' My Data Has Been Breached—Can I Sue? | MTTLR

My Data Has Been Breached—Can I Sue?

Earlier this week, Facebook announced that 50 million user accounts had been compromised in a data breach. This is just the latest episode in a series of high profile and far-reaching data breaches in which consumers’ sensitive personal and financial information has been exposed or stolen. Discourse about issues relating to data protection frequently center on prevention: how to make systems more secure from hacking and other cyber attacks, or how to improve detection speed when such attacks are successful.

However, there is another aspect of digital data breaches that deserves attention: liability. What legal options do affected consumers have? Can one of the 50 million people whose accounts have been hacked sue Facebook for negligence? In similar situations, the answer has been no. Part of the problem is that the duty to provide data privacy and security does not neatly fit into any established category in tort law. The common law does not recognize a general cause of action resulting from the accession or theft of a consumer’s private information. Plaintiffs may thus find it necessary to argue that special circumstances mean the company owes consumers a specific duty, like a fiduciary duty. For example, a class-action lawsuit against Equifax for a 2017 data breach was brought on the theory that the company had a duty to protect personal information. The strength of the plaintiffs’ legal claim is being tested—Equifax has filed a motion to dismiss that awaits ruling in the Northern District of Georgia.

If Equifax succeeds in defeating the claim that it owed a duty, the plaintiffs will be in serious trouble. This is because the common law generally does not see data theft as a harm in and of itself. Plaintiffs must allege something additional like identity theft. Thanks to the economic loss doctrine, plaintiffs who fail to establish a cognizable duty owed by the company usually can’t sue for negligence even if they have suffered financial harm as a result of a data breach. These issues are real: In 2015, a Pennsylvania state court cited the economic loss doctrine when it tossed out a lawsuit brought on behalf of more than 62,000 past and present employees of the University of Pittsburgh Medical Center following the theft of personal information from the Center’s computer system. The Pennsylvania court went on to say that given the prevalence of hacking, it would be untenable to impose a general duty to protect the confidential information of employees from data breaches. It is true that such a duty would be a huge burden on companies everywhere, but perhaps they are functionally and economically in a better position than consumers to protect data.

So what is to be done? Is the status quo desirable? One potential solution would be through contracting. User terms of service could include a clause imposing liability on the data-keeping organization in the event a user’s confidential information is accessed or stolen by an unauthorized third party. But the prospects for such a solution are grim. In the digital era, consumers must essentially accept the terms dictated by the service provider; it’s a stretch to believe Facebook will negotiate one-on-one with users regarding its terms of service. The practical justifications for avoiding individual negotiations are obvious, but the consequence is that the contracting channel is likely foreclosed as a means of strengthening the legal rights of victims of data theft.

A more viable alternative would be the legislative creation of duties, causes of action, and remedies for general data breaches. Many states have laws requiring companies to give notification of data breaches, though fewer have granted private causes of action. While there are good reasons to be cautious about imposing broad liability, concerns about creating a general duty for companies to protect the data they collect from consumers could be overblown. The negligence standard merely demands reasonable precautions and efforts to protect data; in the inevitable event of a data breach, any company that has taken reasonable steps to prevent and contain such breaches will not be held liable. This would strike the proper balance between recognizing the impossibility of preventing all data breaches and providing consumers with some recourse when their personal information is accessed or stolen.*

*Matt Garry is an Associate Editor for the Michigan Technology Law Review. He can be reached at mbgarry@umich.edu.


  1. Promo.com and Canva have both compromised me email. What can I do?

  2. If your information was cyber attacked why can’t you get a settlement if your information may be used in present or future gain.

  3. Facebook shared all my private info i want tangibles

  4. I am hopeful that companies be held liable for ensuring basic protectiona to avoid the theft of personal information. This issue is unaddressed and under=discussed among law and policy makers. All businesses that require your information should be liable for its safety to include fines, penalties &/or forfeitures in the event these protections are not found to be in use. I have had to pay attorney fees, identity theft protection costs, and purchase programs and/or apps to feel only somewhat guarded. This issue can ruin ones credit, reputation, and holdings such as for property. The implications are as distressing as any unplanned attack or assault and can interfere with rights to privacy as are protected in various facets of law. In addition to our civil rights, & reasonable expectation of privacy. All are being lost due to non attentiveness and a wavering economy but ALL can be lost to this crime.

  5. Hi, I had a data breach with Fema in 2017 and attorneys I called said they could not take my case. I recently got a letter from this insurance co that my name and ss was part of a data breach , what can I do?

  6. in new york a cracked sidewalk will get you 10000.00 if you trip every concrete sidewalk has cracks so your example seems lacking

  7. I can’t find anywhere what to do if an employee at a company willingly and knowingly gives unauthorized access to someone’s account because another person is in the store threatening her. My information was given to someone else just to get the person out of the store and now Verizon is harassing me for it. I explicitly told them not to give anyone else access to my account!

  8. I have 100s of calls on my cell but more at home phone im disable and i hate pick up the phone i been missing my dr officers family etc because they have so many #s all day and night help im going insane



  1. The Horrible Hidden Costs of a Data Breach - DIGISTOR - […] In an article for the Michigan Technology Law Review, Matt Garry identifies the main reason why not all companies…

Submit a Comment

Your email address will not be published. Required fields are marked *