Liability of a Business for Failing to Secure Customer's Data
There's an emerging body of law of businesses being sued because of security breaches that allow access to customer's data. For a discussion of some recent court opinions on the subject, take a look at this post at the Privacy and Security Law Blog.
These cases arise under both contract and tort theories, including negligence. The application of Tennessee comparative fault principles - i.e., blaming the persons who actually steal the data rather than the company who fails to secure it - may lead to some interesting developments. First, comparative fault does not apply to breach of contract cases. Second, Limbaugh v. Coffee County Med. Ctr. would likely prevent the company from effectively blaming the computer hacker who stole the data. If Limbaugh logic applies to the data theft cases, then even if a company convinced the jury to put most of the fault on the hacker, the company would still be responsible for paying the judgment.
With more and more technology companies headquartering in Tennessee, we will likely see some decisions on these issues in the near future.