Shielding a company's and its customers' data from
unwanted attack is becoming a critical part of corporate
infrastructure response planning and prevention protocols. But
sophisticated data thieves seem to be a step ahead, as evidenced by
last week's startling news that hackers had broken into Home
Depot's payment-card processing systems and stolen, according
to some experts, more than 40 million payment cards. Electronic
data breaches at the corporate level that actually or potentially
compromise customers' private personal information can have
enormous repercussions – costly regulatory reporting and
notice obligations, class action lawsuits, public relations
nightmares and, more recently, FTC enforcement actions and even
shareholder derivative suits. Already, a lawsuit has been
filed against Home Depot in Chicago federal court by an affected
consumer, two senators are pushing for a federal government
investigation and five states have commenced their own
investigations as repercussions from the unprecedented Home Depot
attack continue to mushroom.
In April 2014, a federal district court judge in New Jersey allowed
the FTC, in a case of first impression, to pursue an action it had
filed against Wyndham Hotels for its alleged failure to take
reasonable efforts to protect consumer information that had
resulted in hackers stealing data on more than 619,000 consumer
credit card accounts over a two-year period. And Wyndham was
hit earlier this year with a novel shareholder derivative suit
arising out of the same incidents.
In addition to civil lawsuits and class actions, 47 states
(excluding only Alabama, New Mexico and South Dakota) currently
have data breach notification and reporting laws, which can impose
significant burdens and costs on an affected company. The
impact of negative publicity and extensive fallout litigation can
have devastating effects on a company's financial performance.
The good news is that a recent Supreme Court case has bolstered the
ability of companies to seek a class action dismissal. Clapper
v. Amnesty International USA has led some courts to dismiss
data breach class actions for lack of standing (i.e., no
actual injury) if claims are based only on a potential
compromise of private data.
In this day and age, while no company's data is ever 100%
secure from a hacker's attack or misuse by rogue employees,
being proactive and having a good defense team ready on board can
help alleviate the worst fallout.
Five Tips to Protect Against Hacker Liability
All businesses, small or large, that obtain and store personal customer data should:
- Conduct an audit of their data security and rapid response protocols
- Update firewalls and adopt strong encryption for sensitive personal data
- Ensure that protocols are in place so that only authorized and trusted employees can access such data
- Consider adding data-breach insurance coverage
- Develop a rapid response plan for addressing data breaches, both on the public relations and legal side