THE STATE OF DATA-BREACH LITIGATION AND ENFORCEMENT: BEFORE THE 2013 MEGA BREACHES AND BEYOND
By Evan M. Wooten1
Over the past year, data breach and security have come to dominate the privacy law landscape. High-profile breaches at numerous retailers leading into the 2013 holiday season brought widespread awareness to risks that businesses have been navigating for the better part of a decade, if not longer. Consumers awoke to the reality that electronic systems are under constant threat of intrusion from malware, hackers, and foreign states. Lawmakers reacted to consumer alarm and unrest with calls for accountability and reform. Industry groups, governmental entities, and information-sharing systems representing public and private bodies increased efforts to identify threats and enhance security. And, of course, litigation ensued.
After a brief overview, this article will explore (i) traditional data-breach litigation and public enforcement efforts; (ii) the state and federal response to recent high-profile breaches; and (iii) significant developments in case law and enforcement since the 2013 mega breaches. The 2014 holiday season brought more high profile breaches, bringing the issue back into focus and ensuring additional litigation. Data-breach lawsuits are nothing new, but there can be no question that the data-security landscape is changing. The question is, will changes in public perception and awareness auger different results in litigation and enforcement? Thus far, the answer has been mostly ‘no,’ but several developments warrant attention and bear watching in the future. Practitioners will want to familiarize themselves with existing law and keep close tabs on evolving issues.
DATA BREACH OVERVIEW