SCOTUS leaves door open for victims of data breaches to sue
Decision to allow Zappos lawsuit sends unmistakable signal to victims, Congress, shareholders
Bloomberg reported this week that SCOTUS has allowed a customer lawsuit against Amazon’s Zappos to continue over a 2012 cyberattack that compromised the data of 24 million customers.
This leaves the door open on liability for data breaches -- and sends an unmistakable signal to Congress and regulatory agencies to get their act together.
Why It Matters
I have argued time and again that we won't move the needle on cyber risk until companies are held liable for attacks and privacy compromises. In cyber, liability should not simply be a calculation of how much damage a victim incurs from actual fraudulent transactions made against that victim using stolen data. A company's inaction or incompetence allows or enables that data to be stolen. That can be a vendor who leaves known vulnerabilities open in their software, or a company like Zappos/Amazon that failed to prevent that data from being taken from their networks.
Today, a data breach takes place and nothing happens. The attacked company takes a short-term stock hit. Maybe a token executive gets fired. They hire an incident response company to clean up and strengthen their network security -- or so we hope, without any independent scrutiny. They typically buy you a few months of credit monitoring. And that's it. The government holds nobody accountable. And shareholders don't hold boards accountable, because the companies they oversee are not held criminally or financially liable for their inaction or incompetence. And customers -- very often without even having a say in their relationship with the attacked company or in what data it holds on them (e.g., Equifax) -- are left compromised ten ways till Sunday.
This SCOTUS ruling is a clear signal that companies might be liable even if no actual damages materialize. This is not a terribly unreasonable scope of liability. Stolen data can take years before it turns into fraudulent charges or identities, and it can be extremely difficult to definitively tie such incidents back to a particular breach without access to the data that was compromised in the first place.