Court Rules SilverPop Not Liable for Damages After Data Breach

Back in 2010 and 2011, I posted a number of blog entries about a breach at SilverPop. SilverPop was not particularly transparent/forthcoming about the scope of the breach, but it seemed to be pretty large.

Today, Ryan M. Martin of Winston & Strawn LLP writes:

A Georgia court recently agreed on a summary judgment motion that a digital marketing contractor was not monetarily responsible for an unauthorized intrusion into its computer network. In the case, Silverpop Systems, Inc., the digital marketing contractor, entered into a service agreement with Leading Marketing Technologies, Inc. (Leading Marketing) that permitted Leading Marketing to upload content to Silverpop’s web-based e-mail marketing tool so Silverpop could send out messages on Leading Marketing’s behalf. (Silverpop Sys., Inc. v. Leading Mkt. Techs., Inc., No. 12:-cv-02513-SCJ (N.D. Ga. Feb. 18, 2014).

In November of 2010, Silverpop’s web-based system was hacked, potentially affecting the security of the nearly 500,000 e-mail addresses Leading Marketing had uploaded to the system. After an investigation, Silverpop could not confirm whether any information was exported from its system. Silverpop informed Leading Marketing of the incident. Leading Marketing continued to use the services for several months while withholding payments to Silverpop. Silverpop filed a declaratory action seeking payment. Leading Marketing counterclaimed, arguing that it was justified in withholding payment since Silverpop had failed to keep the addresses secure. Leading Marketing presented a variety of legal claims in support of its argument, including negligence.

In finding for the vendor, the court found that Leading Marketing had failed to present evidence regarding the applicable standard of care regarding data breaches in its industry.