Public Pressure to Assume Liability for Data Breach

Identity Theft Damages


Connecticut's Attorney General has a new way to impose legal liability on a company that loses sensitive customer data.

Only a small number of court decisions hold data holders liable for damages suffered by data subjects after a security compromise. One such decision is Bell v. Michigan Council 25 AFSCME [Michigan Ct. of Appeals, unpublished op. 2/15/05]. It upheld a quarter-million-dollar judgment against a small labor union after a thief stole members' identity data from the union. Members proved in court that the criminal committed identity theft against them.

That result required the union members to prosecute a lawsuit and prove their case.

Sometimes state legislatures enact a law that specifically requires a data holder to pay the costs of others in the wake of a data leak. A good example of such special legislation is Minnesota's HF 1758 (Plastic Card Security Act), which sometimes requires credit card retailers to reimburse the costs of card issuers when they cancel cards after a data leak at the retailer.

Now, following an incident at Countrywide Financial Corp (part of Bank of America), the Connecticut state attorney general seeks liability without the support of a judicial decision or special legislation.