Recovering Data Breach Losses from Non-Contractual Parties

A post on Dykema’s The Firewall blog considers the question: Who bears the loss from a breach perpetrated by a data breach fraudster: the consumer whose data was compromised, the financial institution where the data was used, or the business that failed to protect the data?

The author, David B. West, writes that the answer depends on which law applies.

“While statutes require banks and their vendors to protect customers’ Personally Identifiable Information (‘PII’), the obligation of other businesses to do so is not as well defined,” West explains. “Regulatory obligations to protect data vary by industry and geography.”

He also discusses relying on common law to recover data breach losses, recovering damages, and the need for a consistent ability to recover losses.

Read the article.