The lengthy list of data breaches occurring over the last few years – involving companies large and small, digital and analog, public and private – raises difficult questions going forward for any business that collects the personal information of its customers and/or employees. In particular, what is (i) the standard of care to be imposed on these companies by which to assess culpability in the event of future breaches, and (ii) the criteria by which a person whose data is compromised acquires standing to pursue an action against those companies?