Legal issues (What mattered legally)
Browse cases by recurring legal questions. For each issue below, a short explanation is followed by a representative legal case with a link to a publicly available court or agency paper (opinion, order, complaint, or settlement).
Common issues in security cases
- **Reasonable security**
  What it is: The legal baseline for data security—what regulators and courts treat as “reasonable” or “adequate” so that failure to meet it can support enforcement or liability. Often framed under FTC Section 5, contract, or negligence.
  Case: FTC v. Wyndham Worldwide Corp. — U.S. Court of Appeals, Third Circuit, Opinion (Aug. 2015). Court affirmed FTC’s authority to pursue “unfair” practices based on unreasonable cybersecurity; addresses what notice and baseline the FTC can enforce.

- **Governance & oversight**
  What it is: Duties of boards and senior management to oversee cyber risk, implement reporting and controls, and avoid “bad faith” or conscious disregard that could support derivative or fiduciary claims.
  Case: Firemen’s Retirement System of St. Louis v. Sorenson (Marriott) — Delaware Court of Chancery, Opinion (2021). Derivative suit after Starwood breach; court dismissed for failure to plead demand futility and emphasized the line between a breach and actionable board failure.

- **Disclosure / materiality**
  What it is: When a cyber incident or risk is “material” and must be disclosed to investors (or others), and what internal controls and procedures are required for accurate, timely disclosure.
  Case: In the Matter of Altaba Inc., f/d/b/a Yahoo! Inc. — SEC Administrative Order (Apr. 2018). SEC found Yahoo failed to disclose a known breach and misled investors; $35 million penalty and cease-and-desist on disclosure controls.

- **Unfairness / deception**
  What it is: FTC Section 5 theories: “unfair” practices (substantial injury, not reasonably avoidable) and “deceptive” practices (false or misleading statements about security or privacy).
  Case: In the Matter of Drizly, LLC — FTC Complaint (Oct. 2022). Alleged unfair security practices and deceptive privacy/security statements; Consent Order imposed program and data-retention terms.

- **Causation & damages**
  What it is: What plaintiffs must prove to link a breach or security failure to concrete harm (e.g., fraud, mitigation costs, lost time) and recover damages rather than speculative or future injury.
  Case: In re Target Corporation Customer Data Security Breach Litigation — U.S. District Court, D. Minn., Memorandum and Order on motion to dismiss (Dec. 2014). Court allowed many consumer and financial-institution claims to proceed, addressing causation and cognizable injury in a breach context.

- **Standing**
  What it is: Whether plaintiffs have Article III standing to sue—in particular, whether they have suffered a “concrete” and “particularized” injury that is “fairly traceable” to the defendant’s conduct, not merely hypothetical or procedural.
  Case: In re Target Corporation Customer Data Security Breach Litigation — U.S. District Court, D. Minn., Memorandum and Order on motion to dismiss (Dec. 2014). Order discusses concrete injury, traceability, and standing in data-breach litigation.

- **Class certification**
  What it is: Whether a breach or security case may proceed as a class action under Rule 23 (numerosity, commonality, typicality, adequacy, and predominance), or whether a settlement class may be certified for approval.
  Case: In re Equifax Inc. Customer Data Security Breach Litigation — U.S. District Court, N.D. Ga., Final Order and Judgment (Jan. 2020). Court approved settlement class and consumer relief; illustrates class treatment and remedies in a large breach MDL.

- **Remedies / injunctive terms**
  What it is: What defendants must do or refrain from doing after a finding or settlement—e.g., security program requirements, audits, data minimization, and reporting to regulators.
  Case: Cease and Desist Order — Capital One, N.A. — OCC Enforcement Action (Aug. 2020). Consent order requiring technology-risk and cloud governance improvements, board and management accountability, and reporting. See also In the Matter of Drizly, LLC — Consent Order (FTC) for program, retention, and compliance terms.
Each case page calls out which issues actually drove the outcome.