Data Breach Doesn’t Necessarily Lead to Negligence
A recent federal case from the Eastern District of Virginia shows that monetary loss based on a data breach doesn’t always lead to a negligence claim. The case is Deutsche Bank Nat’l Trust Comp. v. The Buck Law Firm, et al., and can be found here. The facts are not too complicated: Deutsche hired Buck and another company, Altisource Portfolio Solutions, Inc., to conduct a real estate settlement. An alleged hacker emailed fraudulent wiring instructions to Buck from a “mimicked” email address purportedly belonging to Altisource. Buck consequently wired the payoff funds to an account that it thought was owned by Deutsche but that was, in reality, fraudulent.
Deutsche subsequently sued Buck, which then sued Altisource for contribution and indemnification. Buck argued that Altisource violated several Virginia common law duties it owed to Deutsche and should be responsible for any damages Buck was required to pay Deutsche.
The federal Court disagreed and noted that Virginia does not recognize “a common law duty to protect an individual’s private information from an electronic data breach …” Noting that this is an evolving area of the law and one that different states treat differently, the Court did allow Buck to amend its lawsuit to add claims for violations of Virginia and federal statutory law.
Businesses should expect to see more lawsuits filed in response to data breaches, as aggrieved parties attempt to recoup losses resulting from poor data protection policies.