Peter Sullivan, Christopher Escobedo Hart and Colin Zick of Foley Hoag write:
How much does the question of harm matter in cybersecurity law? The answer is: It depends on who is bringing the claim.
Businesses confronting data breaches can face litigation from private consumers as well as from governmental entities. Managing litigation risk varies in these contexts because of the limitations of bringing private rights of action. One such limitation is the requirement of proving actual harm in private actions. As explained further below, the bar for enforcement is lower when federal regulators bring an action against an entity. Businesses must be mindful that the lack of actual harm may not be an avenue to dismiss these claims. Employing best practices is still paramount in helping businesses mitigate the risks that come from private party suits and government enforcement actions.
Read their full article that includes mention of notable court rulings and their implications on Security, Privacy, and the Law.