As regular readers of the ITRC blog already know, data breaches can occur in a variety of ways. Either by hacking, employee error or negligence, or some form of physical theft, access to customer information is given to criminals who may then use that information for illicit purposes.
The financial fallout of these breaches often leads to lawsuits which can cost the breached company serious dollars. Below are some of the most expensive, high profile breaches in the past year and the litigation that resulted from them.
Target: The Target data breach is almost certainly the largest and most visible cyber-attack since the breaches of Heartland Payment Systems or TJX. Currently the retail giant is facing a plethora of legal actions resulting from the breach of more than 40 million customers’ credit and debit card information. Many of these lawsuits stem from alleged negligence on the part of Target. Banks associated with this breach assert that the need to issue new credit and debit cards, as well as to clean up any resulting fraud, could end up costing them millions.
Neiman Marcus: The Neiman Marcus data breach was perpetrated by hackers who stole personal information from more than 1.1 million debit and credit cards over a period of months. It is generally assumed that the malware used in this breach was similar to that used to access Target’s system.
There is currently a pending lawsuit alleging that Neiman Marcus knew about the stolen information but waited several weeks before informing affected consumers. According to most data breach notification laws, the only relevant reason for waiting to notify affected consumers is if to do so would compromise an ongoing criminal investigation or expose some national security objective.
Michaels: Michaels Arts and Crafts Supply Store is also facing a pending class-action lawsuit over the fallout of a data breach. Exact information about the number of records exposed or the damage in dollars is still limited, but the current suit alleges that Michaels failed to report its last major breach in May of 2011. In addition, it allegedly failed to adequately monitor its payment systems in a way that would allow the retailer to detect fraud or other signs of tampering, allowing the breach to continue unnoticed for an extended period of time.
It is imperative, not only for the good of the consumer but for the businesses that handle sensitive personal information themselves, to have best practices and protocols in place to immediately and effectively identify a breach incident and subsequently mitigate any resulting harm. In the event that a data breach does occur, it is equally important that businesses resist the traditional inclination to stay silent on the matter.
The companies that recover from breaches the fastest and with the least public relations damage are those that get out ahead of the issue. They have a Data Breach Incident Response Plan that lets them notify consumers about what happened, explain what they have done to correct the situation, describe the steps they are taking to minimize the risk of it happening again, and provide the remedies customers need, rebuilding their customers’ confidence and trust. For specific questions relating to data breaches, please visit our website at www.idtheftcenter.org or call us toll free at (888) 400-5530.