Legal Liability for Security Lapses and Breaches

J. Klosek (USA)


Privacy Law and Regulation, Security Technology, Electronic Commerce, Data Collection, Personal Records and Privacy


Around the world, computer systems are facing threats from a variety of sources and for a number of different reasons. Some threats, such as those posed by cyber terrorists, are quiet sinister in nature, while others, such as those posed by juvenile hackers, may not be accompanied by evil intent, but may be just as damaging. Still, other intrusions may result from the competitive practices of commercial enterprises. As a result of such risks, entities of all sizes and industries are being called upon to implement adequate technical, organizational, and structural measures to ensure the security of their computer systems, and most significantly, the personally-identifiable information (“Personal Information”) that is processed through their systems. In addition to facing extremely negative publicity, losing customers and revenues, entities that fail to provide adequate security to Personal Information in their possession are increasingly vulnerable to a variety of legal remedies including governmental enforcement actions and breach of contract claims, as well as private party and/or governmental claims that they have violated applicable privacy legislation by failing to protect the Personal Information in their possession. Using recent, relevant case examples, this paper shall explore the potential for legal liability for security lapses and breaches. Instead of viewing the potential liability of the hacker or other individual who actually perpetrates the harm, this paper shall examine the potential liability of the entity that has permitted the harm to occur by failing to implement proper technical, organizational and structural measures.

Important Links:

Go Back