Last Friday, a massive IT outage caused disruptions to businesses around the world, affecting everything from airlines to 911 operators to retailers. The problem arose when CrowdStrike, a cybersecurity firm, sent out a faulty software update that prompted some computer systems to crash. Although the update was eventually rolled back, the impact of the problem continued to ripple throughout the weekend, as passengers remained stranded in airports, hospitals struggled to reschedule canceled surgeries, and stores adjusted to unexpected closures.

Andrew D. Selbst, a visiting assistant professor of law at Harvard Law School, says it is “hard to predict” the extent of the legal fallout from the CrowdStrike situation. While tech companies have traditionally not been held liable for “buggy software,” CrowdStrike could face high-dollar lawsuits from some of its business-to-business customers, subject to the terms of the contracts between the parties, he adds.

“For big businesses that used CrowdStrike, they may have been able to negotiate contracts that talk about how to distribute liability,” says Selbst. “But maybe for smaller companies, they were less likely to be able to push back on the form contract, which likely disclaimed all liability for things like this.”

What the situation does clearly illustrate, he says, “is how fragile our infrastructure is, because there are only a few companies that run much of the world’s software. That’s a problem we should be more concerned with than we seem to be.”

The vulnerability of everyday technology is increasingly obvious in another way, too: data breaches. Businesses and organizations invest billions of dollars each year in services by companies like CrowdStrike and others in the hopes of securing their digital information from hackers looking to steal passwords, identifying information, credit card numbers, and more.

Yet some estimates suggest that such attacks continue to rise sharply. This month, customers of AT&T became the latest hacking victims to strike back, filing a class action lawsuit against the telecommunications company. The plaintiffs claim that AT&T’s cybersecurity measures were too lax, leading to a significant data breach that resulted in criminals obtaining their call and text records.

But it’s far from clear that the customers will see a payout, says Selbst. In an interview with Harvard Law Today, he explains how class action lawsuits may nonetheless promote better cybersecurity practices, and why deregulation is to blame for some of our tech woes.

Harvard Law Today: Companies spend hundreds of billions of dollars every year on technology from companies like CrowdStrike in the hopes of preventing data breaches. But we know that such breaches, like the one at AT&T, continue to happen. What kinds of recourse do customers have when their information is part of a data breach?

Andrew Selbst: The basic answer is not all that much. Self-help, for the most part. Let me give a little bit of an overview of the regulatory framework for data breaches. There are three different types of regulatory structures. One is breach notification laws: every state has different versions of a notification law. Usually, within a short period of time, a company has to notify everyone who’s been breached. Individuals then know their data is out there and can take protections, such as credit monitoring, and things like that.

Negligence lawsuits are the second type of framework. These are standard tort negligence lawsuits. Ultimately, they’re difficult to win. These are often the major class action suits you see.

The last regime is regulation. Regulators, particularly the FTC, have over the last 15 years or so really gone after the worst-of-the-worst in terms of data breaches. The FTC has a pattern of settling with these companies and keeping them under a consent decree for 20 years or so, which will allow them to keep monitoring. But with the FTC, you don’t get individual customers receiving damages or compensation. This is just a regulatory regime, and they receive fines payable to the federal government.

HLT: According to the lawsuit against AT&T, hackers obtained private call and text records. Does the type of data stolen matter in terms of the company’s legal liability?

Selbst: It would in some sense. First of all, if it’s personal data versus non-personal data, it will matter. Courts generally won’t find liability unless the plaintiff suffers what is legally recognized as an injury. Financial harm is nearly always considered an injury, and that can result from the theft of social security numbers, credit cards, etc. But you also have to ask if the injury has matured. A data breach in and of itself isn’t always an injury. In other words, some courts treat the risk of future harm as no injury at all, while other courts treat risk of harm as an injury unto itself.

When it comes to something non-financial, like say I was sending racy texts to someone and I’m embarrassed, that isn’t going to be seen as an injury by courts, at least not from a data breach perspective. There are other privacy torts, but you would have to enforce those against the real offender — in this case, the hacker — whom we often can’t get to because they’re outside the country, for example.

HLT: What kinds of compensation do people typically receive in negligence lawsuits like the one against AT&T?

Selbst: Not much. Often, there will be a settlement that will involve a year or more of credit monitoring. But who, at this point, doesn’t have 20 years of free credit monitoring already? The settlements will also offer a few dollars here and there, but when you hear about these big cybersecurity incidents with big dollar figures, they’re fines. These are fines from the FTC to Facebook for Cambridge Analytica, or Equifax for their giant data breach. The money isn’t going to individuals. It’s going back to the government.

HLT: In what ways do companies protect themselves from liability related to data breaches?

Selbst: Generally, they have policies in place, like investing in cybersecurity. There are well-known ways to do the right thing here, like having policies in place about employee access to data, firewalls, etc. Often, breaches result from an employee who loses a laptop, or who answers the phone and is tricked into giving information, or clicks a phishing link, or something like that.

In a negligence regime, the argument is always that you didn’t do enough. But if you can say, ‘Hey, look, here’s the best practice document that the FTC publishes on its website, we did all of it,’ then there’s really no argument for negligence. The way I think about this is, you don’t have to outrun the bear. As long as you’re not the worst company around in cybersecurity, the FTC probably won’t go after you. I think everyone recognizes that. You just have to put reasonable protections in place.

HLT: Is the AT&T case just about monetary compensation for customers, or are there other possible motives for the lawsuit?

Selbst: Individuals are motivated by compensation, but there’s not a lot of effort that goes into signing onto a class action. But that’s not generally the point of class actions. People sometimes complain about how class actions are structured — that the lawyers end up making a lot more money than the individual plaintiffs a lot of the time. But class actions exist where individuals aren’t hurt enough that any lawyer will take the case for an individual, which necessarily implies the damages are relatively low. What it does is allow for private enforcement of some policy agenda, rather than government enforcement. And the way we incentivize that is by allowing attorneys to collect fees for bringing these cases.

I think the goal is that if AT&T gets hit with a giant lawsuit, then the next guy is like, ‘Okay, maybe it will be less costly for me to spend my money on cybersecurity than fight a lawsuit in the future.’

HLT: Hacking operations have become increasingly sophisticated and more common. How much should businesses be expected to be liable for these activities? Are data breaches becoming akin to a flash flood or a tornado — in other words, an “act of God” that can’t be entirely avoided?

Selbst: I would suggest that if we were in an environment where tornadoes occurred every three or four days, we would put some liability on the architects, too, to make buildings that can withstand tornadoes. So, just because data breaches are happening more often doesn’t suggest that the people who can really do something about it should be less liable. In tort law, there’s this concept of the “cheapest cost avoider,” which is the idea that you place liability on the person best able to most cheaply change the outcome or minimize the harm. In the end, that is the companies who are holding your data. I as an individual have no ability to stop anyone who’s holding my data from being hacked.

Ultimately, a negligence approach makes sense. It’s going to happen at some point. We can’t have zero risk. You can’t apply strict liability, which would be saying that whenever a company gets hacked, it’s liable, period. Negligence is a nice middle ground, where as a company you need to do what’s reasonable, and what’s reasonable can change over time.

On the practical side, I don’t think companies are liable enough right now, because actual negligence suits are often dismissed on questions of injury or risk of future harm. For the millions of people whose data is being stolen, how many of them are actually going to be subject to identity theft? And how many will bring a tort suit? Then, what fraction of the actual damages will the company have to pay out when they settle? Right now, it’s much, much less than it would cost for them to invest more in cybersecurity. Additionally, the regulatory authorities are also woefully underfunded. The FTC needs probably 20 times the budget. Again, their strategy is to go after the worst-of-the-worst and to publish best practices. As long as you’re not the worst, you probably won’t face FTC authority. But that’s not a great way to run the system.

On the other hand, lots of states are adopting data protection laws that move closer to a data protection regime like they have in Europe. One of the ideas is to require “data minimization,” which is to say that you can’t just hold on to someone’s data forever if you don’t have an express purpose for it anymore. And you should not be collecting data that you don’t have good reasons to have in the first place. Right now, there’s been no real incentive to minimize what data you’re collecting or holding on to. And the more data you have, the more likely you are to lose it.

HLT: You have a background in computer science in addition to law. In general, do you think our laws are up to date enough to deal with the technology we increasingly rely on in our everyday lives?

Selbst: That’s a very complex question, and one about which there’s substantial disagreement. Even on a level of principle, I think more than blaming technology, I blame our current situation on the default deregulatory stance of government that we’ve had for 40 years. We have way too much deference to the technology industry — its leaders are treated as if they are these wizards that do things that we could never possibly understand. And as a result, we just give up and say, ‘Oh, well, there’s no way law can keep up with technology.’

What’s really going on is that there’s a policy choice to only react, to not even try to anticipate. We also too often ignore the fact that we actually do have a lot of laws that are written technologically-neutrally based on principle, based on values, and those laws still apply.

These days, I write a lot about AI. I wrote a paper with a couple of computer scientists, called The Fallacy of AI Functionality, where we were basically saying that a lot of people are putting out AI that just doesn’t work. But we already have law for this: we have consumer protection law that is supposed to stop things on the market that don’t work. We also have tort law. And yet everybody’s out there saying we need all these new laws. Well, no, we just need to use the laws we have — and enforce them. I think there are definitely some updates that need to be made to the law, but there is probably some looking at the current law that we need to deal with.