The Duty To Safeguard Personal Data From Future Theft

The chief judge of the U.S. District Court for the Northern District of Georgia recently ruled that several consolidated lawsuits against Equifax over the data breach that occurred in 2017 may move forward. The lawsuits were filed by 96 people on behalf of a proposed class of all consumers whose personal and financial data was stolen in the breach.

The data breach affected more than 146 million consumers—nearly half of all Americans. Over a three-month period in 2017, cybercriminals stole at least 146.6 million names, dates of birth, and 145.5 million Social Security numbers, as well as 99 million addresses, 17.6 million driver's license numbers, 209,000 credit card numbers, and 97,500 tax identification numbers.

Lawyers for Equifax argued that exposure of personal information was not an injury and that the data breach had not led to any "actual harm" and only "speculative future harm." The chief judge disagreed because the affected consumers allege they have been harmed either by experiencing identity theft or by having to take measures to protect themselves from the "serious and imminent risk of fraud and identity theft" they all face as a result of the breach. 

The chief judge was not convinced by Equifax's argument that it could not foresee criminal acts committed by outside parties and should not be liable for them. The judge noted that Equifax made public statements showing that it knew its data was valuable to cybercriminals and susceptible to hacking. Equifax had experienced previous breaches and ignored warnings from cybersecurity experts that its systems were "dangerously deficient" and faced "a substantial risk of an imminent breach," according to the judge.

The chief judge called the data breach "unprecedented" and rejected Equifax's request to dismiss the lawsuits. He concluded that "Equifax owed the plaintiffs a duty of care to safeguard the personal information in its custody." He stated that the "defendants knew of a foreseeable risk to its data security systems but failed to implement reasonable security measures." Robin McDonald, "Judge OKs Equifax Lawsuits Over Massive Data Breach" (Jan. 28, 2019).


Contrary to Equifax's assertions in the lawsuit above, Equifax CEO Mark Begor, when asked during recent testimony before Congress, said he was not willing to disclose his personal identification information in the hearing because of the harm that could follow from the release of that information. He admitted he has been a victim of identity theft in the past. So, just like the judge and everyone else, the Equifax leadership acknowledges the harms that can follow a data breach.

Because organizations have a duty of care to safeguard personal data in their possession, they can be held liable if they do not take measures to address cyber vulnerabilities.

The first step is to have either the internal IT department or a third-party cybersecurity firm audit the organization's cybersecurity protections and practices. This audit should look for all areas where the organization is exposed to cybercrime, including network security software and employee cybersecurity practices.

Then, work with the internal IT department or the third-party cybersecurity firm to develop a plan for shoring up these vulnerabilities. Organizations may not be able to fix every weakness immediately; however, it is essential to create a step-by-step plan for working toward complete protection that addresses the most pressing vulnerabilities first. Begin taking action on the plan immediately, using all available resources.

Review the plan annually to consider whether there are new cyberthreats that should now be included. If a new risk has arisen, decide where in the plan it needs to be added based on the level of risk it poses.

If cybercriminals do access employee or customer data while the organization is in the process of implementing the cybersecurity plan, showing that the organization assessed its vulnerabilities and was using all available resources to fix them, starting with those that pose the greatest risk, may help lessen the damages assessed in a lawsuit.
