The evolving standards of data breach law

One of the more interesting facets of the rise of data breach class action lawsuits centers on the laws that plaintiffs choose as the vehicle of their cases. As we’ve discussed, there is currently a patchwork of laws, depending on the state and nature of the claim, from which to choose. Commentators, and maybe even Congress, are starting to take note.

For example, the Volokh Conspiracy's Stewart Baker has an interesting recent post about whether tort law by itself can effectively force companies to improve and maintain their cybersecurity. Baker thinks not, and his post begins this way:

Government policymakers have been hoping for twenty years that companies will be driven to good cybersecurity by the threat of tort liability. That hope is understandable. Tort liability would allow government to get the benefit of regulating cybersecurity without taking heat for imposing restrictions directly on the digital economy.

Those who see tort law as a cybersecurity savior are now getting their day in court. Literally. Mandatory data breach notices have led, inevitably, to data breach class actions. And the class actions have led to settlements. And those freely negotiated deals set what might be called a market price for data breach liability, a price that can be used to decide how much money a company ought to spend on security.

On the lawmaking side, two recent pieces — this one from Banker & Tradesman and this one from the Phoenix Business Journal — demonstrate that those in the financial realm have begun to pay attention to the rise in data breach suits and are pushing Congress for uniform data breach standards.
