance covered data breaches resulting from negligence. There the insurers will argue that language does not cover the breach while Equifax will argue the language does cover the breaches.
Fourth, as a publically traded company, Equifax and its top executives and board could have to defend against shareholder suits in which shareholders may allege breach of fiduciary duties for failure to take action or put policies in place to prevent or further limit the data breach. Fifth, banks and other financial institutions may sue Equifax for “damages” they suffered resulting from the breach, such as having to put holds on consumer credit cards, issuing new credit cards, and having to reimburse customers for fraudulent purchases. Overall, Equifax will have lots of civil litigation ahead of it.
In addition to litigation, lawyers are needed to help other companies create and implement data privacy policies that can avoid breaches like that suffered by Equifax. Simply put, once a breach happens, other companies are on notice to take steps to make sure they have reasonable policies in place to prevent similar breaches. This creates additional legal work as lawyers decide what is sufficient to qualify as “reasonable” so that a company’s policy is sufficient to protect against being considered negligent if a data breach does occur.
In the end, a data breach appears to mean that a parade of lawyers will be coming to address the many legal issues arising from the breach.