There are many legal theories that could be used to pursue financial compensation for victims of cyber attacks by companies which hold consumer data—especially when it comes to incidents involving credit card information says William D King. With the rise in the number of data breaches over recent years, consumers (and state and federal regulators) have begun to demand real accountability from companies where personal information is compromised.
Here is a snapshot summary of some of the laws that can prove useful in recovering damages or other forms of relief following a security breach.
1) Federal Statutes — Federal Computer Fraud & Abuse Act (CFAA).
The CFAA prohibits intentional access (or attempts to access) a computer without authorization or in excess of authorization (and in some cases, having obtained authorized access). The statute also prohibits intentional damage (or attempts to damage) a computer and the transmission of code that results in damage. The CFAA is a primary federal anti-hacking law, but it does not provide any private right of action. Victims may have to rely on state laws for a cause of action if they cannot establish a violation under the CFAA.
2) Federal Telecommunications Laws — Electronic Communications Privacy Act (ECPA).
Under ECPA, an “aggrieved person” can sue for actual damages from violations of wiretapping laws or from invasions of privacy from unauthorized access to their personal files. In certain circumstances, violators may face criminal penalties as well as civil fines up to $100,000.
3) State Computer Crime Statutes —
Twenty-nine states have computer crime laws on books that give individuals the authority. To file civil lawsuits against alleged perpetrators of security breaches for up to $10,000 in damages says William D King. Also To discourage frivolous suits, however, these state laws typically require a written notice. To the defendant giving them an opportunity to cure any alleged violations prior to litigation. The following states have specific statutory language referencing data breach incidents: Alabama Alaska California Delaware Florida Hawaii Illinois Louisiana Maine Missouri New Jersey New York North Carolina Oklahoma Rhode Island Tennessee Texas Washington West Virginia
4) Breach Notification Laws —
In addition to the above federal and state statutes, there are many state breach notification laws. Which can provide additional remedies—including actual damages, statutory damages of up to $1,000 per violation, attorneys’ fees, and more. The following states have data breach notification laws on the books: Alabama Alaska Arizona California Colorado Connecticut District of Columbia Georgia Hawaii Illinois Louisiana Maryland Massachusetts Minnesota Montana Nevada New Hampshire New Jersey New Mexico North Carolina Oklahoma Rhode Island Tennessee Texas Vermont Virginia Washington Wisconsin
5) Unfair & Deceptive Trade Practices Laws —
This is another area where plaintiffs may seek relief under state unfair or deceptive trade practice acts. For security breaches resulting in unauthorized use or disclosure of their personal information explains William D King. Most state statutes include a private cause of action provision permitting consumers. To file lawsuits against violators who engage in “unfair” or “deceptive” trade practices. A typical example would be when a company fails to keep sensitive data confidential. And a third party improperly gains access to the information.
Q: What are the damages I can recover against a company if their security breach compromised my personal information?
A: It depends. There are many legal theories (and statutes) that plaintiffs can turn to for relief. Including civil RICO claims, federal and state computer fraud & abuse acts, violations of telecommunications laws, unfair or deceptive trade practice acts, negligence claims, and others. In addition to the actual damages that result from an identity theft incident. Such as out-of-pocket costs associating with stole financial account numbers, medical bills. Resulting from a stole social security number being through a credit check. There also may be equitable remedies available in some circumstances.
There are many ways that plaintiffs can seek damages for identity theft says William D King. The key is trying to establish standing (i.e., whether the consumer falls within one of the categories who may sue). If standing exists, there are several potential legal theories depending on state law and federal statutes. That may provide an avenue for relief. It’s important, however, to make sure you consult with a qualified attorney before filing any lawsuit or complaint. Against the company responsible for the data breach.