When can data breaches get companies sued?

In recent years, many victims of IT security incidents have filed data breach lawsuits. When are companies being held accountable after data is stolen? 

In 2009, Choice Escrow and Land Title LLC of Springfield, MO, suffered a data breach in which hackers stole the company’s online banking ID and password. The cyber criminals then used that information to transfer $440,000 of Choice Escrow’s money to a bank account in Cyprus.

Despite the stolen ID and password, the company blamed BancorpSouth, Inc., of Tupelo, MS, which was the financial institute where the account was held. Choice filed a lawsuit claiming the bank didn’t do enough to prevent the fraudulent transfer.

The company argued that the bank should have offered other types of authentication beyond simple password protection. However, the bank countered that it had recommended Choice use “dual controls” — requiring that two people approve a transfer — which the company declined.

The court ruled in favor of BancorpSouth and threw out the data breach lawsuit, finding that the bank offered enough protection and that it couldn’t be held accountable if a client declined additional protection. In addition, the court found that Choice regularly made wire transfers of over $400,000, with no real pattern to when they were made. Therefore, the bank had no reason to be suspicious of this particular transfer.

Bank lost earlier lawsuit

This ruling comes in contrast to a data breach lawsuit decision from last year, in which the court held a bank responsible for the theft of its client’s money. In that case, the court found the bank didn’t offer enough IT security to prevent fraudulent transfers, relying only on passwords and security questions.

A key argument made by the data breach victim was that the bank failed to use accepted best practices such as multi-factor authentication in its online security.

What it means for companies: When data breaches result in lost funds, you’re often on your own. While the second case shows a court may side with the company, that’s no guarantee.

Bottom line: IT departments need to make sure they’ve got security under control on their end, and that their companies thoroughly investigate the security of banks and other third parties — before they do business with them.

When can victims win a data breach lawsuit?

Unfortunately, companies can also find themselves on the other end of the data breach lawsuit question: If a company suffers a data breach, can the affected individuals sue for damages?

The answer: It depends on what kind of damages the customers, employees or other affected people actually suffer.

Many data breach lawsuits have been filed, but the majority have been thrown out by the courts. In one case, a group of Aetna employees and job applicants tried to sue the company after a database was hacked, exposing those individuals’ Social Security numbers, phone numbers, addresses and employment histories.

One of the affected applicants filed a complaint and asked the court to approve a class action suit. However, the case was thrown out. The employee didn’t suffer any injury as a result of the breach — he was only exposed to “an increased risk” of identity theft, the judge said.

To hold the company liable for a data breach, the court ruled, the employee would have to show he suffered actual financial damage.

However, actual financial damage doesn’t just mean losses due to identity theft. In another case, a suit was filed against grocery chain Hannaford Bros. after 4.2 million credit card numbers were stolen from the company’s computer network.

Originally, Hannaford won the case because while some customers did have fraudulent charges made to their accounts, all of them were reversed by their respective banks.

However, an appeals court later overturned that ruling. The judge ruled that while actual fraud was prevented, many of the customers did suffer financial losses. Some of them paid for credit monitoring services, bought identity theft insurance or were charged by their bank to replace their credit cards. The judge ruled that Hannaford could be liable to cover those expenses and allowed those customers’ claims to move forward.

Handle data breaches the right way

The bottom line: Companies are much less likely to get into legal trouble if data breaches have no adverse impact on the people whose data is stolen.

That means companies need to respond to data breaches quickly and effectively. What’s the best way to respond to a data breach? The Better Business Bureau outlines these steps:

  1. Create a breach notification policy
  2. Train employees to recognize breaches
  3. Gather the facts immediately after a breach
  4. If financial info was taken, notify appropriate financial institutions
  5. Talk to outside counsel, and
  6. Notify affected employees.