Can You Be Held Liable For Data Loss From A Hacked Website?

It seems like there's a news story about a data breach exposing people's personal information every day. This type of transgression puts people at risk of having their money and identities stolen. While this is terrible for both the website administrators and the customers, many website owners wonder if they could be held liable for damages caused by someone hacking into their site and stealing customer information. It depends on the particulars of the situation. Here's what you need to know.

Civil Liability Due to Negligence

People can file lawsuits against anyone for any reason. In the case of a data breach, a plaintiff may file a negligence suit against you. In this type of lawsuit, the plaintiff will allege you had a duty to him or her, you failed to live up to that duty, he or she was injured as a result, and your negligence was the proximate cause of his or her injury.

The first thing the court will look at is whether you had a duty to protect the customer's personal information. The answer will depend on the type of website you're running. People who have ecommerce sites where they sell products and services are required to comply with the Payment Card Industry Data Security Standard.

This is essentially a list of 12 things the business must do to protect customer information, such as installing a firewall and encrypting information sent over open networks. Failure to adhere to the PCI DSS can result in you being held liable for damages suffered by customers because of a data breach.

Unfortunately, things are not as cut and dried for people who own non-ecommerce websites that don't process payment information. In many cases, it will boil down to the type of information the site is storing. For example, sites that contain patient health data must be protected due to HIPAA laws that require healthcare providers to prevent unauthorized access to patient records. However, a site that lets people listen to free music may not have a duty to secure customer data, since a playlist isn't generally considered sensitive information.

Other Mitigating Factors

In addition to determining if you had a duty to protect customer data, the court will also look at whether or not you failed in that duty. If you took all the necessary precautions but the hackers got in anyway, then the court may not feel you are liable for the data breach. On the other hand, if you did something that significantly increased your chances of a data breach (e.g., used weak passwords), then you may be ordered to pay the plaintiff's damages.

If you're hit with a lawsuit as a result of someone hacking into your website and stealing customer information, contact an attorney for assistance.
