Could a Business be Liable for a Data Breach Even if There is No Harm?

Posted by Edward Sharkey on Tue, 05/14/2013 - 04:00

When a company stores its customers’ personally identifiable information (“PII”) in an electronic database, the company has a duty to guard that information with reasonable care. PII can be a name, address, phone number, Social Security number, or other information by which an individual may be identified or contacted. Businesses have been sued when the inadvertent dissemination of customers’ PII has led to identity theft.

In any lawsuit, the plaintiff must prove causation and damages. That is, the data breach must be proven to be the cause of some harm suffered by the plaintiff. Courts have dismissed data breach lawsuits when the plaintiff can allege no more than that identity theft occurred shortly after the data breach. A new case in the 11th Circuit, however, has shown plaintiffs a novel way to pursue data breach lawsuits, even if they cannot prove damages.

In addition to the typical negligence claims, the plaintiffs in the case sued the defendant, a health plan provider, for unjust enrichment, a claim that does not require proof of damages. The theory was that part of the premium customers paid for the health plan covered the cost of securing confidential data. If the company failed to do so, it received payment for a service that it did not deliver: a textbook example of unjust enrichment. The court ruled this was a viable theory of recovery, and it refused to dismiss the case.

The case also cast doubt upon whether the more common negligence claims would continue to be dismissed with regularity in the future. The court held that the plaintiffs’ allegations of a time and sequence connection between the data breach and the identity theft, coupled with allegations that they took “substantial precautions” to guard their PII and that they had never been victimized by identity theft before the data breach, should be enough to survive a motion to dismiss.

In this case, the PII was breached when two laptops belonging to the health plan provider were stolen. More often, data breaches occur as a result of computer hacking. In any event, it is imperative for businesses to take precautions to ensure the safety of customers’ PII. Any breach of confidential data could create a risk of time-consuming and costly litigation.

Our firm monitors the state of the law concerning data breach liability affecting businesses in Maryland, DC, and around the country. If you have a question concerning this or a related matter, please feel free to call.
