In Amicus, EPIC Proposes Duty to Protect Personal Data

July 3, 2019

In an amicus brief for the D.C. Circuit Court of Appeals, EPIC has recommended that courts recognize a common law obligation to protect the personal data that companies choose to collect. In Attias v. CareFirst, Inc., inadequate security practices allowed hackers to obtain 1.1 million customer records from D.C.'s largest health insurer. A lower court dismissed many of the privacy claims in the case. But EPIC argued to the appellate court that data breaches underscore the need for companies to be held liable for faulty security. EPIC said that courts should impose a duty of reasonable data protection on businesses to ensure that companies protect the personal data that they collect. EPIC previously filed an amicus brief in this case supporting data breach victims. EPIC regularly files briefs defending consumer privacy.

Support Our Work

EPIC's work is funded by the support of individuals like you, who allow us to continue to protect privacy, open government, and democratic values in the information age.