Do Data Breaches Count as Negligent Security?

There was a time when ‘negligent security' primarily referred to preventable security breaches at brick-and-mortar locations, but not anymore. The recent data breaches of major US retailers Target and Neiman Marcus show that cybercrime is leading to a type of personal injury or professional malpractice (financial loss) for consumers, and it's the retailers' responsibility to take the necessary steps to protect their customers.

For those who missed the data breach story over the holiday season, here's what you need to know: between November 27th and December 15th, up to 40 million of Target customers' debit and credit card information was hacked, and up to 70 million customers also had their names, home addresses, and email addresses compromised. Individuals and businesses were outraged by the breach, which led to some significant financial losses. Putnam Bank has already sued Target due to financial losses from reissuing cards and reimbursing customers for fraudulent purchases, and other banks are following suit.

As if that's not bad enough, the upscale Dallas-based retailer Neiman Marcus also recently discovered that they'd been hacked and that customers' card information had been compromised. Neiman Marcus says that it warned customers as soon as it became aware of the breach. Because thetiming of the Neiman Marcus correlates with the Target breach, it's now believed that Target, Neiman Marcus, and three other retailers were all hit in a coordinated cyber-attack.

The recent attacks raise new questions surrounding liability, and many consumers are wondering if Target and Neiman Marcus could have done more to protect their private information.

Target Was Warned about Security Risk

In the case of Target at least, the company had some warning that they were at risk for a security breach. According to a Seattle law firm that is filing a new complaint against Target, the retailer was warned by a security expert that its point-of-sale systems had weaknesses. Because Target failed to take any actions to address the weaknesses that ultimately led to the breach, they may be found liable for negligent security.

Target is also being criticized of—and sued for—failing to notify customers of the security breach until four weeks after it happened. That means that customers weren't on the lookout for fraudulent activity on their credit or debit cards until up to a month after their information was compromised, and some individuals (as well as their banks) were more likely to incur significant financial losses, as a result. Target is facing dozens of lawsuits from customers, as a result.

Andrew Winston is a partner at the personal injury law firm of Lawlor Winston White & Murphy. He has been recognized for excellence in the representation of injured clients by admission to the Million Dollar Advocates Forum, is AV Rated by the Martindale-Hubbell Law Directory, and was recently voted by his peers as a Florida "SuperLawyer"—an honor reserved for the top 5% of lawyers in the state—and to Florida Trend's "Legal Elite."