These days, conversations about enterprise risk are often dominated by the topic of cybersecurity. One aspect of this risk involves potential civil liability for cybersecurity problems, especially where personally identifiable information (PII) is exposed. The Sedona Conference, long considered a bellwether of e-discovery thought leadership, has set its sights on cyber liability. At a recent Sedona Conference dialogue bringing together a diverse group of judges, law enforcement officers, prosecutors, regulators, corporate counsel, cybersecurity consultants, plaintiff and defense lawyers (and probably others), several theories of cyber liability were discussed.
Data breach notification laws provide a rich source of potential claims where cybersecurity is breached. At last count, 46 states have enacted such laws, and these laws are based on varying definitions of PII. In addition, federal laws aimed at certain industries provide other definitions of PII. Examples of data elements included under the definitions of PII under these laws include social security numbers, driver's license numbers and account numbers. Companies have frequently been sued for alleged failures to disclose required information about security breaches in a timely manner. However, because the definition of PII varies among state and federal laws, business enterprises face vexing challenges in assessing the scope of their legal obligations and in developing appropriate security safeguards for different data and systems in light of those obligations.