How a lawyer proves company liability after a data breach

Data breaches are not only technological failures but potential legal liabilities that can devastate a business. At Mason LLP, our data breach lawyers understand that establishing company liability after a data breach requires methodical investigation, legal expertise, and strategic application of evolving federal and state law. This guide explains how counsel builds a case against a negligent organization.


The evolving landscape of data breach liability

When a data breach occurs, affected individuals often seek accountability from the companies entrusted with their sensitive information. Proving liability, however, isn’t straightforward. It requires demonstrating that a company failed to meet its legal obligations regarding data protection, and that this failure directly caused damages.

Key federal laws governing data protection

Several federal laws establish the legal framework for data breach liability cases, among them HIPAA (health information), the Gramm-Leach-Bliley Act (customer data held by financial institutions), and Section 5 of the FTC Act, which the FTC uses to challenge unreasonable data security as an unfair or deceptive practice. Each is discussed below. Note that these statutes generally do not give affected individuals a private right of action; plaintiffs typically sue under negligence, contract, and state consumer-protection law, using the statutes and the agencies’ guidance as evidence of the standard of care.

The four pillars of proving liability

At Mason LLP, we approach data breach liability cases by establishing four critical elements.

1. Duty of care

The first step is demonstrating that the company owed a duty of care to protect the data in question. This duty may arise from:

  • Statutory obligations under laws like HIPAA or GLBA
  • Contractual promises made in privacy policies or terms of service
  • Industry standards for cybersecurity practices
  • FTC guidance on reasonable security measures

For example, healthcare providers must comply with HIPAA’s Security Rule, which requires implementing technical, physical, and administrative safeguards to protect electronic protected health information (ePHI).

2. Breach of duty

Once the duty is established, we must prove the company breached this duty. This often involves demonstrating:

  • Negligent security practices – Failure to patch known vulnerabilities, weak encryption, or inadequate access controls
  • Non-compliance with industry standards – Deviations from frameworks like the NIST Cybersecurity Framework or ISO/IEC 27001. These frameworks are voluntary, so a deviation is evidence that security was unreasonable rather than a per se breach
  • Procedural failures – Lack of security testing, employee training, or incident response planning
  • Prior knowledge of vulnerabilities – Evidence the company was aware of security issues but didn’t address them

In the landmark case FTC v. Wyndham Worldwide Corp., the Third Circuit held that the FTC may challenge inadequate data security as an “unfair practice” under Section 5 of the FTC Act, and that Wyndham had fair notice that its practices could fall short of that standard. The ruling allowed the FTC’s claims to proceed; Wyndham subsequently settled with the agency.

3. Causation

The third element requires establishing that the company’s breach of duty directly caused the data breach and resulting damages. This typically involves:

  • Forensic evidence tracing the attacker’s entry point to a specific security failure
  • Expert testimony explaining how proper security measures would have prevented the breach
  • Timeline analysis showing when vulnerabilities were known and when they were exploited
  • Exclusion of alternative causes that might have contributed to the breach

Causation can be particularly challenging when sophisticated attackers are involved, but a history of security warnings or prior incidents can strengthen this element.

4. Damages

Finally, we must demonstrate that the breach resulted in actual damages to the affected individuals. These may include:

  • Financial losses from identity theft or fraud
  • Costs of credit monitoring and identity protection services
  • Time spent addressing breach consequences
  • Emotional distress and privacy violations
  • Diminished value of personal information

Courts have also addressed when the risk of future harm counts as injury. In McMorris v. Carlos Lopez & Associates, LLC, the Second Circuit set out factors for assessing whether an increased risk of future identity theft is a concrete enough injury to confer Article III standing: whether the data was exposed through a targeted attack, whether any of the exposed data has already been misused, and whether the data is of a type likely to lead to identity theft or fraud. On the facts of that case the court found the plaintiffs lacked standing, so the factors cut both ways and must be developed with evidence.

Building the case: Mason LLP’s approach

At Mason LLP, our approach to proving company liability follows a structured methodology:

Discovery and investigation

We begin by conducting extensive discovery to uncover evidence of negligence:

  • Document requests for internal security policies, risk assessments, and audit reports
  • Depositions of IT personnel, executives, and security officers
  • Subpoenas for third-party vendors with access to systems
  • Retention of forensic experts to analyze the breach and identify its cause

Establishing the reasonable standard of care

We meticulously document what constitutes “reasonable” security measures by:

  • Analyzing industry frameworks like NIST and CIS Controls
  • Consulting with cybersecurity experts who can testify about standard practices
  • Reviewing regulatory guidance from agencies like the FTC and the HHS Office for Civil Rights (OCR), which enforces HIPAA
  • Examining similar companies’ security practices and breach responses

Demonstrating notice and knowledge

A powerful component of proving liability is showing that the company knew or should have known about its security deficiencies:

  • Prior security audits highlighting unaddressed vulnerabilities
  • Employee complaints or concerns about security practices
  • Industry alerts about relevant threats the company ignored
  • Previous incidents that should have prompted improved security

Calculating and documenting damages

Our team works with economic experts to quantify the full extent of damages:

  • Aggregate financial impact across all affected individuals
  • Statistical models for estimating future risk and harms
  • Comparative analysis with similar breach cases and settlements
  • Documentation of remediation costs borne by victims

The impact of state laws

While federal statutes provide the backbone for data breach liability, state laws often extend protection beyond the federal baseline.

Strategic considerations for companies

For organizations seeking to mitigate liability exposure, Mason LLP recommends:

  1. Implementing a comprehensive security program aligned with frameworks like NIST CSF
  2. Documenting security decisions and risk assessments
  3. Maintaining appropriate cyber insurance coverage
  4. Developing robust incident response plans
  5. Conducting regular security training for all employees
  6. Engaging third-party security assessments to identify vulnerabilities

Establishing accountability: Mason LLP’s approach to data breach liability

Proving company liability after a data breach requires sophisticated legal strategy, technical expertise, and a thorough understanding of evolving federal and state regulations. At Mason LLP, we combine these elements to build compelling cases that hold negligent organizations accountable.

Our experienced team stays at the forefront of this rapidly developing area of law to deliver exceptional representation. Contact us online or call (202) 429-2290 to learn more.
