Data Breach Notification Obligations

1. Target Corporation Data Breach (2013)

Target Corporation

What happened:

Hackers infiltrated Target’s payment system through a third-party vendor and stole credit/debit card data of over 40 million customers, along with personal data of more than 70 million individuals.

Legal issue:

The key legal focus was not only the breach itself but also the delayed detection and the delayed notification that followed it.

  • Target detected suspicious activity during the breach period but failed to act quickly.
  • Notification to consumers and banks was not immediate after initial detection.

Legal obligations involved:

Under U.S. state data breach laws:

  • Companies must notify affected individuals “without unreasonable delay.”
  • Must inform financial institutions when payment data is compromised.

Outcome:

  • Target faced multi-million-dollar settlements with banks and consumers
  • Paid significant costs in credit monitoring and litigation settlements
  • Shareholder lawsuits alleged failure of reasonable cybersecurity governance

Legal principle established:

Delay in identifying and communicating a breach can itself constitute negligence, even if the breach originated externally.

2. Equifax Data Breach (2017)

Equifax Inc.

What happened:

A vulnerability in Equifax’s web application framework was exploited, exposing sensitive data of approximately 147 million individuals (names, Social Security numbers, birth dates, etc.).

Legal issue:

Equifax failed to:

  • Patch a known vulnerability in time
  • Notify regulators and consumers promptly after discovery

Breach notification obligation focus:

Under U.S. state laws and FTC enforcement principles:

  • Timely breach disclosure is required once discovery is made
  • Companies must maintain “reasonable security practices”

Outcome:

  • Global settlement exceeding hundreds of millions in penalties and compensation
  • Required long-term credit monitoring for affected individuals
  • Executive accountability actions and congressional scrutiny

Legal principle:

Failure to maintain reasonable security, combined with delayed notification after discovery, constitutes an unfair and deceptive practice under consumer protection law.

3. Yahoo Data Breach Disclosure Delays (2013–2014 incidents disclosed later)

Yahoo

What happened:

Yahoo suffered two massive breaches:

  • One affecting ~1 billion accounts (2013 breach disclosed in 2016)
  • Another affecting all user accounts (~3 billion, disclosed later)

Legal issue:

The central issue was extreme delay in breach notification (several years).

Legal obligations:

Although the breaches occurred before GDPR took effect, U.S. securities law and consumer protection law required:

  • Disclosure of material cybersecurity incidents to investors
  • Timely consumer notification when personal data is at risk

Outcome:

  • Reduction in Yahoo’s acquisition price by Verizon by approximately $350 million
  • Securities litigation and regulatory investigations
  • Shareholder claims for misleading disclosures

Legal principle:

Cybersecurity incidents become “material information” under securities law, and failure to disclose them in a timely manner can constitute investor fraud.

4. Marriott International / Starwood Breach (GDPR Enforcement)

Marriott International

What happened:

Hackers accessed the guest reservation system of Starwood (a hotel group later acquired by Marriott), exposing data of up to 339 million guests globally.

Legal issue:

Regulators found failures in:

  • Due diligence during acquisition (inherited vulnerability not properly assessed)
  • Delayed detection of the breach
  • Delayed notification to regulators and individuals

Applicable law:

Under the EU General Data Protection Regulation (GDPR):

  • Notification to the supervisory authority required within 72 hours of becoming aware of the breach
  • Individuals must be informed if risk is high

Outcome:

  • Significant GDPR fine imposed (reduced on appeal but still substantial)
  • UK and EU regulators emphasized accountability of acquiring companies for legacy security failures

Legal principle:

Under GDPR, liability attaches not only for breach occurrence but for failure to detect, assess, and promptly notify once discovered.

5. Uber Data Breach Concealment Settlement (2016 breach disclosed in 2017)

Uber Technologies Inc.

What happened:

Hackers accessed personal data of 57 million users and drivers. Instead of notifying regulators, Uber paid hackers to delete the data and kept the breach undisclosed for over a year.

Legal issue:

This case centered on:

  • Failure to notify regulators and affected individuals
  • Attempted concealment of breach

Legal obligations:

Under FTC consumer protection standards:

  • Companies must not engage in deceptive practices
  • Data breaches must be disclosed when they pose risk to consumers

Outcome:

  • Multi-million-dollar settlement with U.S. Federal Trade Commission
  • Additional penalties imposed by state regulators
  • Executive resignations and criminal charges against involved personnel (in related proceedings)

Legal principle:

Intentional concealment of a breach is treated as fraudulent and deceptive conduct, significantly increasing liability.

6. Anthem Data Breach (Health Data Notification under HIPAA)

Anthem Inc.

What happened:

A cyberattack exposed sensitive health data of nearly 80 million individuals, including medical identification numbers and personal details.

Legal issue:

Violation of health-sector breach notification obligations under:

  • HIPAA Breach Notification Rule (U.S. law)

Requirements involved:

  • Notify affected individuals without unreasonable delay
  • Notify Department of Health and Human Services
  • Provide public notice in major media if large-scale breach occurs

Outcome:

  • One of the largest HIPAA settlements in history
  • Strengthened regulatory expectations for encryption and access controls
  • Required long-term corrective action plan and monitoring

Legal principle:

In healthcare, breach notification is treated as a patient safety issue, not just a privacy issue, increasing regulatory strictness.

Core Legal Principles Derived from These Cases

Across jurisdictions and industries, these cases establish consistent doctrines:

1. Timeliness is legally critical

Delays, even those occurring after discovery, can be independent violations.

2. “Reasonable security” and “reasonable delay” are flexible but enforceable standards

Courts and regulators evaluate:

  • Industry standards
  • Company size
  • Technical safeguards

3. Notification duties extend beyond individuals

They often include:

  • Regulators
  • Financial institutions
  • Investors (in publicly traded companies)

4. Concealment dramatically increases liability

Active concealment (as in Uber) leads to harsher penalties than accidental delay.

5. Sector-specific rules matter

  • Healthcare (HIPAA): strict reporting timelines
  • EU (GDPR): 72-hour rule
  • U.S. states: “without unreasonable delay” standard
