BreachExchange mailing list archives

Different Degrees of Breach Response


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Tue, 27 Dec 2011 14:43:10 -0500

http://www.govinfosecurity.com/articles.php?art_id=4360

The key message from the recent court ruling on the Hannaford data
breach: You don't have to suffer fraud to be a victim.

A federal appeals court recently ruled in favor of victims of the 2007
Hannaford data breach. According to this ruling, some victims of the
Hannaford payment card breach can sue for damages resulting from the
costs of card replacement, theft insurance and other "reasonable"
mitigation efforts. This decision partially overturns a district court
ruling that dismissed 26 individual lawsuits against Hannaford, a
northeastern U.S. grocery chain.

In all, roughly 4.2 million accounts were compromised and 1800 cases
of fraud were reported as a result of the breach, which was
masterminded by convicted fraudster Albert Gonzalez, who currently is
imprisoned after pleading guilty to several crimes, including the
Heartland Payment Systems breach.

The message of this ruling? "Companies need to take more care in their
data breach response plans in terms of deciding who actually needs to
be provided notification," says Ronald Raether, an Ohio-based attorney
with deep experience in breach litigation. "I think Hannaford provides
the wake-up call for companies to take a better look at what the law
actually requires in terms of notices ..." and then tailor those
notices appropriately based on the actual fraud risk the individual
accounts might face.

Ideally, Raether says, Hannaford should have prepared one form of
letter for the 1800 complaints of actual fraud, but a different form
of letter for the remaining 4.2 million who were not defrauded.

"Sending different forms of breach notice letters helps in the defense
against class actions," Raether says. "It helps in allowing regulators
and others to understand that the scope of the breach and the severity
of it may vary considerably among each of those groups. I think
overall, it puts the company in a better position to forge ahead and
negotiate the troubled waters that come after a data breach in terms
of dealing with class actions, regulators and even public relation
issues."

In an exclusive interview about the Hannaford decision and its
ramifications, Raether discusses:

The significance of this decision re: data breaches and responsibility;
The message to merchants and financial institutions;
Advice for organizations about breach preparedness in 2012.

Raether is a partner at Faruki Ireland & Cox in Dayton, Ohio. His
broad experience with technology-related issues spans a broad array of
substantive legal areas, including patent, antitrust, licensing and
contracts, employment, trademark, domain name disputes, and federal
and state privacy statutes. He has been involved in seminal cases
addressing compliance with statutes that regulate the use and
disclosure of personal information and laws that concern the adequacy
of securing against unauthorized access to personal information.
Raether has successfully defended companies in over 25 class actions,
and has represented companies in over 150 individual FCRA cases.

TOM FIELD: The Hannaford Data Breach. It's been more than three years
since the incident - what's new? Hi, this is Tom Field, Editorial
Director with Information Security Media Group. I'm talking today with
Ronald Raether. He is an attorney and partner at Faruki, Ireland, &
Cox LLP.

Ron, it was early 2008 when Hannaford entered the news with its data
breach, which certainly sparked lots of headlines that year and beyond.
And the case has just come back into the news with a fresh court
decision. What can you tell us about this decision?

[..]
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
