Cybersecurity Standard For Liability Is Muddled

The Equifax case may set the standard for bad cybersecurity and bungled incident-response combined with the importance of the data and the number of people affected, according to an article in Lawfare. But, the authors observe, the lower limit for acceptable standards is unclear. They point out that all cybersecurity regimes are a series of processes that are subject to error, and no large-scale entity is impenetrable, so breaches can and will happen, even when care is exercised. Because each breach is different, there is as yet no coherent standard of care that courts look to for data protection. The attack motives also vary from theft to international espionage. In September, in northern California’s federal district court, Judge Lucy Koh upheld the right of victims to sue Yahoo for breaches between 2013 and 2016, and in another ruling, upheld a class of health insurance company Anthem’s breach victims right to sue for a recently revealed second breach, not long after Anthem paid$115 million for the first breach.