Cyber thieves are successfully stealing masses of customer and employee data from major companies at a dangerous rate. Hackers are running away with information like credit card and Social Security numbers, putting victims at risk of identity theft.
Many companies respond to data breaches by providing those affected by the compromise with at least one year of free credit monitoring. However, some consumers feel those protections do not reach far enough and do not protect them in the event that more sensitive information, like a Social Security number, has been stolen. When one year of free credit monitoring is not enough, consumers turn to legal action.
So far, companies involved in breaches could rest easy knowing a legal rule protected them from consumers seeking damages through legal action. Until now.
In 2015, the 7th Circuit Court of Appeals issued a ruling which revived a lawsuit against the luxury department store Neiman Marcus. The suit covered a 2013 data breach in which hackers stole credit card information from as many as 350,000 customers, and the Court of Appeals ruling makes it easier for consumers to sue the companies which lose their personal information in data breaches.
Prior to this ruling, companies had been able to avoid consumer lawsuits by invoking the Supreme Court case Clapper v. Amnesty International USA.
The Clapper case, which concerned phone records and national security, required potential plaintiffs to show a risk of “imminent” and “concrete” injury. It is frequently used to block consumer class-action suits involving data, since victims who fear future fraud or identity theft cannot show injury until their identity has already been stolen and used criminally.
The turning point of the Neiman Marcus case came when Chief Judge Diane Wood asked, “Why else [other than to cause harm] would hackers break into a store’s database and steal consumers’ private information?” Under Wood’s reasoning, the threat of having your stolen information used against you shifts from hypothetical to imminent, which satisfies the injury standard set by the Clapper case.
The department store’s three-year-old case has concluded with Neiman Marcus agreeing to pay $1.6 million to settle the breach class action in Illinois federal court.
For companies, there are steps that can reduce the risk of legal action, and they center on handling a data breach with care and efficiency.
- Immediately contact IT professionals if you know or suspect that your organization has experienced an attack on your data systems.
- Report the breach to police authorities and the FBI.
- Locate the threat and disconnect breached systems to limit damage and prevent further data breaches.
- Contract outside IT forensic experts to handle the ongoing investigation. This is an essential part of ensuring credibility with customers, vendors and investors, as relying solely on an internal investigation can appear biased.
- Gather all relevant executives and public communications teams to draft the company’s response to the data breach.
- Notify necessary parties as soon as possible. This includes notifying affected parties, both consumers and business partners, and law enforcement.
- Get set up with credit monitoring and breach support services for your organization and those affected by the breach.
Companies are responsible for keeping their consumer information safe and private. When they fail at doing so, they owe their customers a swift and effective response to the data compromise.