Can You Sue a Business That Lets Hackers Steal Your Data?

Hackers are very much in the news these days, with the high profile attack on Sony Pictures in connection with The Interview.

While the hackers in that case targeted the movie studio’s internal emails, memos, and even complete digital copies of then-unreleased movies, like Annie, most hack attacks are attempts to acquire personal information – such as credit card numbers – from individual consumers.

Notable Hacks

It seems that hardly a week goes by without news of yet another data breach. In 2014, for example, Forbes magazine reported:

• 40% of companies experienced a data breach.
• “Backoff” malware allowed hackers to steal consumer financial information, including credit card numbers, from point-of-sale terminals.

ZDNet reported on the following major hacks of 2014:

• About 80 million US households, and seven million small-to-medium-sized businesses, were affected by a data breach involving J.P. Morgan Chase.
• Private photos of Hollywood celebrities, including Jennifer Lawrence, were exposed due to a “brute force” hacker attack on iCloud accounts.
• The US Postal Service was attacked, allegedly by China, and the data of more than 800,000 employees was compromised.
• An estimated 110 million customer records were stolen from Target in late 2013 and into 2014.
• More than 145 million eBay users were affected by a data breach that involved email and postal addresses and login credentials.
• A data leak at Home Depot involved 109 million consumer records, including 53 million email addresses and 56 million credit card numbers.
• A data breach at 33 P.F. Chang’s restaurants led to the disclosure of consumer credit and debit card information.

Data Breach Legislation

In response to all of these data breaches, federal and state governments have moved to increase protections for consumers.

As of September, 2014, 47 states, the District of Columbia, Puerto Rico, Guam, and the Virgin Islands have passed laws requiring private or government entities to notify people of security breaches involving personally identifiable information. Alabama, New Mexico, and South Dakota currently lack such laws.

Data Breach Lawsuits

Not surprisingly, consumers who have had their personal data stolen have turned to the courts for redress.

Two former employees of Sony Pictures filed a class-action lawsuit in December charging that the company failed to properly secure sensitive employee information, such as Social Security numbers, birth dates, salary information, and medical information.

Sony reportedly kept important passwords in unencrypted Word documents with names that included the term “passwords.”

Consumer lawsuits based on data breaches rarely succeed, for a variety of reasons. For example, consumers may not be able to prove that they were actually harmed, but merely that they face the potential for harm.

Whether you can maintain a lawsuit for loss of your personal information may depend in part upon where you live, as shown by two Federal Court decisions in December.

In the Northern District of Illinois, a judge granted the defendant’s motion to dismiss a class action lawsuit against P.F. Chang’s. The plaintiffs in that case had made the argument that they’d been harmed by “overpaying” for food and drink at P.F. Chang’s because, they claimed, the cost of dining “implicitly” included a fee for protecting personal information. The judge didn’t buy this argument, in part because cash customers were charged the same as those that used credit and debit cards.

In the District of Minnesota, on the other hand, a judge allowed a putative consumer class action against Target to go forward.

Case Studies: Lawsuits And Data Breaches

Case Study 1: Sony Pictures a Class-Action Lawsuit

In the high-profile case of Sony Pictures, where hackers targeted the movie studio’s internal communication and unreleased movies, two former employees filed a class-action lawsuit. They alleged that Sony failed to secure sensitive employee information, such as Social Security numbers, birth dates, salary information, and medical records.

The lawsuit highlighted the company’s practice of keeping important passwords in unencrypted Word documents, which exposed the data to potential theft.

Case Study 2: P.F. Chang’s vs. Northern District of Illinois

In the Northern District of Illinois, a judge dismissed a class-action lawsuit against P.F. Chang’s. The plaintiffs argued that they had suffered harm by overpaying for food and drink at the restaurant, claiming that the cost of dining implicitly included a fee for protecting personal information.

However, the judge ruled against the plaintiffs, stating that cash customers were charged the same as those who used credit and debit cards, undermining their argument.

Case Study 3: Target: Putative Consumer Class Action

In the District of Minnesota, a judge allowed a putative consumer class action against Target to proceed. The lawsuit stemmed from a data breach that affected millions of customers. The plaintiffs alleged that their personal and financial information had been compromised, leading to potential harm.

Unlike the P.F. Chang’s case, the judge in this instance determined that the lawsuit had merit and could move forward.

If Your Data Has Been Stolen

If your own personal and private data, including your financial information, has been stolen from files maintained by your employer, former employer, or a business you patronize, you may want to consult a consumer protection attorney to determine whether you may have a claim.