Worth reading the linked paper and checking whether your organisation has ‘reasonable’ security:
[…] But in the U.S., assigning legal fault is more complicated than this. How will we know what a business needs to do to protect its data well enough to successfully fight a liability determination? What is the duty of care that a company owes to its customers, and is that duty the same for public address data as it is for credit card data?
A working group of the Sedona Conference has proposed a solid answer to these questions. By its own description, the Sedona Conference is a nonpartisan, nonprofit research and educational institute dedicated to the advanced study of specific law and policy, including privacy and data security law. The Conference has just published a set of commentary on a reasonable security test. The paper is worth reading.