Paul Rosenzweig recently published an article in New Republic that discusses what he believes is a rising trend in tort law that would establish a common law liability doctrine for consequential damages caused by inadequate or negligent cybersecurity measures.
Rosenzweig argues that the evidence for such a trend can be found in two recent federal appellate court cases: Patco Construction Company Inc. v. People’s United Bank (1st Cir. July 2012) and Lone Star Bank, et al. v. Heartland Payment Systems (5th Cir. Sept. 2013).
In Patco, the plaintiff company’s cyber profile was hacked, giving the attackers Patco’s banking credentials, which were later used to siphon large sums of money out of its People’s United account into an offshore account.
The appellate court found that People’s United Bank’s reliance on password authentication, its choice to overlook transaction-based alerts and unusually large offshore monetary transfers, and its reliance on answers to security questions constituted “commercially unreasonable” conduct, and it reversed the district court’s decision. The case was remanded and soon thereafter settled out of court.
According to Rosenzweig, this case represents “the first time a financial institution (or any other commercial entity for that matter) had been obligated to settle a claim premised on its own ‘commercially unreasonable’ cybersecurity failures.”
In Lone Star, we see a similar appellate court ruling (although the bank wins in this second case). After Heartland Payment Systems was hacked in 2009, causing the credit card data of 160 million customers to be lost, the issuing banks sued Heartland to recover the losses from the fraudulent use of stolen data, the cost of replacing credit cards, and the cost of providing consumers with credit monitoring systems. The suit was initially dismissed by the district court. On appeal, the court found that the issuing banks had a viable negligence claim against Heartland for its cybersecurity shortcomings and reversed the lower court’s decision.
I’ll leave you with the closing to Rosenzweig’s article:
It is still too early to tell how this may all shake out. But for now, it looks like we stand at the dawn of a new era of cybersecurity tort liability. That would be a significant change, if it comes to pan.