A recent U.S. federal district court decision in California has underscored the duty of care software developers owe to individuals whose data is exposed in cyberattacks, even if they are not direct software users. The case involved Accellion, whose legacy file transfer software (FTA) was breached twice between late 2020 and early 2021. The breach led to the disclosure of sensitive personal information of millions of individuals, including Social Security numbers and medical records.
The plaintiffs brought a class action lawsuit, arguing that their data, shared with FTA users such as healthcare providers and financial institutions, was inadequately protected. Accellion moved to dismiss the case for lack of a plausible claim against it, arguing that it owed no duty to individuals who were not its direct customers. Yet the court found that Accellion’s control over security updates and its financial gains from the FTA established a "special relationship" with the affected parties, creating a duty of care.
The court identified four criteria for a duty of care in data security breaches when determining negligence under California tort law: (1) consumer reliance on the product to safeguard data, (2) the defendant’s exclusive control over the security of the product, (3) an identifiable group of affected consumers, and (4) the defendant benefiting from its commercial activity.