The landscape of damages is continually evolving in data privacy and security litigation. The conventional wisdom used to be that the resulting loss from a data breach was different than that sustained in traditional torts. As the Third Circuit explained in Reilly v. Ceridian Corporation, “a hacker cannot change or injure bodies; rather, any harm that may occur may be redressed in due time through money damages with no fear that the litigants will be dead or disabled from the onset of the injury.”
But what if the actions of a hacker inflict physical harm? What if a data breach results in bodily injury? Could an entity that suffered a data breach be liable for wrongful death or other personal injuries?
Once thought to encompass only financial harm, as hackers and threat actors become more emboldened, the type of injuries that stem from these cyber-attacks are evolving. In September of 2020, for example, a Duesseldorf hospital was struck with ransomware. Local police established contact with the threat actor and were able to decrypt the data, but not before the hospital was forced to turn away emergency patients, one of whom died as a direct result of treatment delays.
More recently, in February 2021, hackers remotely accessed a Florida water treatment plant and changed the levels of lye in the drinking water to dangerous levels. The intrusion and resulting change in the lye levels was discovered before it could inflict any bodily damage, but the levels were high enough to seriously and detrimentally affect the health of the town’s residents if the drinking water had reached their homes.
As these recent examples demonstrate, threat actors CAN cause changes to computer systems that can lead to substantial physical injury. Such injuries will almost certainly result in new claims for damages with large verdict potential. For example, the family of a patient who dies because of a healthcare provider’s security failures might bring wrongful death and survival claims, including, among others, claims for pain and suffering, lost past and future income, medical expenses and loss of consortium. Physical injuries caused by the untoward effects of hacking of infrastructure could result in mass tort litigation or a multitude of plaintiffs asserting hefty physical and economic losses.
Depending upon the security measures in place, or the lack thereof, individuals suffering from physical injury because of a data breach might well be positioned to request and be granted substantial punitive damages as well. Defendants will certainly have to defend against such allegations.
Death or bodily injury resulting from a data breach will not only raise new and critical issues relating to liability and causation but will drive up settlement and verdict values. If history is any indication, as critical infrastructure and healthcare (and those are just two examples) become increasingly digitalized and more reliant on computer systems, and as threat actors become more sophisticated and emboldened, the types of harms resulting from a data breach will only continue to evolve and increasingly threaten human health, not just financial well-being.
If you have any questions, or would like more information, about the possibility of a cyber-attack leading to bodily or personal injury claims, please contact John Mullen (; 610.608.8785), Paulyne Gardner (; 267.930.2098) or Claudia D. McCarron (; 267.930.4787).