Hogan Lovells Engage 5.6.14

Data breach response liability: Jury finds defendant not negligent for response to data breach

19 April 2022

In a first-of-its-kind trial, a defendant accused of negligently responding to a data breach was cleared of all liability by a jury last month.  After two hours of deliberation, the jury rejected the plaintiff’s claim that the defendant, a law firm, failed to meet its standard of care by not sufficiently analyzing its breached server, leaving the plaintiff, who was a client of the firm, responsible for approximately $1.3 million in data analysis and related legal bills.  The trial has implications for obligations a company owes after suffering a cyberattack, although those implications may be more limited given the unique posture and facts of the matter.

On March 31, 2022, a federal jury in Kansas City cleared law firm Warden Grier LLP of liability to one of its clients, Hiscox Insurance, after Warden Grier suffered a data breach.  After discovering the breach, Warden Grier identified which of its files relating to Hiscox may have been impacted and provided Hiscox access to those files.  However, Warden Grier declined to do any further analysis of the data, such as analyzing any personally identifiable information (PII) in the Hiscox files to determine whether individuals needed to be notified of the breach, leaving that responsibility to Hiscox.

Hiscox sought over $1.3 million in compensatory damages, as well as punitive damages, to cover data analyses and legal bills it incurred resulting from the data breach, arguing that Warden Grier was negligent by failing to analyze the Hiscox PII.  In Hiscox’s view, Warden Grier was responsible for analyzing the breached data and for telling Hiscox which individuals had been impacted. 

Warden Grier’s counsel argued to the jury that Hiscox was confusing the roles of “service providers” and “data owners.”  Here, Warden Grier argued it was a “service provider” under applicable data breach laws and industry norms, and thus its role was to provide Hiscox with access to impacted data, which it had done.  Warden Grier further argued that, as a “data owner,” Hiscox was responsible for analyzing the data, identifying individuals who had to be notified, and carrying out the notification.  Therefore, according to Warden Grier, Hiscox was not harmed because the analysis it performed was analysis it was required to do.  After less than two hours of deliberation, the jury returned a verdict in favor of Warden Grier.

The jury’s decision to clear Warden Grier of liability has implications that extend beyond the facts of this case and provide guidance to companies and practitioners alike:

  • The trial reaffirms what many practitioners previously believed: service providers may have a responsibility to provide data owners with access to data impacted in a breach, but the responsibility to analyze the data and make notification decisions usually lies with data owners, absent contractual terms shifting that responsibility.
  • While this case occurred in the context of an attorney-client relationship, the decision may be indicative of how juries would view the division of responsibility between service providers and data owners in other relationships. 
  • The case underscores the importance of thinking ahead about the allocation of responsibility and costs between data owners and vendors and addressing that allocation—such as through specific, delineated contractual responsibilities and indemnification clauses. 
  • Importantly, this case does not provide guidance on the standard of care related to data security measures before a breach.
Contacts
Allison Holt Ryan
Partner
Washington, D.C.
Adam Cooke
Counsel
Washington, D.C.
Lance Murashige
Senior Associate
Washington, D.C.
Joe Cavanaugh
Associate
Washington, D.C.
Courtney Helt
Associate
Washington, D.C.
Keywords data breach, liability, standard of care, cyber attack, service provider, data owner
Languages English
Topics Risks, Disputes and Litigation, Technology Litigation and Disputes
Countries United States