Data breaches are no longer rare, headline-only events. They can happen to any business, regardless of size, from startups and small businesses to established companies. When customer data is stolen, whether by hackers, leaked by an employee, or accidentally exposed through a website error, one question comes to mind: who is responsible? Companies now collect more personal information than ever and rely increasingly on cloud-based storage, which raises the risk of data falling into the wrong hands. When a breach occurs, responsibility and liability become critical issues.
What is a Data Breach?
A data breach happens when sensitive information is accessed, disclosed, or stolen without authorization. Today, many businesses no longer store data in-house. Instead, data resides in cloud-based systems, which primarily involve three parties: the customer whose data is collected, the business that owns and uses that data, and a third-party provider (the data holder) that stores or processes it, such as IBM Cloud or Azure, to name a few. A data breach can be highly consequential when criminals access customer information and sell it or exploit it for fraud.
Common Ways Customer Data Gets Stolen
As a business, your data can be stolen in various ways. One of the most common is when hackers use malware, spyware, or other tactics to break into your systems. Internal breaches, in which employees or contractors intentionally or carelessly expose sensitive data, can be just as damaging. Data theft can also happen through physical device theft or tampering, especially with payment systems, where skimming devices placed on ATMs or fuel pumps silently collect card information.
Who Is Responsible for the Data Breach?
In most cases, U.S. law places responsibility on the data owner, the business that collects and uses customer information. Even if the breach happens through a cloud provider’s system, vendor contracts often limit the provider’s liability and exclude indirect or consequential damages. This leaves the business that owns the data accountable for the losses.
However, there is one exception. Under the Health Insurance Portability and Accountability Act (HIPAA), cloud providers and other data handlers can be held responsible for medical data breaches. Still, the data owner must notify individuals and regulators when protected health information is compromised.
As a business, your liability may significantly increase if you fail to use reasonable security measures, delay notifying the appropriate parties, or mishandle your response to the data breach. When this happens, you may be exposed to lawsuits, regulatory fines, investigation costs, and recovery expenses.
How Can You Reduce Risk Before and After a Data Breach?
In the event of a data breach, speed is crucial. The longer a breach goes undetected, and the more mistakes are made in handling it, the higher the cost. To reduce the risks, consider taking the following steps:
Have a solid response plan to help your employees act quickly and consistently.
Have draft customer notifications and media statements ready to reduce chaos.
Consider carrying cyber liability insurance.
Speak with an attorney familiar with internet law to review contracts and advise you on the state and federal laws that the breach may implicate.
Preserve evidence and work with forensic experts before making system changes.
Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
Federal Data Breach Notification Law: The Patchwork Framework
The United States does not have a single comprehensive federal data breach law, but several sector-specific statutes impose notification and security obligations. The Health Insurance Portability and Accountability Act (HIPAA, 42 U.S.C. § 1320d et seq.) requires covered entities and business associates to notify affected individuals, the Department of Health and Human Services, and in some cases media outlets, following a breach of unsecured protected health information. Penalties can reach $1.9 million per violation category per year. The Gramm-Leach-Bliley Act (GLBA, 15 U.S.C. § 6801 et seq.) imposes data security requirements on financial institutions; the FTC’s revised Safeguards Rule (16 C.F.R. Part 314) requires non-bank financial services companies to implement specific administrative, technical, and physical safeguards and to report certain breaches to the FTC within 30 days.
The FTC Act itself — particularly § 5 — has been used to pursue companies whose data security practices were unreasonable and resulted in consumer harm. The FTC does not need a specific data security statute to act; it treats failure to implement reasonable security measures as an unfair business practice. Several major FTC enforcement actions, including against LabMD and Wyndham Hotels, established that companies have an obligation to implement reasonable data security even absent a specific statutory requirement. Consent decrees from these actions impose 20-year security audit obligations and significant operational requirements.
State Data Breach Notification Laws: 50 Different Requirements
All 50 states have enacted data breach notification laws, creating a complex compliance landscape for any business with customers in multiple states. California’s data breach law (Cal. Civ. Code § 1798.29 and § 1798.82) requires notification to affected California residents in the most expedient time possible, and in no event more than 72 hours for businesses covered by CalOPPA or the CCPA. California’s definition of covered personal information is among the broadest: it includes not only names combined with Social Security numbers or financial information, but also usernames and passwords, biometric data, and health information.
New York’s SHIELD Act (N.Y. Gen. Bus. Law § 899-aa) extends notification requirements to any business that owns or licenses computerized data including private information of a New York resident, regardless of whether the company is located in New York. The SHIELD Act also requires businesses to implement a data security program with reasonable administrative, technical, and physical safeguards. Colorado’s Consumer Protection Act (C.R.S. § 6-1-716) requires notification within 30 days of discovery for breaches affecting more than 500 Colorado residents. Navigating 50 different definitions of covered data, notification deadlines, and content requirements is operationally challenging — most businesses with national customer bases should maintain a breach response plan developed with legal counsel that maps state-by-state requirements.
Third-Party Vendor Liability: When a Breach Is Not Your Fault
One of the most underappreciated data breach liability risks is the third-party vendor scenario. If your payment processor, cloud storage provider, CRM platform, or shipping software suffers a breach that exposes your customers’ data, you — not just the vendor — may be legally responsible. Under most state breach notification laws, the duty to notify belongs to the entity that owns or licenses the data, regardless of who actually suffered the breach. Customers whose data was exposed by your vendor’s failure will look to you, because you are the entity with whom they had a relationship.
Contracts with third-party vendors who handle personal data should include: (1) representations and warranties that the vendor maintains adequate security practices; (2) audit rights or certifications (SOC 2 Type II, ISO 27001) demonstrating those practices; (3) a breach notification obligation requiring the vendor to notify you within a specific timeframe (24-72 hours is common); (4) indemnification for costs arising from the vendor’s breach; and (5) cyber insurance requirements. Vendor agreements that lack these provisions leave you bearing the entire cost of notification, remediation, and litigation from a breach you did not cause.
CCPA and CPRA: California’s Private Right of Action for Data Breaches
California’s Consumer Privacy Act (CCPA, Cal. Civ. Code § 1798.100 et seq.), as amended by the California Privacy Rights Act (CPRA), creates a private right of action for California residents whose non-encrypted and non-redacted personal information is subject to unauthorized access as a result of a business’s failure to implement and maintain reasonable security procedures. Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater. This private right of action — unique among state privacy laws — enables class actions: a breach affecting 100,000 California consumers with $100 statutory damages generates $10 million in potential liability before litigation costs.
The CCPA/CPRA private right of action applies only to the specific scenario of a data breach caused by inadequate security. It does not require proof of actual harm; the unauthorized access itself is the trigger. The “reasonable security” standard is informed by the CIS Controls, NIST Cybersecurity Framework, and FTC guidance on data security. Businesses that have not implemented basic security controls — encryption at rest and in transit, access controls, multi-factor authentication, employee security training, and regular vulnerability assessments — are at significant risk of being found to have failed the reasonable security standard if a breach occurs.
Building a Data Breach Response Plan Before You Need It
The cost of a data breach is substantially lower for businesses that have a written incident response plan in place before a breach occurs. An effective plan identifies the core response team (CEO, legal, IT, communications), defines what constitutes a “breach” requiring formal response, maps the notification timelines for each applicable state and federal law, designates breach response counsel and a forensic investigator in advance, and includes template notification letters. The Ponemon Institute’s Cost of a Data Breach Report consistently finds that companies with incident response teams and tested response plans save an average of over $2 million per breach compared to those without them.
Cyber liability insurance is an important component of breach preparedness. A policy providing coverage for first-party costs (forensic investigation, notification, credit monitoring for affected individuals, public relations) and third-party costs (regulatory defense, class-action defense, settlements) can be the difference between a manageable incident and an existential one. Review your coverage limits against the volume of personal data you hold and the potential class-action exposure in states like California. The internet law attorneys at Revision Legal advise businesses on data security compliance and breach response. Contact us through our contact page if you need to review your data breach preparedness.