BreachExchange mailing list archives
Lawsuits spin out of data breaches
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 23 Jun 2015 19:29:38 -0600
http://gazette.com/money-the-law-lawsuits-spin-out-of-data-breaches/article/1554268

Helping to demonstrate that every cloud has a silver lining if you look hard enough, hacking has proven to be of great benefit to the legal profession. That's because every major hacking event has resulted in a flurry of litigation. For example:

- Sony Pictures Entertainment is being sued in a class-action lawsuit initiated by nine former employees who claim the company failed to take adequate safeguards to protect personal information.
- Shortly after the Anthem data breach this year, the company was sued in several lawsuits alleging the company did not take adequate measures to secure its data.
- Target, in the aftermath of the massive breach it suffered in late 2013, has agreed to pay $10 million in damages to settle a class-action lawsuit brought on behalf of individuals whose personal information was compromised.

But that's not all. There is also a widespread finger-pointing exercise going on involving merchants who accept credit card payments, banks where merchants deposit their credit card payments, banks that issue credit cards, and credit card payment system companies such as MasterCard and Visa.

The reason is, when a data breach involving credit card information occurs, federal law protects card holders from liability for unauthorized transactions. Losses, therefore, initially fall on credit card issuers, which are, for the most part, banks.

There are then complex contractual arrangements that give credit card issuers the right to go back against banks where merchants deposit their credit card payments - and give those banks the right to go back against the merchants. Under these contracts, however, merchants are supposed to be protected against losses from unauthorized transactions as long as they follow customer verification procedures imposed on them by the contracts and otherwise adhere to something called "payment card industry data security standards."
As an example of how this finger-pointing plays out in the legal arena, MasterCard and Target reached an agreement in March whereby Target would pay $19 million to MasterCard to settle contractual claims arising out of the Target hack. However, three of the largest banks that issue credit cards - Citigroup, Capital One Financial and JPMorgan Chase - vetoed the settlement, saying $19 million wasn't nearly enough to compensate them for the hit they took in the aftermath of the Target data breach.

In another credit card industry-related lawsuit, Genesco - a large shoe, hat and sports apparel retailer - has sued Visa, claiming the contractual arrangements by which credit card-issuing banks can take money out of bank accounts where merchants deposit their credit card payments are illegal. In Genesco's case, it saw $13.3 million suddenly disappear from its accounts at Wells Fargo and Fifth Third Financial for what Visa called a "fine" before any determination was made of Genesco's rights and obligations under the contracts governing its participation in the Visa system.

If all of that isn't enough, the Federal Trade Commission has declared itself to be the chief regulator of cybersecurity in this country. Relying on vague language in the Federal Trade Commission Act (which goes back to a time when people still used smoke signals to communicate), the FTC has, over the past 13 years, brought administrative enforcement actions against more than 50 companies, alleging their lack of adequate data security systems constitutes an unfair or deceptive trade practice. These actions are intended to send a message to all other data collecting companies that they'd better clean up their act - or see you in court.