A California district court has handed down a ruling that could impact the way data breach cases are handled around the country – and whether or not your business is held liable if and when cyber crime happens.
Here’s a summary of the case and a look at how it might apply to you if and when you’re victimized by a data breach.
The Ruling: Data Breaches are NOT Evidence of Insufficient Cyber Protection
The court case involved two LinkedIn users who sued LinkedIn after it suffered a data breach in 2012. They alleged that the breach violated LinkedIn’s terms of service, which promised to protect users’ information with technology that adhered to “industry standards.”
They sought damages from LinkedIn, citing the company’s data breach as evidence that it failed to adhere to the protections it promised in its user agreement. Further, the two sought to recover the fees they paid as premium members of the LinkedIn community, the value of which they said LinkedIn failed to provide.
The court, however, disagreed. It ruled that…
1. The security measures LinkedIn provided were, in fact, up to industry standards. Data breaches are, unfortunately, too common to be considered the result of poor data security measures; in other words, the court’s ruling acknowledges that even industry-standard data protection measures cannot be relied on to protect against all data breaches.
2. The plaintiffs’ membership payments had no relationship to their privacy expectations. Because LinkedIn offers the same privacy and data protection measures to all its members, regardless of membership type, data security expectations are not affected by membership fees. Instead, the court ruled, those fees gave the plaintiffs access to additional networking opportunities and tools, which were not affected by the data breach.
3. In order for LinkedIn to be held liable for the loss the plaintiffs’ experienced, the loss must have occurred after the breach. In this case, the court noted, the alleged loss involved payments made before the breach occurred.
What the LinkedIn Data Breach Ruling Means for Your Business
So how might this ruling affect your business’s cyber liability obligations to your clients? In a number of ways:
- Your liability may be affected by your contracts. LinkedIn was found not to have liability in part because its contract specifically outlined what kind of protection it was responsible for providing its customers. That contract wording played a role in ensuring that LinkedIn was not found liable for (and thus responsible for paying damages associated with) the data breach.
- You need to be familiar with industry standards for data security. While this case pointedly did not define what counts as “industry-standard” for data security, the court likely wouldn’t have excused LinkedIn of liability if it had provided subpar or insufficient protection to its customers.
- You can’t afford to skip Data Breach Insurance. While LinkedIn was ultimately found not to be liable for wrongdoing, this case serves as a reminder that such a ruling can only come after a legal battle, which includes lawyers’ fees, court costs, and lots of time and energy. Data Breach Insurance covers all those costs for you, thus allowing you to protect your business assets if and when someone challenges your data security efforts.
Writtten by Brenna Lemieux - check her out at Google+ or Twitter