3 Things the Litigator Says You Should Know

Three bits of privacy-related legalese that every business should understand

Edward McNicholas, a litigator for law firm Sidley Austin, says that litigators' traditional tongue-in-cheek slogan is, "God bless the person who sues my client." Data breaches are a likely source of such blessings going into 2007. Here are three bits of privacy-related legalese that McNicholas says every business should understand.

1. Strict Liability Norm is a standard of law that essentially says, if you cause the

problem, you are responsible for the results—regardless of whatever mitigating circumstances you might identify. California SB 1386 is an example: If you experience a breach exposing unencrypted

customer data, you must disclose that breach and suffer the brand and reputational harms associated

with that disclosure. It does not matter what other defenses (firewalls and so on) you had in place. Strict liability norms are relatively unusual; they are a signal that the lawmakers aim to make an example of anyone who runs afoul of the law. McNicholas says SB 1386 aims to shift the cost of the breach away from consumers and onto businesses, even when the company itself was also a victim.

2. Invasion of Privacy Tort Claims. If you expose customers' private data, whatever class-action lawsuits you suffer may well be based on one of these three claims:

  • Public disclosure of private facts means what it sounds like.
  • Intrusion upon seclusion says, essentially, that you barged in on someone's private space "in a manner highly offensive to a reasonable person." This charge is about losing data that you shouldn't have stored in the first place.
  • Trespass to chattels. "Trespass is the primordial tort claim that keeps getting recycled with each new advancement of society," McNicholas says. A trespass to data could mean any interference with data at all, operating on the assumption that people are the rightful owners of their own personal data.

    Also see "How to compare and use legal hold software

    Whether that assumption will be born out in court is not clear, but until litigators sort that out, McNicholas says, you can expect this tort claim to appear "in creative lawsuits."

3. The T.J. Hooper case illustrates a concept that could come into play regarding

your information security.

The T.J. Hooper tugboat lost its cargo (a coal barge) in a storm off of New Jersey in 1928. At that time,

maritime radio was in the very earliest stages of adoption. The owner of the coal sued because the T.J.

Hooper did not have a radio, which could have forewarned the boat and forestalled the loss.

Because almost no boats had radios, the tug's owner argued it was unreasonable to expect a radio on

the T.J. Hooper. But Judge Learned Hand ruled for the plaintiff. Regardless of what is customary, Hand

wrote, "there are precautions so imperative that even their universal disregard will not excuse their

omission."

In other words, you may have information protection strategies and technologies that are as good as

anyone in your industry, but you may still get "T.J. Hoopered." In court, breach victims may convince the

judge that, for example, though no other manufacturing company protects data by requiring tri-factor

authentication for network access, you should have.

–Derek Slater

Related:
Get the best of CSO ... delivered. Sign up for our FREE email newsletters!