Liability Roulette

When a judge last week rejected Target’s attempt to dismiss a lawsuit about their 2013 breach, it set a very important precedent on data breaches – Target was shown to be responsible, at least in part, for the damage that was caused by the breach. According to the decision, “Target’s actions and inactions – disabling certain security features and failing to heed the warning signs as the hackers’ attack began – caused foreseeable harm to plaintiffs.”

If enterprises didn’t already have enough of an excuse to be worrying about breaches, this ruling adds to the worry. It serves as a reminder that not only will the organization have to pay for the breach in publicity; it will most likely be held legally liable if something goes wrong. As breaches seem to proliferate, these lawsuits will only become more common. P.F. Chang’s was dragged to court over their breach. Home Depot is facing “dozens” of lawsuits. And as the Sony hacking nightmare becomes darker, employees are considering a class action lawsuit against the company. With no credit card data involved, it is a precedent for all organizations, not just retail enterprises.

The legal tactics used in these cases have evolved along with the explosion of lawsuits. Today the enterprises themselves are not the only ones who should fear lawsuits. Target’s auditor was brought into the mess, as Target was certified as PCI DSS compliant before the breach. As we move forward, there may even be personal suits against individuals held responsible. And as the case law develops, clearer patterns will emerge – as of 2013, companies were still trying to decide whether these cases belonged in federal or state court.

With stock prices often affected only slightly by these breaches, successful lawsuits against breached organizations may actually be of great value. These data breach lawsuits may provide the extra kick needed to get retailers, in particular, to realize just how important security is.