BreachExchange mailing list archives
Different Degrees of Breach Response
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Tue, 27 Dec 2011 14:43:10 -0500
http://www.govinfosecurity.com/articles.php?art_id=4360

The key message from the recent court ruling on the Hannaford data breach: You don't have to suffer fraud to be a victim.

A federal appeals court recently ruled in favor of victims of the 2007 Hannaford data breach. According to this ruling, some victims of the Hannaford payment card breach can sue for damages resulting from the costs of card replacement, theft insurance and other "reasonable" mitigation efforts. This decision partially overturns a district court ruling that dismissed 26 individual lawsuits against Hannaford, a northeastern U.S. grocery chain.

In all, roughly 4.2 million accounts were compromised and 1,800 cases of fraud were reported as a result of the breach, which was masterminded by convicted fraudster Albert Gonzalez, who currently is imprisoned after pleading guilty to several crimes, including the Heartland Payment Systems breach.

The message of this ruling? "Companies need to take more care in their data breach response plans in terms of deciding who actually needs to be provided notification," says Ronald Raether, an Ohio-based attorney with deep experience in breach litigation. "I think Hannaford provides the wake-up call for companies to take a better look at what the law actually requires in terms of notices ..." and then tailor those notices appropriately based on the actual fraud risk the individual accounts might face.

Ideally, Raether says, Hannaford should have prepared one form of letter for the 1,800 complaints of actual fraud, but a different form of letter for the remaining 4.2 million who were not defrauded.

"Sending different forms of breach notice letters helps in the defense against class actions," Raether says. "It helps in allowing regulators and others to understand that the scope of the breach and the severity of it may vary considerably among each of those groups. I think overall, it puts the company in a better position to forge ahead and negotiate the troubled waters that come after a data breach in terms of dealing with class actions, regulators and even public relations issues."

In an exclusive interview about the Hannaford decision and its ramifications, Raether discusses:

- The significance of this decision re: data breaches and responsibility;
- The message to merchants and financial institutions;
- Advice for organizations about breach preparedness in 2012.

Raether is a partner at Faruki Ireland & Cox in Dayton, Ohio. His broad experience with technology-related issues spans a broad array of substantive legal areas, including patent, antitrust, licensing and contracts, employment, trademark, domain name disputes, and federal and state privacy statutes. He has been involved in seminal cases addressing compliance with statutes that regulate the use and disclosure of personal information and laws that concern the adequacy of securing against unauthorized access to personal information. Raether has successfully defended companies in over 25 class actions, and has represented companies in over 150 individual FCRA cases.

The Hannaford Data Breach: It's been more than three years since the incident - what's new?

TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. I'm talking today with Ronald Raether. He is an attorney and partner at Faruki, Ireland, & Cox LLP. Ron, it was early 2008 when Hannaford entered the news with its data breach that certainly sparked lots of headlines that year and beyond. And the case has just come back into the news with a fresh court decision. What can you tell us about this decision?

[..]
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list