
Data Breaches and Legal Liability: Responsibilities of Business
As businesses digitize more of their operations, data breaches have become a growing risk
for companies of every size and sector. A breach can bring substantial financial losses,
reputational damage, and legal consequences. Companies therefore need a clear understanding
of the legal liabilities they face and must put preventative measures in place to reduce the
likelihood and impact of a breach. This article outlines the duties of businesses when a
data breach occurs and the legal repercussions an organisation may face as a result.

Understanding Data Breaches

Before turning to the legal ramifications, it helps to define what we mean by a data breach.
A data breach occurs when unauthorised parties gain access to sensitive or confidential
information held by a company, including information about its customers. This can be
anything from credit card numbers to personal health records; personal information, business
records, intellectual property, and trade secrets all fall within the category.[1] The effects
of a breach can be far-reaching: significant financial losses, damage to reputation and
customer trust, and the possibility of legal action against the company.

Legal Liability of Businesses

When a data breach occurs, businesses may face legal liabilities from various angles. Let's
take a closer look at some of the key areas where businesses may be held legally responsible:

Data Security Obligations

Businesses have a legal obligation to protect their customers' personal information from the
point of collection and throughout storage and processing. They are responsible for putting
suitable security measures in place so that the information is not accessed, disclosed, or
leaked in an unauthorised manner. Where these obligations are not met, the business may be
held accountable through legal proceedings.

[1] California Department of Justice, "Data Breach Reporting Frequently Asked Questions," accessed July 2023,
https://oag.ca.gov/privacy/databreach/faqs.

Breach Notification Requirements

Many jurisdictions have enacted laws that require a business to notify affected individuals
and the competent authorities when a data breach occurs. These breach notification rules
generally call for prompt and transparent disclosure to every party that may have been
affected, and failure to comply can result in penalties and fines.[2] The deadlines are
specific: the GDPR, for example, requires notification to the supervisory authority within
72 hours of becoming aware of a breach where feasible, so the clock starts at detection, not
at the end of the investigation. It is therefore essential that a company maintains a
comprehensive data breach response plan that spells out the steps for notifying affected
individuals and the relevant authorities without delay.

Privacy Laws and Compliance

Beyond their general duty to protect data, organizations must also comply with the privacy
laws and regulations specific to their industry or jurisdiction. The European Union's General
Data Protection Regulation (GDPR), for instance, imposes strict requirements on firms that
process the personal data of individuals in the EU, and violations of privacy law can attract
substantial fines. To reduce their legal exposure, businesses need proper data protection and
compliance mechanisms in place, together with a thorough understanding of the laws and
regulations that apply to them.[3]

Contractual Obligations

Businesses routinely enter into contracts with clients, business partners, and suppliers, and
these contracts often contain provisions on data protection and security. A company may be
held liable for breach of contract if a data breach results from its failure to meet those
contractual obligations. Companies should therefore review and understand the data protection
duties in their contracts and implement the security measures needed to fulfil them.[4]

[2] United States Congress, "Health Information Technology for Economic and Clinical Health Act (HITECH
Act)," Public Law 111-5 (2009).
[3] Information Commissioner's Office, "Guide to the General Data Protection Regulation (GDPR)," accessed
September 2021, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/.
[4] Millar, Aileen. "Breach of Contract." In Research Handbook on Remedies in Private Law, edited by Elise Bant
and Andrew Robertson (Cheltenham: Edward Elgar Publishing, 2019), 134-153.

Negligence Claims

In some circumstances, harmed individuals or affected consumers may bring negligence claims
against a firm for failing to implement reasonable security measures. Companies have a duty to
safeguard the information entrusted to them, and a failure to do so can carry legal
consequences. Because a negligence claim turns on whether the measures in place were
reasonable at the time, businesses should invest in robust security controls, conduct and
document regular risk assessments, and keep abreast of developing cybersecurity threats.[5]

Mitigating Legal Liability

While data breaches pose significant legal risks, businesses can take steps to mitigate their
liabilities:

Implement Robust Security Measures

To keep confidential customer information safe, businesses should invest in comprehensive
security controls: keeping all systems and security measures up to date, encrypting sensitive
data, and conducting regular security audits. By continually reviewing and strengthening the
controls they have in place, businesses both lower the risk of a breach and demonstrate their
commitment to protecting sensitive information.[6]

Create a Data Breach Response Plan

A comprehensive data breach response plan is essential. It should specify the steps to take
when a breach occurs: activating the incident response team, preserving evidence such as logs
and disk images before affected systems are rebuilt, conducting forensic investigation, and
notifying affected individuals and authorities. With a plan that has been prepared and
rehearsed in advance, a business can react quickly and effectively, minimising the impact of
the breach and demonstrating its commitment to resolving the issue.[7]

[4] Millar, Aileen. "Breach of Contract." In Research Handbook on Remedies in Private Law, edited by Elise Bant
and Andrew Robertson (Cheltenham: Edward Elgar Publishing, 2019), 134-153.
[5] Sotto, Philip Gordon, and Monique Bhargava. "Cybersecurity." In Thomson Reuters Practical Law Global
Guide 2020 (Thomson Reuters, 2020), 1-47.
[6] Winkler, Dawn M. "Data Breach Prevention and Response: A Practical Guide." In The Cybersecurity
Handbook, edited by Thomas J. Mowbray and Samantha L. Rouse, 119-141. Hoboken, NJ: Wiley, 2020.

Stay Compliant with Data Protection Laws

Businesses must ensure they comply with the current privacy laws and regulations that apply to
their operations. Compliance not only helps prevent data breaches but also demonstrates a
commitment to protecting personal data. Achieving it requires continuous monitoring of legal
requirements, keeping policies and procedures up to date, and giving personnel appropriate
training.

Encrypt and Anonymize Data

Encryption and anonymization add a further layer of protection for confidential information.
Encryption renders data unreadable to anyone without the key, while anonymization and
pseudonymization make records unlinkable to specific individuals, so even if a breach occurs
the potential harm is reduced. Data should be encrypted both at rest and in transit, and the
encryption keys must be stored separately from the data they protect; a key kept alongside
the database is disclosed with it. Pseudonymized data likewise remains personal data as long
as the re-identification key exists, so that key needs the same separation.
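The following is an added example, not code from the original article, showing the
unlinkability half of the paragraph above: direct identifiers are replaced by keyed HMAC
tokens and quasi-identifiers are generalized, and a k-anonymity check confirms that no record
remains unique. Encryption at rest and in transit is left to TLS and a library such as an
AES-GCM implementation; this block uses only the Python standard library. The customer
records, the column names and the `protect` helper are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records for illustration; the people and values are made up.
RECORDS = [
    {"email": "Alice@example.com", "zip": "94105", "age": 34, "diagnosis": "asthma"},
    {"email": "bob@example.com",   "zip": "94110", "age": 38, "diagnosis": "migraine"},
    {"email": "carol@example.com", "zip": "10001", "age": 52, "diagnosis": "asthma"},
    {"email": "dave@example.com",  "zip": "10003", "age": 57, "diagnosis": "diabetes"},
]

# Columns that identify a person in combination (e.g. ZIP + exact age).
QUASI_IDENTIFIERS = ("zip", "age")


def pseudonymize(value: str, key: bytes) -> str:
    """Replace a direct identifier with an HMAC-SHA256 token.

    The same (normalized) input always maps to the same token under the same key,
    so records can still be joined. Without the key the token cannot be reversed
    or linked to tokens issued under a different key, which is why the key must
    live apart from the data it protects (a KMS/HSM, not a file beside the DB).
    """
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def generalize(record: dict) -> dict:
    """Coarsen quasi-identifiers so individuals fall into larger groups:
    a 5-digit ZIP becomes its 3-digit prefix, an exact age a ten-year band."""
    decade = record["age"] // 10 * 10
    return {
        "zip3": record["zip"][:3],
        "age_band": f"{decade}-{decade + 9}",
        "diagnosis": record["diagnosis"],   # the sensitive attribute being protected
    }


def k_anonymity(rows: list, quasi: tuple) -> int:
    """Size of the smallest group sharing identical quasi-identifier values.
    k == 1 means at least one row is unique on those columns, i.e. re-identifiable."""
    groups = Counter(tuple(row[q] for q in quasi) for row in rows)
    return min(groups.values()) if groups else 0


def protect(records: list, key: bytes) -> list:
    """Pseudonymize the direct identifier and generalize the quasi-identifiers."""
    protected = []
    for rec in records:
        row = generalize(rec)
        row["subject"] = pseudonymize(rec["email"], key)
        protected.append(row)
    return protected


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # hypothetical: fetched from a key service in practice
    print("raw k =", k_anonymity(RECORDS, QUASI_IDENTIFIERS))          # every row unique
    safe = protect(RECORDS, key)
    print("protected k =", k_anonymity(safe, ("zip3", "age_band")))   # 2 per group
    for row in safe:
        print(row)
```

Running the block on the constructed records gives k = 1 before protection (each ZIP and
exact-age pair is unique) and k = 2 afterwards, while a dump of the protected rows contains
no e-mail addresses and the `subject` tokens cannot be reversed or joined to another dataset
without the HMAC key.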

Educate Employees and Users

Human error is one of the most common causes of data security breaches. Employers should give
staff regular training on effective data protection practices, and should also educate
clients and users about secure data handling, such as choosing strong passwords and being
wary of phishing attempts.[8] By cultivating a culture of data security and investing in
education and awareness, businesses equip their employees and users to stay vigilant and
help prevent breaches.

[7] United States Computer Emergency Readiness Team (US-CERT). "Incident Response Assistance for
Healthcare and Public Health Sector." Accessed July 2023. https://us-cert.cisa.gov/resources/incident-response-assistance-healthcare-and-public-health-sector.
[8] Moore, Tyler. "Security Fatigue: How Users Avoid Security Software." Proceedings of the 2016 CHI
Conference on Human Factors in Computing Systems (2016): 4605-4615.

Conclusion

Data breaches have become an unavoidable aspect of doing business today, and companies must be
ready to deal with the legal consequences they bring. By understanding their legal
responsibilities and taking preventative action, businesses can protect themselves, their
customers, and their reputations. Prevention is always preferable to coping with the fallout
of a breach. Implementing strong security measures, maintaining a well-defined and rehearsed
breach response plan, staying compliant with data protection law, encrypting and anonymizing
data, and educating employees and users together reduce legal liability and make the digital
environment safer for everyone involved.
