How The Tort of Negligence Affects Data Breach Lawsuits

Laws such as the CPRA (California Privacy Rights Act) and the Illinois BIPA (Biometric Information Privacy Act) provide a private right of action and have been enormously successful in helping plaintiffs sue for damages after a cybersecurity breach. For most U.S. plaintiffs, however, these laws are unavailable: they protect only residents of the states that enacted them, California and Illinois.

So, what do other plaintiffs do? Most fall back on the old lawyer favorite: the tort of negligence.

The good (or bad) news is that the common law tort of negligence is available in every state. Although negligence is the most popular ground for data breach litigation, it has several features that make it difficult to use.

As every first-year law student knows, the tort of negligence has four elements:

  1. A duty of care
  2. A breach of that duty
  3. A causal connection between the breach and the injury (causation, including proximate cause)
  4. Damages

For example, if you are driving a car, you owe a duty to other drivers to do so safely. If you text while driving, you breach that duty.

If you then hit someone, there is a connection between your breach and the injury, and the injury itself supplies the damages. In contrast, if a driver on the other side of the highway runs off the road while looking at your accident, the connection may be too remote to count as proximate cause.

As you may remember from the Spokeo case (Spokeo, Inc. v. Robins, 2016), the Supreme Court focused on the injury: to have standing in federal court, a plaintiff must show a concrete harm, which in practice maps onto the damages element of negligence.

It reiterated the point in TransUnion LLC v. Ramirez (2021). Justice Kavanaugh put it simply: “No concrete harm, no standing,” and without standing there is no lawsuit in federal court. Merely asserting that a plaintiff’s stolen data may cause harm at some point is not sufficient.

There must be real damages and a real connection. A good example of a breach that produced damages is the theft of a Social Security number that was then used to file a false tax return. Theft of the Social Security number alone would not be sufficient, because the theft by itself may not have caused any damages.

Despite the Supreme Court’s two rulings, lower courts have softened the requirement in practice. One way plaintiffs have worked around Spokeo is to allege imminent harm or a substantial risk of harm. A general possibility of future harm, however, is probably not sufficient.

The concrete-harm requirement has not turned into an absolute bar. Spokeo itself was remanded to the Ninth Circuit, which held that the plaintiff had alleged a sufficiently concrete harm for the case to proceed.

In TransUnion v. Ramirez, the case also went forward, but with a smaller class: only the members whose inaccurate credit reports had actually been sent to third parties had standing.

The Supreme Court’s impediments are just that: impediments, not bars. Data breach litigation will continue to increase in 2022.

Last year, data breach lawsuits were filed across a wide range of industries, including e-commerce, finance, mortgage lending, technology, software and cloud services, health care, wellness, retail, and fast food.

Not just customers who are suing

There are also spin-off disputes. A forensic report on a breach written in support of a legal defense should be privileged and immune from discovery under the work product doctrine, but some courts have found that such reports are not protected. The practical lesson is to structure the engagement for litigation from the outset: outside counsel retains the forensic firm, the report’s purpose and distribution are limited to the defense, and it is not reused as the company’s general incident report, because courts have looked at exactly those factors when deciding whether a report is discoverable.

And it is not only customers who are suing. Shareholders have recently brought derivative lawsuits against officers and directors, including the directors of Marriott, Yahoo, and Home Depot. The most recent is against SolarWinds, filed in November 2021.

Besides stockholders, the SEC (Securities and Exchange Commission) has brought enforcement actions against organizations, notably the publishing company Pearson and the real estate title company First American.

The interesting thing about these actions is that they were brought not for suffering a breach, but for what the companies told investors: in First American’s case, disclosure controls that failed to surface a known vulnerability to the executives responsible for the company’s public statements, and in Pearson’s case, disclosures that described an incident that had already occurred as merely hypothetical.

The point is that you do not need a major law like the GDPR (General Data Protection Regulation), CPRA or BIPA to file and win a lawsuit, with potentially catastrophic consequences for the organization in question. The U.S. courts can be just as ruinous as any EU regulator.

U.S. organizations are just as much at risk as their EU counterparts, which is why we created our Privacy as a Service solution.

The packages in the service contain advice, guidance, and more from expert lawyers, barristers, and information security and cybersecurity specialists, who will guide you through bolstering your data privacy processes and technologies.

You’ll receive help with compliance monitoring, breach notification processes, and data privacy management.