
Will Data Breach Notification Laws Be a Boon for Plaintiffs' Lawyers?

By Casey C. Sullivan, Esq. on January 18, 2017 1:00 PM

When a company experiences a data breach, Massachusetts wants the public to know. The commonwealth is currently expanding its public Data Breach Notification Archive to include information about security breaches affecting Massachusetts citizens -- going all the way back to 2007.

Massachusetts isn't alone. California, Oregon, and Washington all have laws allowing public access to data breach information. And those laws, some wager, could be great news for the plaintiffs' bar.

Will Public Databases Increase Litigation?

Under Massachusetts law, when a company learns of a security breach involving the personal information of a Massachusetts resident, it's required to notify the state's Attorney General and Office of Consumer Affairs. (The laws on the West Coast work similarly.)

Shortly after the New Year, the Massachusetts Office of Consumer Affairs announced that it would make that information publicly available online, pursuant to an update to the state's public records law.

Legaltech News's Gabriella Orum Hernandez recently spoke to lawyers about the possible impacts of the law -- and several expected it to benefit plaintiffs' attorneys.

"It heightens the litigation risk," Nelson Mullins associate Bess Hinson told Hernandez.

Chris Dore, a partner at Edelson, echoed that sentiment, saying that such public databases could be used to research data security violations and establish patterns of negligence. But, he said, they weren't likely to radically change the firm's strategy.

Will Standing Stand in the Way of Litigants?

Not everyone expected the databases to make much of a difference. Jones Day partner Mauricio Paez explained that any potential increase in litigation could be offset by the difficulty of showing standing in such cases. Last term's Supreme Court decision in Spokeo v. Robins, for example, emphasized that a breach of privacy alone isn't enough for standing, without showing some further, concrete harm.

Further, for major breaches, the databases might not be that helpful. "For those breaches that are candidates for private claims by the plaintiffs bar," Paez says, "those tend to be the very large breaches, and those are made public anyway because they're highly publicized."

Of course, lawyers might not just be the ones filling out data breach notices for clients, or litigating on behalf of affected consumers. With 14 percent of all law firms, and 26 percent of large firms, having experienced some sort of data breach according to the ABA's 2016 Techreport, it's possible that some firms might have their own breaches revealed in the databases as well.
