US Appeals Court Lowers Bar for Data Breach Lawsuits
Under federal law you have to show that you have been damaged in order to sue, even in the case of a data breach. The courts continue to reevaluate where the bar to sue is set.
The 4th US Circuit Court of Appeals has lowered the bar, again, for people who want to sue a company that has been breached. While this is not a guaranteed win for plaintiffs, it makes lawsuits more risky for breached companies.
The case involves Elephant Insurance Company (really, that is their name) and 3 million people.
Up until now the courts have ruled that having your data stolen is not sufficient to prove damages. You had to prove actual damages. Courts have lowered that bar before by saying that your loss didn’t have to be great, but there had to be a loss.
While courts have said that the loss of private data such as medical records is considered actual damages, other records like your driver’s license, maybe not.
In this case, the hacker put the data up for sale on the dark web, so the court said that increases the risk of actual fraud. Thieves, the court says, wouldn’t pay for that stolen data if they didn’t have other data to match up with it to use.
The company tried to say that since you had to be a dark web “customer” in order to buy the data, somehow that lessened the risk. The court disagreed.
That does suggest that you should monitor the dark web. It could be an early warning that you may be getting sued. We can help with that monitoring.
For lawyers, if the data is NOT available on the dark web, that may help the company being sued.
This suggests that there is a difference between possession by the crooks and public availability, such as on the dark web. CISOs should track and document what becomes public using techniques such as screenshots, hashes, timestamps and linkage to where it came from in their company. A lot of times this is going to be hard because the hacker is not going to let you look at the data unless you buy it from them.
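One way to keep the record described above, as an added example that is not from the original article: each observation stores the SHA-256 of the captured file, a UTC timestamp, where it was seen and the internal system it traces back to. Chaining each entry to the previous one is an assumption added here so that later edits are detectable; all field names and sample values are constructed.

```python
import hashlib, json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash used by the first entry in a log

def _digest(entry):
    # Canonical JSON (sorted keys) so the same entry always hashes the same.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record(log, artifact, kind, observed_at, internal_source, when=None):
    """Append one exposure observation to the log and return the new entry."""
    entry = {
        "captured_utc": (when or datetime.now(timezone.utc)).isoformat(),
        "kind": kind,                        # e.g. screenshot, data sample
        "artifact_sha256": hashlib.sha256(artifact).hexdigest(),
        "artifact_bytes": len(artifact),
        "observed_at": observed_at,          # where the exposure was seen
        "internal_source": internal_source,  # system the data came from
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry

def verify(log, artifacts=None):
    """Return the index of the first entry that fails a check, or -1."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev_hash"] != prev or _digest(e) != e["entry_hash"]:
            return i  # entry edited, reordered or removed after the fact
        if artifacts is not None and \
                hashlib.sha256(artifacts[i]).hexdigest() != e["artifact_sha256"]:
            return i  # stored file no longer matches what was captured
        prev = e["entry_hash"]
    return -1

def demo():
    # Constructed sample artifacts; real use would read the saved files.
    shot = b"\x89PNG constructed screenshot bytes"
    sample = b"name,policy_no\nConstructed Person,PLACEHOLDER-001\n"
    log = []
    record(log, shot, "screenshot", "placeholder: sale listing", "n/a")
    record(log, sample, "data sample", "placeholder: sale listing",
           "placeholder: customer table in quoting system")
    return log, [shot, sample]

if __name__ == "__main__":
    log, files = demo()
    print(json.dumps(log, indent=2), "\nfirst bad entry:", verify(log, files))
```

Keeping the log and the captured files in separate, access-controlled locations makes the check meaningful, since someone who can rewrite both can also rebuild the chain.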
In any case, this does change the equation when responding to data theft breaches.
Credit: CSO Online
