Matthew Garry | MTTLR

My Data Has Been Breached—Can I Sue?

Earlier this week, Facebook announced that 50 million user accounts had been compromised in a data breach. This is just the latest episode in a series of high-profile and far-reaching data breaches in which consumers’ sensitive personal and financial information has been exposed or stolen. Discourse about issues relating to data protection frequently centers on prevention: how to make systems more secure from hacking and other cyber attacks, or how to improve detection speed when such attacks are successful. However, there is another aspect of digital data breaches that deserves attention: liability.

What legal options do affected consumers have? Can one of the 50 million people whose accounts have been hacked sue Facebook for negligence? In similar situations, the answer has been no. Part of the problem is that the duty to provide data privacy and security does not neatly fit into any established category in tort law. The common law does not recognize a general cause of action resulting from the accession or theft of a consumer’s private information. Plaintiffs may thus find it necessary to argue that special circumstances mean the company owes consumers a specific duty, like a fiduciary duty.

For example, a class-action lawsuit against Equifax for a 2017 data breach was brought on the theory that the company had a duty to protect personal information. The strength of the plaintiffs’ legal claim is being tested—Equifax has filed a motion to dismiss that awaits ruling in the Northern District of Georgia. If Equifax succeeds in defeating the claim that it owed a duty, the plaintiffs will be in serious trouble. This is because the common law generally...