BreachExchange mailing list archives

5 Ways a Firm Can Stop a Data Breach Lawsuit


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 2 Feb 2016 19:10:29 -0700

http://fortune.com/2016/02/02/data-breach-lawsuits/?xid=timehp-category

For company executives, data breaches are traumatic. They must rush to
patch data leaks and work with law enforcement while also reassuring
anxious customers and employees about fraud and identity theft. And then
there are the lawsuits.

After cyber criminals strike, class action lawyers are rarely far behind.
In the wake of breaches at retailers like Home Depot, Michaels, and Target,
lawyers have been quick to pounce by filing complaints seeking millions of
dollars in the name of consumers.

The outcome of such cases has been mixed, but the good news for executives
is they can take steps before and after a breach to minimize exposure to
civil lawsuits. Here are five tips:

Run a data breach simulation

Just like other corporate emergencies, executives can practice how to
respond to data breaches. Many firms run training exercises and role play
scenarios to prepare their staff for a cyber attack. This helps ensure
that, in the event of a breach, executive teams can respond quickly and
know in advance who is responsible for what.

Watch what you say

Margaret Dale, who advises clients about cyber crime at the law firm
Proskauer, says it’s critical for company officials to be mindful of what
they say in public after a data breach. While it’s important to reassure
customers and investors, an executive’s comments can also expose the
company to liability.

“You have to be really careful about what you say. You can be sure the
plaintiffs will use it against you later on,” said Dale, who adds that
companies should have a team in place to handle communications.

Know the law and speak up quickly

Following recent data breaches, some retailers have ended up on the hook
for big civil penalties, but others have not. Why the difference? One
explanation lies in how companies responded after the breach occurred. Home
Depot, for instance, dithered before warning people their data was
compromised, which is part of the reason the company is now poised to pay a
multimillion dollar settlement.

There’s also an extra incentive to speak up quickly because of laws in
nearly every state that require companies to notify customers about a data
breach. So how long can a company wait? The state laws typically don’t
specify a precise time, but refer instead to acting in a “reasonable” time.

Do your homework on your vendors

If cyber criminals want to plunder a company’s customer data, they have
multiple ways to go about it. They can attack a firm directly, or they can
look for a weak point among third parties attached to the firm’s network.
For instance, the massive Target hack began with attackers obtaining log-in
credentials from an outside company that supplied air conditioning to the
retailer.

According to Dale, the lawyer, companies should carry out due diligence on
the vendors they hire to ensure those outside firms are properly focused on
cyber security.

Offer credit monitoring services*

Today, in the wake of a data breach, most retailers are quick to offer free
access to services that monitor for credit and identity theft. Doing so is
not just good customer service. It can also help to undercut class action
claims that customers have suffered a real harm from the data breach.

There’s a reason this suggestion comes with an asterisk, however. In one
high profile case, involving Neiman Marcus, an appeals court pointed to the
retailer’s offer of credit monitoring as evidence that customers had
suffered enough harm to bring a lawsuit. In other words, the free offering
made it look like Neiman was admitting fault. The upshot is, when it comes
to offering credit monitoring, companies might be damned if they do and
damned if they don’t. The good news, though, is that legal scholars are
starting to see the Neiman case as an outlier.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 