A couple weeks ago someone asked me what “area of law” is currently a big litigation area in civil law. My immediate response was data breach / data privacy. And within a couple days we all learned that Equifax had suffered a data breach and hackers had accessed up to 143 million customer account details, including names, Social Security numbers, driver licenses, and credit card numbers. Just take a look at the Identity Theft Resource Center’s website and you’ll see that data breaches are growing rapidly year in and year out. Just take a look at the list put out by WIRED of data breaches in 2017 and you’ll see names like Verizon and Chipotle. And, as the Equifax breach shows, no company appears safe.
Data breaches, like the Equifax breach, create numerous legal issues that produce a fair amount of litigation. First, if the hackers can be tracked down, you have companies suing the hackers. Second, you have class actions by the customers or consumers whose information was taken against the companies who were hacked. Those typical class-action lawsuits involve questions such as, what policies did the company have in place to prevent the hack and to detect the hack, did the company follow those policies, and how quickly did the company act upon learning of the hack. From what we know regarding the Equifax breach, the breached lasted for two and a half months and Equifax was aware of the potential breach point before it was hacked. So Equifax will be litigating whether its policies and actions were “reasonable” in light of industry standards and what it knew and when. Third, you may have a litigation fight between Equifax and its insurers if Equifax believes its insurance covered data breaches resulting from negligence. There the insurers will argue that language does not cover the breach while Equifax will argue the language does cover the breaches.