Can You Sue a Business That Lets Hackers Steal Your Data?
Hackers are very much in the news these days, with the high profile attack on Sony Pictures in connection with The Interview.
While the hackers in that case targeted the movie studio's internal emails, memos, and even complete digital copies of then-unreleased movies, like Annie, most hack attacks are attempts to acquire personal information – such as credit card numbers – from individual consumers.
It seems that hardly a week goes by without news of yet another data breach. In 2014, for example, Forbes magazine reported:
- 40% of companies experienced a data breach.
- "Backoff" malware allowed hackers to steal consumer financial information, including credit card numbers, from point-of-sale terminals.
ZDNet reported on the following major hacks of 2014:
- About 80 million US households, and seven million small-to-medium-sized businesses, were affected by a data breach involving J.P. Morgan Chase.
- Private photos of Hollywood celebrities, including Jennifer Lawrence, were exposed due to a "brute force" hacker attack on iCloud accounts.
- The US Postal Service was attacked, allegedly by China, and the data of more than 800,000 employees was compromised.
- An estimated 110 million customer records were stolen from Target in late 2013 and into 2014.
- More than 145 million eBay users were affected by a data breach that involved email and postal addresses and login credentials.
- A data leak at Home Depot involved 109 million consumer records, including 53 million email addresses and 56 million credit card numbers.
- A data breach at 33 P.F. Chang's restaurants led to the disclosure of consumer credit and debit card information.
Data Breach Legislation
In response to all of these data breaches, federal and state governments have moved to increase protections for consumers.
As of September, 2014, 47 states, the District of Columbia, Puerto Rico, Guam, and the Virgin Islands have passed laws requiring private or government entities to notify people of security breaches involving personally identifiable information. Alabama, New Mexico, and South Dakota currently lack such laws.
Data Breach Lawsuits
Not surprisingly, consumers who have had their personal data stolen have turned to the courts for redress.
Two former employees of Sony Pictures filed a class-action lawsuit in December charging that the company failed to properly secure sensitive employee information, such as Social Security numbers, birth dates, salary information, and medical information.
Sony reportedly kept important passwords in unencrypted Word documents with names that included the term "passwords."
Consumer lawsuits based on data breaches rarely succeed, for a variety of reasons. For example, consumers may not be able to prove that they were actually harmed, but merely that they face the potential for harm.
Whether you can maintain a lawsuit for loss of your personal information may depend in part upon where you live, as shown by two Federal Court decisions in December.
In the Northern District of Illinois, a judge granted the defendant's motion to dismiss a class action lawsuit against P.F. Chang's. The plaintiffs in that case had made the argument that they'd been harmed by "overpaying" for food and drink at P.F. Chang's because, they claimed, the cost of dining "implicitly" included a fee for protecting personal information. The judge didn't buy this argument, in part because cash customers were charged the same as those that used credit and debit cards.
In the District of Minnesota, on the other hand, a judge allowed a putative consumer class action against Target to go forward.
If Your Data Has Been Stolen
If your own personal and private data, including your financial information, has been stolen from files maintained by your employer, former employer, or a business you patronize, you may want to consult a consumer protection attorney to determine whether you may have a claim.