How Poor Data Security Policies Lead to Regulatory Fines & Lawsuits
In a digital-first economy, data has come to be regarded as a valuable asset for any business. But that valuable data can quickly become a liability. In fact, the number of hacked accounts surged by 800% in 2024, reaching 5.5 billion — or 180 accounts every second. [1]
For most businesses, gathering sensitive data is integral to the business cycle, from customer onboarding to payment to managing their people. A single instance of neglect can have devastating consequences for a company, whether it takes the form of a data leak, a breach, or poorly informed security measures.
Beyond the technical harm and the embarrassment, it is the legal aftermath of an incident that is hardest to deal with. The situation is even more precarious for small and midsize business owners, for whom a single incident can cost the company everything.
The Hidden Risk: Weak Data Policies and Their Financial Toll
Companies today manage more sensitive data than ever before, including customer email addresses, credit card numbers, and employee health records. As the volume of data increases, so does the responsibility to protect it.
Without strong internal policies and employee training, small missteps can lead to major consequences. Weak passwords, unsecured file transfers, or falling for phishing scams may seem minor, but they often result in data breaches. These breaches can cause far more than reputational damage; they often trigger significant financial penalties and legal claims.
Real-World Example: Ad Tech Company Turn Inc. Failed to Honor Opt-Out Requests
In 2017, the Federal Trade Commission brought an enforcement action against Turn Inc., a digital advertising platform that tracked millions of users’ online behavior across websites and mobile apps. Turn used unique identifier headers (UIDHs) provided by Verizon to create detailed user profiles for targeted advertising. [2]
Despite offering an “opt-out” mechanism that was supposed to stop behavioral tracking, the company continued to collect and use data from users who had opted out. The FTC found that Turn misled consumers by failing to honor their privacy choices and engaged in deceptive practices by representing that opting out would effectively end tracking—which it did not.
This case demonstrates the critical importance of not just providing opt-out tools, but ensuring those tools actually work as promised. When companies fail to implement clear and functional opt-out mechanisms—or falsely advertise that users can limit tracking—they expose themselves to regulatory enforcement, legal action, and lasting reputational harm.
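The Turn case turns on one implementation question: does the tracking pipeline actually consult the opt-out state before it collects or uses data? The following is an added example, not code from the original article or from Turn Inc. or the FTC; the registry, the profiler, the `uidh` field name and all sample events and timestamps are constructed for illustration. It shows the two checks a practitioner would want: collection stops for an opted-out identifier, and a profile already built for that identifier is treated as a finding until it is purged.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class OptOutRegistry:
    """Single source of truth for users who asked not to be tracked.

    Keys are the tracking identifier (a UIDH-style header value in this
    example); values are when the request was received, kept as evidence.
    """
    _requests: dict[str, str] = field(default_factory=dict)

    def opt_out(self, user_id: str, received_at: str) -> None:
        self._requests[user_id] = received_at

    def is_opted_out(self, user_id: str) -> bool:
        return user_id in self._requests


@dataclass
class Profiler:
    """Behavioral profiler that checks the registry on every event."""
    registry: OptOutRegistry
    profiles: dict[str, list[str]] = field(default_factory=dict)
    dropped: int = 0

    def ingest(self, event: dict) -> bool:
        """Append one page visit to the user's profile.

        Returns True if the event was recorded, False if it was discarded
        because the identifier is missing or the user has opted out.
        """
        user_id = event.get("uidh")
        if not user_id or self.registry.is_opted_out(user_id):
            self.dropped += 1
            return False
        self.profiles.setdefault(user_id, []).append(event["url"])
        return True

    def enforce(self) -> list[str]:
        """Delete profiles already built for users who opted out later.

        Stopping collection is not enough: data gathered before the request
        must also stop being used. Returns the identifiers that were purged.
        """
        purged = [uid for uid in self.profiles if self.registry.is_opted_out(uid)]
        for uid in purged:
            del self.profiles[uid]
        return sorted(purged)


def audit(profiler: Profiler) -> list[str]:
    """Compliance check: any profile that exists for an opted-out user is a finding."""
    return sorted(uid for uid in profiler.profiles if profiler.registry.is_opted_out(uid))


def demo() -> dict:
    """Walk through collection, an opt-out request, and the enforcement check."""
    registry = OptOutRegistry()
    profiler = Profiler(registry)

    # Constructed sample events; the "uidh" values are placeholders, not real headers.
    for event in [
        {"uidh": "uidh-1001", "url": "https://example.test/shoes"},
        {"uidh": "uidh-2002", "url": "https://example.test/news"},
        {"uidh": "uidh-1001", "url": "https://example.test/checkout"},
    ]:
        profiler.ingest(event)

    registry.opt_out("uidh-1001", "2017-01-01T00:00:00Z")  # constructed timestamp

    # Collection for the opted-out user must now stop ...
    kept_after_opt_out = profiler.ingest({"uidh": "uidh-1001", "url": "https://example.test/ads"})
    # ... and the profile built earlier remains a finding until enforce() removes it.
    findings_before = audit(profiler)
    purged = profiler.enforce()
    findings_after = audit(profiler)

    return {
        "kept_after_opt_out": kept_after_opt_out,
        "dropped": profiler.dropped,
        "findings_before": findings_before,
        "purged": purged,
        "findings_after": findings_after,
        "remaining_profiles": dict(profiler.profiles),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the opt-out registry is the only authority the profiler consults, and `audit()` is run independently of the collection path, so an opt-out button that writes to the registry but is never read by the pipeline shows up as a finding rather than going unnoticed.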
Here’s what’s at risk:
1. Regulatory Penalties
A data breach can trigger swift and severe action from regulatory agencies. Depending on your industry and where your customers are located, violations can come from multiple jurisdictions:
- HIPAA (U.S. Healthcare): Up to $1.5 million per year per violation
- GDPR (European Union): Up to €20 million or 4% of annual global revenue
- CCPA (California): $7,500 per intentional violation
2. Class-Action Lawsuits
On the receiving end of any security breach are the consumers and employees whose data was exposed, and they are likely to take legal action. In most jurisdictions, an allegation of negligence is sufficient to get a case started.
3. Contract Terminations and Loss of Business
A data breach on your side can cause you to lose customers quickly if they are themselves bound by stringent data regulations. You will also miss out on partnership opportunities if your business gets labelled a compliance risk.
Where Business Data Policies Often Fail
Even well-meaning companies often have glaring gaps in their policies, such as:
- No formal data protection policy or employee training.
- Weak password policies or a lack of multi-factor authentication.
- Sensitive information that is not encrypted.
- Weak data access controls.
- No established breach response procedure.
- Inadequate privacy policies or consent notices that do not allow website visitors to opt out, or that fail to disclose the use of data collection tools such as cookies on the site.
These aren’t just routine IT issues; they are sources of major legal liability.
How to Secure Your Company’s Digital Assets
1. Start with a Risk Assessment
You need an in-depth understanding of your data: its nature, where it’s stored, and who has access to it. Identify where the weak points are in your processes and infrastructure.
2. Develop and Document Security Policies
Establish explicit guidelines on data handling, password hygiene, encryption, use of email, and device security. You should also ensure that the policies meet applicable regulations within your industry and region.
3. Train Your Team
Policies are meant to be followed, not to sit on paper. Provide regular training on phishing, secure data practices, and how to report suspicious activity. Also, if you operate a website, make sure your privacy policy and data collection notices include the requisite opt-out notices, and that opt-out requests are processed promptly in accordance with applicable law.
4. Consult Legal and IT Experts
Seek counsel from accredited legal and cybersecurity professionals to ensure your policies are not just compliant with applicable laws but enforceable, and that there is an actual process behind the written policy that is being followed.
5. Draft an Incident Response Plan
The manner and the speed with which you respond to a data breach can make all the difference. Put in place a step-by-step action plan including who to notify, measures to contain the breach, and how to notify regulators and affected parties.
Conclusion
You never know when a breach will happen and expose you to massive fines and lawsuits.
Equipped with the right legal guidance and proactive IT support, you can meet these data challenges; above all, though, you need a company-wide commitment to secure practices in order to stay ahead of the risks.
Don’t leave your business vulnerable. Need help reviewing or drafting your data security policies? Call us today to be connected with a legal advisor who understands your industry and compliance landscape in-depth. Don’t leave your business to chance – get protected today.
Sources
- Surfshark. Data Breach Recap 2024. https://surfshark.com/research/study/data-breach-recap-2024
- Federal Trade Commission. In the Matter of Turn Inc. (FTC File No. 152-3099). https://www.ftc.gov/enforcement/cases-proceedings/152-3099/turn-inc-matter