Torts – or civil wrongs – evolved over a thousand years as
a means of preventing blood feuds, but they are constantly being applied
to new situations by the courts. Negligence, one of the most common torts,
has been around for several hundred years, long before the invention of
the automobile where we so often see it applied today.
Negligence does not require intentional wrongdoing, but simply: 1) a standard
of care; 2) deviation from that standard; 3) proximately causing; 4) damages.
The law requires you always take reasonable care.
Generally, an entity is not liable for the criminal acts of third parties,
but, if a relationship exists between parties, the failure to take reasonable
protections may constitute negligence. Common examples include a lifeguard
and swimmer, a driver and passenger, or even a business owner and customer.
Further, there is a duty to protect if contractually obligated to do so,
whether express or implied.
Thomas Watson, the President of IBM in 1943, once said, “I think
there is a world market for maybe five computers.” Today business
operates by storing consumer and employee information. There is a duty
to take reasonable care, outside of specific obligations HIPAA and the
PCI Industry put on health care providers and credit-card acceptors.
If a business does not follow reasonable IT security protocols, it may
be found negligent and liable for all damages that result. To avoid the
risk of suit, educate yourself on reasonable IT security precautions.
Does your business:
- Encrypt stored data?
- Require passwords?
- Have anti-virus software?
- Educate employees and enforce IT security policies?
- Receive IT security audits?
If you are not taking reasonable IT security precautions, you are risking
Most states have also passed laws that require disclosure of customer data
breaches. The Nebraska Financial Data Protection and Consumer Notification
of Data Security Breach Act, Neb. Rev. Stat. § 87-802, et. seq.,
provides any entity that does business in Nebraska and owns or licenses
personal data, when it becomes aware of a breach of security, must investigate.
If an unauthorized use is discovered, or even likely, the entity must
give notice to the Nebraska residents of the breach without unreasonable delay.
Personal data is defined as the customer’s name with: 1) a social
security number; 2) a driver’s license or state identification card
number; 3) an account number or credit/debit card number (with security
code, access code, or password that would permit access to the financial
account); 4) unique electronic identification number or routing code (in
combination with any required security code or password); or 5) unique
biometric data, such as a fingerprint, voice print, or retina or iris
image, or other unique physical representation.
In essence, under Nebraska law you must provide your customers with notice
of a breach they can then use in a lawsuit against you. Concerned?
Call Berry Law Firm for a
free consultation on how to reduce your business risks.