Sixth Circuit's Decision on Privacy Claims over Data Breaches

But small to midsize businesses often fail to appreciate the risk of a data breach to their own business. They may believe that they are not targets because of their size or because they do not hold valuable information. Their “not in my business” assumption is wrong. Indeed, because security measures adopted by small and medium size businesses may not be as up-to-date as those used by national and multinational corporations, and because of the value of data held by every business, regardless of its size, these smaller entities may be just as likely to have their systems targeted as the big corporations. Businesses — regardless of their size — could incur high costs in responding to a breach with a forensic investigation, remediation, notification, and reputation damage control, as well as potential fines under breach notification statutes.

Still, businesses could take heart that there was a relatively low risk of tort litigation brought by those individuals whose data had been exposed. Some states, such as New York, do not recognize a common law right to privacy from which a tort claim could arise. It does, however, recognize statutory privacy claims, but only in strictly limited cases, such as for invasion of privacy in advertising or for a commercial purpose, or where a unique relationship between parties (such as doctor/patient or attorney/client) creates a duty. See, e.g., Messenger v. Gruner & Jahr Printing & Publishing, 94 N.Y.2d 436 (2000); Foster v. Svenson, 128 A.D.3d 150 (1st Dept. 2015); Farrow v. Allstate Ins., 53 A.D.3d 563 (2d Dept. 2008). See also, Civil Rights Law §§50 and 51. Federal privacy statutes also provide for recovery only in limited circumstances. As such, once the direct costs of responding to a breach had been borne, the risk of subsequent litigation was low.