When something bad happens, whether it is a data breach or some other type of attack, it is common for a retailer to meet with its counsel and, in addition to determining its legal obligations, ask the stupidest question any client can ask a lawyer, "Can I sue?" The answer to that question is, of course, always "Yes." The more difficult questions are, "Who can I sue?" and "Will I win"
Almost always with a data breach or hack some other party has contributed in some way, to either facilitate or exacerbate the breach. The question is, is it worth it to sue? Unfortunately, in most cases, the answer is no.
A few recent breaches may be illustrative. Last week, we wrote about a .pdf document of a company that was placed in a Web-accessible location that was not intended to be public. Think of this as leaving an important document in an unlocked office adjacent to your retail location. The public "can" but "shouldn't" go there.
The document would have remained blissfully obscure (security through obscurity), but a Google crawler "found" the document and then indexed it. The crawler essentially went through everything that is "accessible" and indexed words, phrases, etc., making it much easier to find. Although the crawler itself did not "publish" the document, it effectively allowed anyone searching for that type of document to find it. Absent the index, the document would likely have remained unknown. The damages from its exposure would have been minimal—if any. What the crawler did, essentially, was expose the secret to the world. So, the retailer meets with the lawyer and asks if it can sue.
The first issue is the practical problem of suing Google. Sure, it has deep pockets. Very deep pockets. That's a good thing, if you want to sue. But, because of those deep pockets, Google also has lots of lawyers. That's a bad thing, if you want to sue.
The next thing is to decide on what Google did "wrong," if anything. Typically, you can sue for things like publishing a defamatory statement or article, infringing a trade secret or, potentially, some type of tortious (wrongful) conduct. It doesn't appear that Google did any of these things.Technically, Google "published" the index of the document. But this document was already "published" online. Indeed, Google could not have prevented its crawler from indexing the document—once the crawler found it (although the document could later be removed from the index). Google had no idea that the document was sensitive, nor did it have a particular duty to the retailer to not index what it believed was "public" information.
So, did Google’s crawler "break in" to the retailer’s store? Was there a "trespass?" If so, Google may have both civil and criminal liability. If not, the retailer is out of luck. Should Google have known that this particular document was not intended to be public? The retailer certainly didn't "invite" Google to index its documents. The retailer did not give Google "permission" to post the index to its documents. The document could have contained really sensitive information, including PCI data, health data or worse. Does Google have no liability here, or is this the Wild West—if it can be found online, it can be posted for all to see.
The real problem here—from both a legal and a practical point of view—is that no humans are involved. If a "person" were to find a document in an unlocked or unsecured office, that person would likely be able to make a judgment about whether that document was supposed to be publicly accessible. But with billions of documents "accessible" online, it is simply not practical to have a human index them. Indexing is what Google does—and, usually, this indexing helps retailers. It is the crawling and indexing that enables users to find the retailer, locate products or services, find a local store, contact key personnel, respond to marketing pitches and even find coupons or specials. Indexing is good. But indexing becomes bad when the retailer—or some other third party—makes something "available" that it doesn't want indexed. But the crawler can't tell that. So even though the crawler, in some way, "took" a document it shouldn't have, and in a sense "published" that document, and did those things for commercial purposes (to help Google make money), it is unlikely that Google would have significant liability for these actions.
If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.