We use the internet every day, but we don't always think about the sheer breadth of information we share with strangers assuming they are taking steps to protect that knowledge. As much as we like to think that businesses are taking all the steps necessary to protect our private information from hackers, and they often are, many times this simply isn't the case. Just recently Yahoo--having already announced in September that they had suffered a breach of over 500 million accounts back in 2014--announced that there was another attack in 2013 that saw over a billion accounts breached and data stolen from them.
Just by the numbers, this is the largest hack announced in history by a wide margin. In fact, Yahoo set the previous record with the first hack it announced earlier this year. Before that, the social networking website MySpace set another record earlier in 2016 when it announced that a Russian hacker named "Peace" had stolen 360 million accounts--although this record has obviously been trounced twice over by Yahoo. To put the seriousness of the Yahoo breach in context, in 2015 there were an estimated 3.2B internet users worldwide. This means, depending on how many users had multiple accounts, nearly a third of all internet users could potentially have been hacked. To make things worse, Yahoo still doesn't even know how they were hacked. According to Yahoo, the data stolen includes names, emails, addresses, phone numbers, birthdays, passwords, as well as security questions and answers.
This is coming at a time when hacking has been at the forefront of people's minds: just over a month ago, a hacker was arrested for breaking into over 83 million JPMorgan accounts. In fact, nearly 700 data breaches have been reported this year alone. Oracle, Verizon, DropBox, LinkedIn, Wendy's, Snapchat and even the IRS have reported data breaches in 2016. Verizon is especially notable on this list as they had the misfortune of buying Yahoo this year for nearly $5B. While this may well be a savvy business move, it has certainly multiplied their data breach headaches. There has even been speculation that Verizon will ask for a whopping $1B rebate on their purchase.
So the question is, how and when can you sue when a business fails to protect your private information? How can you protect your own business from ending up with Yahoo's headache?
Data Breach Laws On the Rise Nationwide
While there is some federal law dealing with how personal information, and breaches stealing that information, must be dealt with, the area is primarily an issue handled by state law. As of today, 47 states have individualized laws dictating how companies must approach a data breach. The laws themselves all tend to differ notably on fine points from state to state, but all address who the law covers, what constitutes personally identifiable information (a fancy term for private information that could be used to identify you), what constitutes a breach (usually a hack accessing your private information), how and when a breach needs to be reported, and what is exempted from the rules. California was the first to enact a data breach statute back in 2002, with the law taking effect in 2002. The only states which currently have no data breach statutes are New Mexico, South Dakota, Kentucky, and Alabama.
Not only are there data breach statutes in almost every state, expansion of data breach laws is on the rise, with 26 states proposing or passing expanded data breach laws in 2016. Just earlier this year, Tennessee enacted what is likely the strictest data breach law in the nation. Tennessee wasn't alone: California, Illinois and Nebraska also expanded their data breach laws in the past year.
Due to the substantial variation in state laws, preparing a business to comply with all the requirements of different data breach statutes can be a challenge. If your business is working out of a single state, then compliance with data breach law can be as simple as consulting an attorney about the laws of your state. However, when your business is operating across multiple states the situation becomes a bit more complicated. As a general rule, a business in this situation is going to have to comply with the strictest requirements of all the states they work in. However, unlike many other restrictions such as those from employment law, privacy breach is interesting in that the statutes are often strict in different ways. There can be times when reporting is necessary in one, many, or all of the states you operate in. It is important for companies operating in many states to have a clear data breach policy in place and, if possible, have a team trained to know how to respond to any given data breach. It's also important to ensure that your data security measures are up to date and, at a minimum, match the standards of your industry.
Yahoo Already Facing Lawsuits Over Data Breaches
It's probably no surprise that the biggest hack of personal information in history has already led to lawsuits. The first two lawsuits were both filed in California and alleged that Yahoo did not adequately follow California's data breach statutes by waiting so long to reveal an over two year old hack. They also argue that Yahoo was grossly negligent both in how it protected its users' information and in reporting the breach--only discovering the incident years after it occurred. These lawsuits have snowballed into many more lawsuits across the country, including a class action lawsuit in California.
Where a company fails to comply with the rules of a state's data breach statute there can often be a cause of action on behalf of a consumer whose personal information has been accessed. However, due to the varying nature of these statutes, exactly when there has been such a violation can be hard to pin down without a lawyer's help.
Generally, where a business doesn't act with reasonable care (usually by keeping up with the industry standards for protecting information such as encrypting personal information) or notify customers as soon as possible after they learn that their data has been breached there can be a lawsuit. However, once again, the exact rules will vary depending on where you live.
A common hurdle with data breach cases has been that the breach itself doesn't always represent a harm. Often courts will require that there have been actual damages caused by the breach, beyond the theft of identity and personal information itself, before they will allow somebody to move forward with a lawsuit. Sometimes, where particularly sensitive information such as credit card numbers or social security numbers is taken, a court will consider a hacker accessing the data a damage in and of itself. However, this approach has been a fairly recent development within the courts and only certain jurisdictions have adopted it. Early in 2016, the 7th Circuit expanded this theory further than nearly any court had gone before. Building on an earlier data breach case against Neiman Marcus, the court ruled that a class action data breach lawsuit against PF Chang's could move forward based on a theory that future injuries were imminent and the breach posed a substantial risk of harm. What's more, the court treated the costs of the remedial steps that those potentially affected by the breach took to prevent any further loss of their information as present damages, allowing the case to move forward.
While the trend seems to be towards making data breach lawsuits more consumer friendly, they are still complicated. However, with data breaches breaking records left and right--in a bad way--now is an important time to know your rights and protect your business. When a third of all internet users may be at risk in a single breach you never know if your account is one that has been targeted.
Authored by Jonathan Lurie, LegalMatch Legal Writer