In our legal system, where the law is precedent-based, external events tend to bring cases to court that test the parameters of legal areas. Negligent security is no different.
The victim of a negligent security case must establish that a property owner or commercial entity has a duty of care toward anyone lawfully on their premises. They must clearly demonstrate that said property owner took insufficient measures to mitigate the potential for harm, and that the harm suffered was predictable, otherwise known as the principle of foreseeability.
In high school, there was always that person on the debate team pushing the definition of every component involved in a topic. It turned out they almost always had a point. In negligent security, the issue of duty of care presents a similar challenge. If it seems exploitable, it’s because the questions of who has it and how far it goes are never fully answered.
For example, professional services company Accenture was in the news recently after a U.S. district judge in Maryland ruled it may have failed in its duty of care during a massive cyberattack between 2014 and 2018. Large amounts of traceable personal data from clients such as Marriott Hotels, a key plaintiff, were exposed, leaving hundreds of millions of people vulnerable.
With the simplest definition in mind, it may seem like a stretch to consider this a matter of negligent security, not least because there are no physical premises to speak of. The circumstances of this case are shocking, yet our gut instinct might be to blame those whose data was exposed for carelessness or ignorance in putting it out there.
Yet this isn’t the same thing as your dad sharing a stupid photo on Facebook, or your neighbor sending a social security number through an unencrypted email. Data breaches are particularly serious due to their ability to compromise some of the most damaging and sensitive private information, and the impact doesn’t come cheap. A recent IBM study suggests the average cost of a data breach in 2020 was $3.86 million, with some cases going as high as $100 million.
The definition of duty of care when it involves handling corporate data or other business matters is little different from any other context. Companies using a product, in this case data management, should have a reasonable expectation of competence. This includes being protected from all foreseeable risks outside of their control. Cyberattacks and malware are arguably both foreseeable and preventable.
Taking a step back, consider more traditional cases of negligent security. A patron is injured on faulty or broken steps outside an establishment, slips on a wet floor inside, or becomes sick after eating near a contaminated surface in a restaurant. A possible defense in these cases would center on personal responsibility, with property owners arguing they had taken measures to honor their duty of care, and that the patron instead failed to take care of themselves.
It is seldom, if ever, that simple. Placing a caution or “wet floor” sign in a place where the victim of an incident can argue they could not have reasonably seen it – too high up, too far away or not covering the entire area of risk – is not fulfilling a duty of care. The same goes for having a cleaning protocol that is inconsistently applied – that is, a waiter “usually” cleans off a restaurant table between patrons, but the one time someone fell ill, he had forgotten to.
Furthermore, when proper safety protocols don’t exist or the property owner does not make them clear, patrons will go off instinct and do what they think is safe. This may not be enough to protect them. An ounce of prevention is worth a pound of cure, as the saying goes. Property owners and commercial entities must examine every foreseeable avenue of potential liability to safeguard the public.
If you don’t know whether an incident affecting you or someone you know falls under this tort, the experienced negligent security attorneys at Circeo Fannin can help you explore your options.