Don't Bet the Business

Imagine your business handles private information relating to clients or customers and, as seems to be so often the case these days, the information is somehow leaked onto the Internet through the unfortunate error of your IT vendor. 

Shortly thereafter comes the lawsuit asserting negligence, invasion of privacy and breach of contract. You did it, you had your customers’ private information, and it was your contractor that showed it to the world. So, do you concede liability and try to cut the best deal you can on damages?

Isn’t this the type of deep pocket class action case plaintiff’s attorneys live for? Not so fast says the lawyer. First, as to the most obvious claim, invasion of privacy, ask yourself this – can an action for invasion of privacy be based on negligent conduct? After all, you didn’t do this on purpose.

In Michigan, the answer as of quite recently is a resounding “No.” A claim for invasion of privacy through the disclosure of private information is deemed an intentional tort which cannot be based on mere negligent conduct. Hopefully, your lawyer knows that. 

So, what about the negligence claim? Surely that claim is escape proof and liability is assured – you were negligent weren’t you, or at least your contractor was? Again, not so fast. 

Whether a claim exists for negligence may well turn on the type of damages sought.  If the disclosure is discovered and addressed quickly, before the private information is viewed or actually used to cause true harm to your customers or clients, a negligence claim may fail because in Michigan an injury occasioned by one’s negligence must be actual and present. 

Accordingly, even if damages are claimed because of steps taken in anticipation of possible future harm (i.e., mischief that may occur in the future because of the unintentional disclosure today), those damages are not recoverable under Michigan law for simple negligence. Your lawyer should know that too.

So, what about a contract claim? It might not have the excitement of a tort action but surely a contract claim must have some teeth, right? After all, you would not have the information but for the contractual relationship with your customer or client. 

Once again, liability may turn on the type of damages sought. Under Michigan law, a party asserting a breach of contract must prove damages with reasonable certainty, and the claimant can only recover those damages that are a direct, natural and proximate result of the contractual breach.

So, once again, if the data breach is discovered quickly and remedial action is taken before the loss of private information can cause actual harm, the mere threat of future harm simply may not be enough and the contract action, too, should fail. I would hope your lawyer knows that too.

Think this is too hypothetical and not likely to happen? It did, I hope your lawyer knows that as well.