Beware of the checks your on-line privacy and security policies write. If your you-know-whats can’t cash them, plaintiffs might.
Increasingly, plaintiffs are filing lawsuits after “hackers” access their personal information through undersecured websites or electronic databases. Almost every company holds some type of customer information in electronic form. As companies enhance their web presences, many have posted security and privacy policies. If you’re a business owner, you likely have one (if you don’t, you should). And if you’ve ever used the internet (if you haven’t, you’re not reading this article), you’ve seen links to these at the bottom of web pages, and you’ve probably ignored them. I certainly have.
Here’s the problem for businesses – hackers are hard to find and are usually judgment proof. If your data security is breached, and if your customers want to sue somebody, they are going to sue you.
Most of these high-profile lawsuits have been premised on traditional negligence principles, but courts have come to varied conclusions about a business’s duty to protect its customer information from hacking. This initial resistance to the imposition of traditional tort liability has led to two things: (1) some states have created statutory duties in this context; and (2) plaintiffs’ lawyers have gotten pretty creative, with some success.
In Baidu, Inc. v. Register.com, Inc., a search-engine operator, Baidu, Inc., sued Register.com, its traffic-routing services provider, after a hacker gained access to Baidu’s account and directed its web traffic elsewhere. Imagine the business next door diverting all of your phone calls to it. Baidu sued.
Baidu asserted breach of contract, negligence and gross negligence claims. Register.com moved to dismiss, arguing that its security policy contained a broad limitation of liability provision. And it did. But it also contained statements about how Register.com protected its customers’ information and employed security measures to guard against data breaches.
Baidu argued that Register.com’s failure to follow its own policies constituted a breach of contract and gross negligence. The Southern District of New York agreed. The court held that the limitation of liability provision barred an ordinary negligence claim, but not the breach of contract and gross negligence claims. The court stated that if Baidu proved what it had alleged, “then Register failed to follow its own security protocols and essentially handed over control of Baidu’s account to an unauthorized intruder, who engaged in cyber vandalism. On these facts, a jury surely could find that Register acted in a grossly negligent or reckless manner.”
A few months later, the case settled for an undisclosed sum.
While we’re well settled into the internet age, the age of data security litigation is in its infancy. One way to protect your company is to give considerable thought to your security and privacy policies, and then to abide by them. You can’t guarantee elimination of all data breach exposure, but you can put your company in a position to refute the simple, but powerful argument that carried the day in Baidu – that you didn’t do what you said you were going to do.
Just as you make certain there is money in the bank before writing an actual check (I hope), make certain that your operations are consistent with your security and privacy policies before you publish them. Otherwise you might need more money in the bank.