Companies that suffer from cyber security breaches or cyber vulnerabilities increasingly face claims of failing to implement adequate cyber security measures, deceiving others around the extent of their data security measures, or inadequately notifying the individuals whose personal information may have been at risk.

The Legal Risks

At the federal regulatory level, the Federal Trade Commission (FTC), the Department of Health and Human Services, the Federal Communications Commission, the Consumer Financial Protection Bureau, the Commodity Futures Trading Commission, and the Securities and Exchange Commission have all taken action against companies that, in their view, violated federal laws covering data security.

The FTC, in particular, has authority to prevent “unfair or deceptive” trade practices under Section 5 of the FTC Act. It has taken the position that a failure to employ reasonable and appropriate data security practices constitutes an “unfair” practice under the statute, and that misleading consumers about data security risks or practices can constitute a “deceptive” practice.

State and city regulators, predominately state attorneys general, have also taken action against companies that allegedly employed insufficient data security practices, asserting that such practices violated laws prohibiting unfair or deceptive conduct, specific statutory data security requirements, and data breach notification laws.

Companies that experience a breach or vulnerability may also face private claims. Most commonly, such claims are brought by the individuals (such as consumers or employees) whose data was allegedly compromised in a data breach.