skip to main content

Responding to a Cyber Attack – Your Liability

Add Kmart and Dairy Queen to the list of cyber attack victims.  Both companies confirmed earlier this month that they had suffered such breaches.  JPMorgan’s CEO, whose company suffered its own breach earlier this month, said: “This is going to be a big deal and there will be a lot of battles.”
If you find yourself fighting one of these battles, do you know your obligations if you lose? 
In such case, your primary obligation is to notify all individuals whose personal identifiable information (“PII”) has been compromised. 
State data notification laws require companies who have suffered data breaches to provide this notification.  Each state has its own data notification law, intended to protect the state residents.  Thus, although your company may be located in Pennsylvania, if you have customers in all 50 states and you suffer a cyber attack that affects all of those customers, then you must abide by each one of these 50 state laws.
Again, while each state has a different law with different requirements and penalties, here is a general overview of these laws:
Who Must Be Notified: The state resident who has had his/her PII breached. 
What You Must Do: Provide notice in the most expedient time possible without unreasonable delay.  In some states, you are also required to notify certain governmental agencies and/or consumer reporting agencies.
What is the Penalty for Failing to Provide Notice: Some states allow the person who has had his/her PII compromised to pursue damages against the company.  Other states allow for the state attorney general to assess penalties, including fines.
Just following the requirements of a state’s data notification law does not absolve a company of all liability.  Most of the lawsuits filed against companies who have suffered cyber attacks are filed under state common law claims.  This means that, like a lawsuit stemming from a car crash, your liability depends on whether you acted reasonably in the prevention of and response to a cyber attack.  The damages assessed against you are based on how much the victims have suffered.
Even though you may not escape liability under state common law, you still need to abide by these state data notification laws.  A failure to do so will increase your liability by: (1) exposing you to the penalties under these specific laws; and, (2) showing a court that you failed to act reasonably in responding to a cyber attack.
If you have questions about a particular state’s data notification law or about your potential liability in the event of a cyber attack, contact a member of our Emerging Technology’s Practice Group.
Also, if you know of someone who may be interested in receiving these weekly tips, contact to be added to the distribution list.