Ira: The future of cyber liability in Indiana

June 14, 2017

By Adam Ira


There is no shortage of headlines reporting on major data security breaches across the United States. It is no surprise that the wheels of justice have turned slowly in defining the scope and extent of liability for data security breaches. However, the law is catching up to the feverish pace of the information age. Accordingly, if your company has not done so already, it may be worth considering (1) preparing an emergency plan of action for a data breach; (2) training employees on cybersecurity best practices; and (3) procuring a cyber-liability insurance policy.

A pending case in the Southern District of Indiana may test the limits of cyber liability in Indiana. A class action was brought against Scotty’s Brewhouse (see 1:17-cv-1313-TWP-MJD), in which plaintiffs argue that the alleged breach by Scotty’s of their personally identifiable information, or PII, has caused them undue financial hardship by delaying receipt of their tax returns due to IRS delays to investigate fraud, among other damages listed. The complaint alleges Scotty’s should have been aware of increased so-called “spoofing” fraud because, among other things, the FBI had issued a public service announcement regarding amplified “spoofing” attempts. According to the complaint, spoofing fraud has been increasing recently, and the basis of the plaintiffs’ claims is that Scotty’s allegedly failed to adequately train its employees in cybersecurity protocols. The plaintiffs’ suit could prove to be a thermometer for how state common law may develop in the data breach age.

That said, it is possible that Indiana’s Economic Loss Doctrine could effectively bar liability for a data breach. In short, the doctrine bars liability under a theory of negligence for a loss which is purely economic in nature (i.e. no actual damage to person or property). It is difficult to conceptualize the mere loss of one’s PII as a distinct and palpable injury. It could be argued that the mere loss of one’s identity does not constitute an “injury” for purposes of tort liability. In contrast, one could be injured when they must pay for credit monitoring because they have been made aware of a malicious third-party’s possession of their PII.

The most commonly “breached” information is personally identifiable information such as Social Security numbers, birth dates or driver’s license numbers. An invasion of privacy claim could have more traction where there is a loss of more than mere PII (i.e. photographs proliferated after iCloud breach). However, is one’s PII truly “property” that can be injured? Certainly, it would be trespassory for an individual to physically steal W-2s from a mailbox. That said, it is then logical to conclude that it is likewise a trespass for hackers to bypass cybersecurity measures to obtain the same information from an electronic database. One theory is that an entity holding PII in a database may hold a bailment over the “electronic property” and could potentially be liable for its loss to and misuse by a third party.

Utilizing the crystal ball to look into the future, it is possible that data breach claims may follow suit of asbestos and black lung claims, and one way to equitably compensate victims of data security breaches would be to establish a fund similar to the Black Lung Disability Trust Fund or the quagmire of asbestos litigation. This could provide a certainty of recovery to those with legitimate claims and a certain finality of liability for those involved in the loss of PII. However, currently, there is far less certainty as to the risk presented by a data loss to a company’s bottom line. The Scotty’s data breach litigation may well shed light on these uncertainties.

That said, in the wake of the recent WannaCry cyberattack that spread rapidly worldwide, it is worthwhile to examine the current risks facing your business and re-evaluate your company’s plan of action. The WannaCry ransomware cryptoworm utilized what is believed to be a software program of National Security Agency origin to rapidly deploy a program to encrypt the data of infected computers that were not current with Windows updates. The WannaCry cryptoworm was spread essentially “through the air” on wireless networks, much like influenza would spread on a crowded bus.

If your business is without a plan of action, precious customer data may be lost while your staff watches helplessly. Who will unplug the servers? Who will obtain Bitcoin(s) to pay off a ransom? Ransomware is typically time sensitive, and the value of the ransom increases with time, so if your staff utilizes time figuring out what Bitcoin is and how to obtain it, it may cost your company more. If your company hasn’t already, explore implementing a plan of action.

• Identify who to call in the event of a data breach to manage mitigation, communication with clients and forensics/experts.

• Consider not only reactive measures to a breach, but proactive measures that can help prevent or mitigate the damage, which could include staying abreast of recent trends in social engineering schemes (phishing, spoofing, etc.).

• Utilize the FBI as a resource for education on proactive measures. They are often willing to send agents to work with companies that may be targets for hackers to develop proactive measures to prevent a breach.

Another important measure may be for your company to obtain a cyber-liability insurance policy. While the policy would be the last line of defense to protect your company’s bottom line, cyber-liability policies are still relatively new, and the scope and breadth of coverage can vary significantly from carrier to carrier. However, generally, a cyber-liability policy can potentially provide coverage existing policies cannot in the event of a data breach for notification expenses, defense against regulatory enforcement, credit monitoring, business interruption, data loss, fraudulent transfers and extortion (terms, conditions, coverages vary from policy to policy and state to state per each state’s requirements). On the bright side, cyber policies are becoming more cost effective as the pool of insured rapidly expands due to more frequent and sophisticated cyberattacks.


Adam Ira is an attorney at Kightlinger & Gray’s Indianapolis office. A founding member of the firm’s Data Security Practice Group, he also represents clients in a broad spectrum of state and federal litigation and general liability defense for retail and hospitality industries. The opinions expressed are those of the author.

