David Kessler and Sue Ross write:
Although there is scant case law on the question, it is generally accepted that it is not a violation of one’s duty not to disclose information if it is stolen from you. Put another way, disclosure is an affirmative act, and, absent an affirmative duty to protect information from unauthorized access, theft of information is not a violation of a duty not to disclose.
This question, however, was at the heart of the decision in Gerber v. Twitter, Inc., case no. 4:23-cv-00186-KAW (N.D. Cal. Dec. 18, 2024) (2024 WL 5173313). Judge Kandis Westmore ruled that a social media platform’s duty not to disclose personal information is not the same as the duty to protect that information against theft. Further, the duty not to disclose does mean the social media platform has a duty to notify individuals if the social media platform is breached. As a result, the court granted in part and denied in part the defendant’s motion to dismiss the plaintiffs’ complaint. (Id.)
Read more at Data Protection Report.