The consumer may not be your worst enemy in the case of a data breach

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.insidecounsel.com/2014/11/03/the-consumer-may-not-be-your-worst-enemy-in-the-ca

Hardly a month passes without headlines of a prominent business, from
retail giants like Target and Home Depot to sophisticated financial
institutions like JPMorgan Chase, experiencing a data breach involving the
unauthorized disclosure of consumers’ personal and financial information.
Those headlines are routinely followed by reports of class-action lawsuits
being filed on behalf of consumers within weeks and sometimes days of the
public release of the breach.

It should be no surprise then that data breach lawsuits are on the rise
across the nation. What may be surprising is that businesses may face their
most significant data breach liability threat not from consumers but from
their business partners and shareholders. With increasing frequency, banks,
payment card issuers and shareholders are suing companies that suffer a
data breach for business and investor losses resulting from the disclosure
of consumer information.

While consumers have had only limited success in data breach lawsuits
because of the difficulty in establishing actual rather than speculative
monetary injury, non-consumer plaintiffs do not face this challenge because
they can more easily identify compensable losses in the form of lost
business expenses resulting from the breach. Accordingly, businesses should
be equally, if not more, concerned about data breach lawsuits brought by
parties other than their customers.

The recent Target data breach, which involved the theft of 40 million
payment card numbers, provides a good example of the multi-front litigation
that businesses can expect from a data breach. In addition to facing the
class-action claims filed by consumers, Target is being sued by 29 payment
card issuers who allege that Target’s negligence in securing its computer
network cost them millions dollars in reissuing payment cards and
reimbursing the victims of fraud. In September 2014, Target moved to
dismiss the banks’ claims, arguing that it had no common-law tort duty to
the banks and card issuers. The court has yet to rule on Target’s motion,
but its resolution of these claims could have a significant impact on how
similar claims are asserted and resolved in the future.

Board directors of Target, Wyndham Worldwide Corp. and other companies have
also been sued in shareholder derivative suits arising from data breaches.
Generally, these lawsuits allege that directors breached their fiduciary
duties to the companies and shareholders by failing to take reasonable
steps to maintain customers’ personal and financial information in a secure
manner. The shareholder plaintiffs seek damages associated with the loss of
share value and waste of company assets arising from legal costs,
liability, and government investigations. If these lawsuits are successful,
the damages will be significant. For example, Target recently announced in
a SEC filing that it expects its data breach expenses to reach $148 million.

Companies suffering a data breach involving the theft of payment card
information can also expect fines from payment card companies, such as
Visa, Mastercard and American Express. Under their contracts with payment
card issuers and processors, such as banks and credit unions, payment card
companies require merchants who accept their payment cards to comply with
the Payment Card Industry Data Security Standard (PCI-DSS), which
establishes information security standards for payment processes, systems,
networks, software and applications. Merchants who fail to comply with
PCI-DSS are subject to fines and reimbursement assessments from the payment
card companies. Although the fines vary depending on the volume of payments
processed by the merchant and the number of violations, companies that
experience a data breach can be fined and assessed millions of dollars.

Some retailers are challenging these fines and assessments in court. For
example, in Genesco, Inc. v. Visa U.S.A., Inc., which is currently pending
in federal court in the Middle District of Tennessee, apparel retailer
Genesco, Inc. is suing Visa after being fined and assessed for violations
of PCI-DSS. In that case, hackers installed software on Genesco’s computer
network to obtain cardholders’ unencrypted account data that was
transmitted to Wells Fargo and Fifth Third banks. After the breach, Genesco
retained an information security firm to investigate the breach. The
investigation report, which was provided to Visa, found three violations of
the PCI-DSS requirements. As a result, Visa assessed Wells Fargo and Fifth
Third over $13 million in fines and reimbursement costs for Genesco’s
PCI-DSS violations under its contracts with the banks. Genesco indemnified
the banks, and the banks assigned their claims against Visa for the fines
and assessments to Genesco.

Genesco subsequently sued Visa as the banks’ assignee and subrogee for
recovery of the fines and assessments, asserting claims of breach of
contract and implied covenants of good faith and fair dealing, unjust
enrichment, restitution, and violation of California’s Unfair Competition
Act. Genesco alleges that Visa lacked a factual basis for its fines and
assessments and imposed them in violation of Visa’s agreements with the
banks. Genesco’s claims are still pending, and the court refused to dismiss
its claim for violation of the Unfair Competition Act. According to the
court, “[I]f Visa’s contracts impose assessments based upon possible risk
of injuries in the event of a breach of a cardholder’s data, without an
actual theft of such data, then that assessment may be an unenforceable
penalty.”

These recent developments demonstrate that when assessing cybersecurity
risks businesses must think beyond the consumer data breach lawsuits that
dominate the headlines and consider potential claims from business partners
and shareholders. Companies must ensure that their information systems and
networks are secure and comply with prevailing security standards and
contractual requirements. Companies should also obtain cybersecurity and
D&O liability insurance that covers data breaches and include data breach
protections into contracts with vendors, suppliers and other business
partners. Finally, businesses should continually monitor the rapidly
developing law relating to data breaches to ensure they have adequately
prepared to preserve all litigation options and defenses in the event they
face lawsuits filed by their business partners and shareholder as a result
of a data breach.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!