Can You Be Sued for a Company Data Breach?

In 2021, a cyberattack against T-Mobile led to the exposure of millions of customers’ personal information. The mobile giant later settled a class action lawsuit admitting negligence. The price? $350 million. 

When a cybercriminal breaches a company’s IT systems and steals customer data, the legal ramifications can be felt for a long time. Civil liability following a cyberattack may include monetary compensation for economic losses incurred by your customers.

And it’s not just large enterprises that have to worry. Verizon’s 2023 Data Breach Investigations Report found that businesses with fewer than 1,000 employees experienced 699 incidents, while businesses with 1,000 employees or more dealt with 496 incidents. This may be the result of smaller businesses lacking proper defenses. 

But, as the costly T-Mobile data breach showed, even larger businesses with more resources aren’t immune. Data breaches can happen to anyone. 

Here’s what you need to know. 

Federal Data Privacy Law 

Other than the Privacy Act of 1974, which includes restrictions on agencies disclosing certain information without consent, the United States doesn’t have one comprehensive law regulating the protection of personal information. However, many industries are subject to specific data protection regulations, such as the Financial Modernization Act (The Gramm-Leach-Bliley Act), which directs financial institutions to protect the confidentiality of its customers’ personal information or face unspecified criminal or civil penalties. 

In addition, the Federal Trade Commission Act prohibits unfair or deceptive practices in the marketplace. The FTC can take actions against companies that fail to comply with their own privacy policies and for the unauthorized disclosure of personal data, possibly resulting in thousands of dollars in fines. 

Learn More: What is Zero Trust Security? 

Data Breach Laws in the Midwest 

What about individual states? Let’s look at a summary of data protection laws in our home bases of Wisconsin, Illinois, Indiana and Ohio. 

Wisconsin 

As noted in Wis. Stat. 134.98, a business operating in Wisconsin that experiences a data breach must notify the individuals whose personal information was accessed no later than 45 days following the date of discovery (unless the breach did not create a material risk of identity theft or fraud). 

Wis. Stat. 134.97 details requirements for the disposal of records containing personal information. Financial institutions, medical businesses and tax preparation businesses — or anyone under contract with such businesses — must erase or make such personal information unreadable before disposing of it.  

Individuals may sue businesses for damages resulting from the leak of personal information, including medical records, bank accounts and tax returns. Businesses may be fined up to $1,000 per violation. 

Illinois 

Like Wisconsin law, businesses operating in Illinois must notify individuals affected by a data breach within 45 days. The state’s Personal Information Protection Act says businesses are required to “implement and maintain reasonable security measures” to protect personal information from breaches. The state allows for civil penalties of up to $50,000 for each offense violating the law, with additional penalties for certain situations. 

Illinois also put privacy rules in place for biometric information. The Biometric Information Privacy Act requires businesses to protect biometric information, such as fingerprints, iris prints and voice scans, in the same manner as they would confidential and sensitive information. Intentional or reckless violations of this act could cost companies the greater of $5,000 or actual damages.

Indiana 

Businesses in Indiana are required to implement and maintain reasonable procedures to protect personal information from unlawful use or disclosure. 

Indiana requires businesses that own or license personal information to notify individuals when their unencrypted personal information has, or may have been, accessed as a result of the data breach. An intentional violation could result in a civil penalty of up to $150,000 per violation. 

Read More: What is the Average Recovery Cost of Cyberattacks?  

Ohio 

The Ohio Data Protection Act encourages businesses to put cybersecurity technology and policies in place by providing safe harbor protections. In other words, the law provides a legal defense if a business can show that it implemented reasonable information policies and security controls to protect customer data. 

Under safe harbor provisions of the law, damages cannot be imposed if a state court finds that a company had a reasonable cybersecurity plan when a breach occurred and followed it to the best of their ability. 

The obvious question is, what constitutes a reasonable and enforceable cybersecurity policy? The law provides several well-known and established best practice guidelines, beginning with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. 

What’s Your Risk of a Data Breach? 

Some insurance carriers provide cyber insurance to help protect your business against losses. But it’s important to understand exactly what an insurance policy handles and whether the insurer will cover costs for legal advice or defense during a lawsuit. That’s why it’s critical to take every precaution possible to protect your organization from a breach in the first place. 

A detailed cybersecurity policy and up-to-date IT protocols can protect you from an attack and the legal troubles that come with it. But it helps to know where you currently stand in your readiness. How prepared are you against cyberattacks? Click below and spend a few minutes taking our free cybersecurity risk assessment, and look for your results and actionable recommendations in your inbox after you’re finished.