What do Yahoo, Equifax, Target, Home Depot, J.P. Morgan Chase, and the Democratic National Committee all have in common? Answer: they have all been the targets of recent, successful, and highly publicized data breaches. A recent survey by the Pew Research Center found that an alarming 6% of Americans have reported someone having impersonated them to file fraudulent tax returns; 15% reported that their Social Security number had been compromised; 16% reported their email accounts having been taken over by an unauthorized third-party; and a whopping 41% of Americans reported fraudulent charges on their credit cards. Data security—whether in terms of protecting confidential customer financial information, employee Social Security Numbers, or proprietary trade secrets—has become a major issue for both individuals and businesses of all sizes. The regularity of such high profile data breaches has resulted in substantial litigation wherein state and federal courts have been called upon to determine under what circumstances a business may ultimately be held liable for the inadvertent breach of sensitive employee or consumer data.
In Bradix v. Advance Stores Company, Inc., the Louisiana Fourth Circuit Court of Appeal became one of the first Louisiana state courts to address corporate data breach liability.[1v] Walter Bradix, IV was employed by Advance Stores Company, Inc. d/b/a Advance Auto Parts (“Advance”) when he received a letter notifying him that Advance had suffered a data breach in which employee names, social security numbers, gross wages, and certain tax information had been stolen by a third-party.[v] In response to the breach, Advance notified its employees, and provided free identity protection services for two years.[v1] Mr. Bradix filed a class action petition against Advance, seeking to recover under theories of negligence, breach of fiduciary duties, and invasion of privacy.[v11]
The Louisiana Fourth Circuit affirmed the trial court’s judgment dismissing all of Mr. Bradix’s claims against Advance, finding that, unless Mr. Bradix could prove that he had suffered actual damages beyond merely the theft of his data, he did not have legal standing to maintain an action against his employer.[v111] The court’s holding hinged in large part upon the fact that Mr. Bradix had only alleged that someone had stolen his personal information. He had not alleged that someone stole his identity; i.e., he had not alleged that the thief had actually used the stolen information to pose as Mr. Bradix for financial gain.[1x] The court dismissed Mr. Bradix’s claims in their entirety, finding that he had alleged only “theoretical injuries.”[x]
Similar to the Louisiana Fourth Circuit’s holding in Bradix, numerous federal courts around the country have held that a plaintiff may not maintain a cause of action against a company for failing to safeguard one’s personal data unless the plaintiff has suffered actual damages, usually in the form of being victimized by identity thieves.[x1] These cases generally hold that an increased risk or credible threat of impending harm resulting from a data breach is legally insufficient for an aggrieved plaintiff to maintain a cause of action against a company for failing to safeguard his or her personal information.[x11] Nevertheless, businesses are likely to face liability where a plaintiff alleges not merely that his or her data has been stolen, but also that he or she has actually been a victim of identity theft. Litigants routinely allege that a data breach was made possible by inadequate corporate data security practices, and, where a plaintiff has actually been damaged by the dissemination of his or her data, corporate liability may exist under theories of negligence, invasion of privacy, and others. For instance, the United States Court of Appeals for the Eighth Circuit recently held that a plaintiff had standing to sue a chain of grocery stores for damages allegedly caused by a data breach, where he alleged that fraudulent charges appeared on his credit card and that that data breach itself resulted from the defendants’ failure to employ adequate security safeguards.[x111]
Additionally, some courts have found that a company may be held liable simply for failing to properly safeguard an individual’s data, even absent allegations of actual damages or identity theft. In a recent case from the United States Court of Appeals for the Seventh Circuit, the court held that it made no sense to force aggrieved plaintiffs to wait until they had actually been defrauded to sue, in part because “the more time that passes between a data breach and an instance of identity theft, the more latitude a defendant has to argue that the identity theft is not fairly traceable to the defendant’s data breach.”[x1v]
As this area of the law continues to evolve, the bar for stating a claim against a company following an inadvertent data breach continues to vary from one jurisdiction to another. Under Louisiana law, the precise scope of liability will remain unclear until either the other Louisiana appellate courts, the legislature, or the Louisiana Supreme Court have addressed the issue. What is clear is that there is likely to be further litigation in this area, given the relative frequency of corporate data breaches.
The best defense against data breach liability is prevention, beginning with a robust cybersecurity protocol and regular cybersecurity training for employees at all levels. If a data breach occurs, counsel should be consulted to ensure compliance with any applicable state laws creating notification obligations upon the company.[xv] In Louisiana, for instance, the Louisiana Database Security Breach Notification Law provides that failure to promptly disclose a data breach can give rise to additional liability.[xv1]
Associate in the firm's New Orleans office who practices primarily in the commercial litigation and oil & gas practice areas
For more information on data protection, check out:
 See, e.g., Selena Larson, Every Single Yahoo Account Was Hacked - 3 Billion in All, Cnn.com, Oct. 4, 2017, http://money.cnn.com/2017/10/03/technology/business/yahoo-breach-3-billion-accounts/index.html; Margaret Brenna, U.S. Has High Confidence Russian Intelligence Agency Hacked DNC, DCCC, CBS News, Dec. 12, 2016, http://www.cbsnews.com/news/us-has-high-confidence-russian-intelligence-agency-hacked-dnc-dccc/; Seena Gressin, Attorney, Division of Consumer & Business Education, FTC, The Equifax Data Breach: What to Do, Fed. Trade Comm'n, Sep. 8, 2017, https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do; Taylor Armerding, The 16 Biggest Data Breaches of the 21st Century, CSOOnline.com, Oct.11, 2017, https://www.csoonline.com/article/2130877/data-breach/the-16-biggest-data-breaches-of-the-21st-century.html.
 Kenneth Olmstead and Aaron Smith, Americans and Cybersecurity, Pew Res. Ctr., Jan. 26, 2017, http://www.pewinternet.org/2017/01/26/americans-and-cybersecurity/.
 See, e.g., 2017 Data Breach Litig. Report, Bryan Cave, LLP, available at https://d11m3yrngt251b.cloudfront.net/images/content/9/6/v2/96690/Bryan-Cave-Data-Breach-Litigation-Report-2017-edition.pdf (providing a comprehensive analysis of class action lawsuits involving data security breaches filed in federal courts).
[x1] See, e.g., Khan v. Children's Nat'l Health Sys., 188 F. Supp.3d 524, 524 (D. Md. 2016) (stating: The Court therefore concludes that in the data breach context, plaintiffs have properly alleged an injury in fact arising from increased risk of identity theft if they put forth facts that provide either (1) actual examples of the use of the fruits of the data breach for identity theft, even if involving other victims; or (2) a clear indication that the data breach was for the purpose of using the plaintiff's personal data to engage in identity fraud).
[x11] See e.g., In re Science Applications Int'l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 27-28 (D. D.C. 2014) (discussing numerous cases and stating, "In sum, increased risk of harm alone does not constitute injury in fact" so as to confer legal standing to sue upon plaintiff).
[xv1] See La. Rev. Stat. Ann. § 51:3075 ("A civil action may be instituted to recover actual damages resulting from the failure to disclose in a timely manner to a person that there has been a breach of the security system resulting in the disclosure of a person's personal information").