The legal ramifications of a cyber-attack or data breach are important for companies to understand. Insurance can attempt to cover costs associated with a breach, but arguably, the best offense is a good defense. Companies need to invest in their own cybersecurity programs, proactive management of risks, and appropriate controls to mitigate those risks.
In this article I’ll share some insight on the unique legal environment of cybersecurity breach litigation. As an attorney and cybersecurity consultant, I’ll try not to lose you in the weeds of legalese. My goal is to help you formulate the right risk posture and encourage readiness within your company to appropriately manage your cyber risk.
Let’s jump in—
Circuit courts are divided when it comes to a litigant’s right to sue for data breach. This disjointed treatment leaves much to be desired and ultimately puts businesses in the dark when it comes to fully understanding the potential surface area of their cybersecurity risk liability.
The problem I’m going to address is legal standing in cybersecurity breach litigation.
A necessary explanation before we go any further:
Legal “standing” is the right under Article III of the U.S. Constitution to seek legal remedy. To have “standing” you generally need to demonstrate that (1) an injury occurred, (2) the injury is directly connected to the defendant, and (3) there is a likelihood of redress if given a favorable court decision.
Let’s break that down a little
“[…] the question of standing is whether the litigant is entitled to have the court decide the merits of the dispute or of particular issues.” Warth v. Seldin, 422 U.S. 490 (1975).
As an example: If Tom Brady (in a celebratory gesture) throws his seventh Super Bowl trophy off the deck of his yacht and it hits your boat, you have: (1) an injury (damaged boat); (2) a direct connection to the defendant (Tom Brady throwing his trophy); and (3) likelihood of redress (the court can require Tom to pay the amount it would take to remedy your injury). In this scenario you have standing to sue Tom Brady for negligence.
Here’s a rehashing of the same hypothetical: If Tom Brady (in a celebratory gesture) throws his seventh Super Bowl trophy off the deck of his yacht and it misses your boat, you do not have standing to sue Tom Brady for negligence.
Essentially, without an injury, there is no standing. The mere potential that an injury could occur is not enough. It seems pretty cut and dried—right?
Things get muddier with cybersecurity breach litigation
The courts are split when it comes to what satisfies the standing requirement for cybersecurity breach litigation. Their split hinges on whether the potential of a future harm is enough.
Specifically, the Sixth, Seventh, Ninth, and D.C. Circuit courts have found that the potential risk of identity theft, without any alleged misuse of data, satisfies Article III standing requirements. In Galaria v. Nationwide Mutual Insurance Co., the Sixth Circuit reasoned that “Where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for […] fraudulent purposes […].”
To relate these Circuit court decisions to our Tom Brady hypothetical, let’s slow time way down. A data breach is Tom throwing the trophy. When the trophy is hanging in the air (potentially injurious)—we don’t know where it will land—we just know that at some point it will land. Will it damage your boat? Will it land in the water? We don’t know. What we do know is there is a significantly greater chance that Tom Brady’s trophy will damage your boat than if he had never thrown it in the first place. These Circuit courts recognize the potential of future injury as being sufficient to satisfy Article III standing requirements in cybersecurity breach litigation.
The Third, Fourth, Eighth, and most recently the Eleventh Circuit courts have found the opposite to be true, holding that the potentiality of future identity theft (injury) is too speculative to meet Article III requirements.
Oddly enough, the split Circuits’ opposite outcomes both cite the same case for precedent—Clapper v. Amnesty International—in which the Court held that in order to establish Article III standing, a future injury must be “certainly impending,” not merely speculative.
It sure would be nice if the Supreme Court would chime in here and offer some clarity.
What this means for your business
To put it bluntly, you need robust cybersecurity practices in place. We don’t know what the Supreme Court will decide, but a good bet is to err on the side of caution.
The robustness of your cybersecurity controls is ultimately a business decision, but without a unifying interpretation of case law, the potential for breach litigation is enormous. Depending on the circuit, your clients, customers, employees, and partners might not need to show they were harmed by your breach at all—just that your company was the proximate cause of the breach.
All is not lost, folks! Being cyber-secure is a difficult, but not insurmountable task. Like all difficult things, having a great team beside you makes it so much easier. I’d put another football reference in here, but I’ve exhausted my football knowledge. You caught me.
Here are some things to consider:
How do you navigate cybersecurity issues without a senior security leader? We offer fractional CISO services and will help you build or improve your cybersecurity programs.
How are you currently determining what investments and controls to put in place? We’ve done this for clients of all shapes and sizes, from small businesses to non-profits to Fortune 200 companies.
Questions surrounding legal, IT, privacy, and cybersecurity don’t have to be as daunting and confusing as they may appear. We can help you focus your efforts to maximize impact and reduce risk in a tailored, efficient, and effective way. Contact firstname.lastname@example.org for information about how we can help with our expert team of cybersecurity and privacy professionals.
About the Author
Alyssa Rogers is an attorney and cybersecurity consultant with experience in cybersecurity policy drafting, awareness campaign design and creation, privacy, third party risk management, and regulatory framework compliance. She has a Master’s degree in Cybersecurity Risk Management from Indiana University Bloomington, and a J.D. from Indiana University Maurer School of Law.