
Tips to Help a Business Avoid Data Breach Litigation

by Eric Misterovich

Partner

Data Breach

Little is as stressful for a company as handling the aftermath of a data breach. Not only must the company notify affected clients of the breach, it may also be confronted by data breach lawyers with at least one lawsuit, or even a class action. There are steps a company can take to help it avoid data breach litigation.

Preparation for a Data Breach is Key to Mitigating Problems Down the Road

Every company, large or small, should be prepared for a data breach, because it is a question of when rather than whether it will be targeted by cyber criminals. Companies can prepare by having a written plan for how they will handle a data breach. Running practice drills of a breach scenario (tabletop exercises) also helps the company identify pitfalls and shortcomings in the plan, which can then be addressed before the real thing.

The action plan should cover both how to technically contain a breach and a communications plan that sets out what will and will not be said to the press, and what will be communicated to the consumers whose data may have been exposed. The words used in public statements are critically important, since plaintiffs' lawyers will try to use them later in court; a statement that turns out to be inaccurate, such as an early assurance that no sensitive data was affected, is especially damaging. Know how your company will handle a data breach before it happens.

Understand the Company’s Rights and Obligations Under the Law

Companies need to know what their rights and obligations are under the law before a data breach occurs. Knowing the law on these matters will give the company better footing on how to handle the aftermath of the situation. Companies that do not know or understand data breach law often fail to notify consumers whose data may have been exposed in a breach in a timely manner, which can result in significant penalties for the company.

Breach notification law requires companies to act quickly once a breach is discovered. The company is responsible for containing the breach, and then for notifying affected individuals within the time the applicable statute allows. In the United States the deadline varies: each state has its own breach notification statute, and sector rules such as HIPAA impose their own, so the response plan should identify in advance which deadlines apply to the company. It is better to own up to the breach and let those affected know as soon as possible that their personal identifying information or payment card information may have been exposed.

Get Prepared With the Help of an Experienced Data Breach Attorney

One of the best strategies for a company to have concerning data breaches is to be prepared. Knowing in advance what you will have to do, what you will need to say, and how you can manage the aftermath of a data breach can go a long way towards helping your company avoid data breach litigation. Reach out to the data breach lawyers at Revision Legal today to help prepare your data breach prevention and response plan. Contact us using the form on this page or call us at 855-473-8474.

Image credit to Abdul Wajid.

The Legal Framework for Data Breach Liability: What Plaintiffs Must Prove

When a company suffers a data breach and customers file suit, what do the plaintiffs actually need to prove to recover damages? Understanding the plaintiff’s burden helps companies understand what their legal exposure looks like and where preparation can make the most significant difference.

Negligence: The Core Claim

The primary tort theory in data breach litigation is negligence. Plaintiffs must establish: (1) a duty to protect personal information; (2) breach of that duty through inadequate security measures; (3) causation connecting the security failure to the breach; and (4) damages. Courts generally recognize that companies owe a duty of care to individuals whose personal information they collect and store, particularly when they have represented that the information will be protected.

The breach element is often contested. Plaintiffs typically argue that the defendant failed to implement industry-standard security practices, failed to patch known vulnerabilities, or failed to encrypt sensitive data. Expert testimony on the adequacy of the company's security program is common in litigation. Companies that have documented, implemented, and tested security programs aligned with recognized frameworks, such as the NIST Cybersecurity Framework or ISO/IEC 27001, are in a substantially better defensive position than those without formal programs, because they can show the court what "reasonable security" meant for them and that they actually followed it.

The Standing Problem: Why Many Data Breach Cases Are Dismissed

Perhaps the most significant legal battleground in data breach class actions is Article III standing. The U.S. Supreme Court's decision in Clapper v. Amnesty International USA, 568 U.S. 398 (2013), requires plaintiffs to demonstrate a concrete and particularized injury that is "certainly impending", or at least a "substantial risk" that the harm will occur. Many data breach class actions have been dismissed at the pleadings stage because the plaintiffs could not show that they had suffered actual harm, or a sufficiently certain future harm, from the breach.

Courts are divided on whether the increased risk of identity theft, the cost of credit monitoring, and the loss of the “value” of the personal information itself constitute sufficient injury. The Seventh Circuit, in Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015), held that a substantial risk of harm from stolen credit card data is sufficient for standing. Other circuits have taken stricter approaches. This circuit split continues to evolve as data breach litigation matures.

Contractual and Statutory Claims

Beyond negligence, data breach plaintiffs frequently assert: breach of implied or express contract (arguing that the company's privacy policy constituted a promise to protect data); violations of state consumer protection statutes (which may provide statutory damages without requiring proof of actual harm); and violations of sector-specific security rules (HIPAA for healthcare, GLBA for financial institutions, FERPA for educational institutions). Note that HIPAA, GLBA and FERPA do not themselves create a private right of action; plaintiffs instead cite their security requirements as the standard of care in negligence or negligence per se claims. Some state statutes, such as California's Consumer Legal Remedies Act and the CCPA's limited private right of action, provide statutory damages that can aggregate into significant class action exposure without individual proof of harm. The CCPA's private right of action deserves particular attention from a security engineering standpoint: it applies only to breaches of nonencrypted and nonredacted personal information caused by a failure to maintain reasonable security, so encrypting stored personal data is a direct way to reduce that exposure.

Regulatory Enforcement: The FTC’s Role

The Federal Trade Commission has broad authority under Section 5 of the FTC Act, 15 U.S.C. § 45, to take action against companies whose data security practices constitute unfair or deceptive trade practices. The FTC has used this authority to bring enforcement actions against companies including LabMD, TJX Companies, and Uber. FTC consent orders typically require companies to implement a comprehensive security program and submit to independent third-party security assessments for 20 years, a significant ongoing compliance burden.

The FTC’s “Start with Security” guidance, while not binding, reflects the agency’s views on what constitutes reasonable data security. Following these guidelines—which include encrypting sensitive data, implementing access controls, and maintaining robust patch management programs—reduces the risk of both a breach and a subsequent enforcement action.

The Insurance Question: Cyber Coverage Is Not Optional

Companies that hold significant amounts of personal data should carry dedicated cyber liability insurance. Standard commercial general liability policies typically exclude data breach and cyber incidents. Dedicated cyber policies cover first-party costs (breach investigation, notification, credit monitoring, public relations) and third-party claims (legal defense, settlements, regulatory fines where insurable). The cyber insurance market has grown significantly, and coverage is available at reasonable premiums for most companies. An experienced data breach attorney can help evaluate whether your current coverage is adequate for your risk profile.

Contact the data breach attorneys at Revision Legal to review your data security program and breach response plan. We work with companies before a breach to reduce liability exposure and with companies after a breach to manage their response. Contact us today.
