With the large number of high-profile data breaches featured in the news recently, Edward Snowden and Heartland have become household names. Despite the attention to such significant breaches, the number of intrusions continues to rise.
A data breach, also referred to as a security breach or data intrusion, occurs when an unauthorized party accesses or retrieves sensitive data. Although data breaches often involve an intrusion into an electronic computer system by a hacker, they can also include physical access to data left unattended, such as a laptop or file.
According to the Identify Theft Resource Center, 614 breach incidents occurred in 2013, up 30 percent from the previous year. More than half of data breaches worldwide occur in the United States. It is estimated that the average data breach in the U.S. costs a company $188 per record accessed.
Laws regarding data breaches
Forty-seven states, the District of Columbia and Puerto Rico all have laws governing the contents and timing of the notice a company must provide to customers whose personal information was accessed through a data breach. Although no national law currently exists, a number of bills in Congress would create a national standard for data breach notification if passed. Publicly held companies are also subject to reporting guidelines from the Securities and Exchange Commission (SEC).
Recently, companies whose systems have been hacked have also come under the scrutiny of the Federal Trade Commission (FTC). In such cases, the FTC has alleged the data breach victim engaged in unfair and deceptive acts by not safeguarding customer information in the manner promised in its privacy policies.
Shareholder derivative lawsuits
While a data breach may be devastating to a corporation, recent shareholder derivative lawsuits prove breaches may also be disastrous for corporate directors and officers. In a shareholder derivative suit, a shareholder files a lawsuit on behalf of the corporation against a third party, typically a corporate insider such as an officer or director.
The shareholder plaintiff asserts a cause of action for which the management of the corporation could sue but has failed to do so. If the lawsuit is successful, directors and officers are held personally liable and damages are awarded to the corporation.
In two recent derivative suits, shareholders of Target Corp. and Wyndham Worldwide Corp. sued corporate directors and officers for mismanaging large-scale data breaches. Wyndham was the victim of three separate data breaches between April 2008 and January 2010 resulting in the theft of 619,000 credit card numbers. The complaint in the derivative suit alleges Wyndham directors and officers breached their fiduciary duties, wasted corporate assets and were unjustly enriched with regards to the three breaches.
Wyndham directors and officers failed to report the data breaches until over two years after they occurred. According to the complaint, Wyndham continued to use outdated and unsupported software even after its systems had been breached. Both the Target and Wyndham lawsuits are still pending.
Directors and officers may be indemnified by the corporation in some situations. However, the extent to which a corporation indemnifies its directors and officers may be affected by statutory limitations and corporate insurance policies. Thus, if the derivative lawsuit is successful, the directors and officers would pay out of pocket for the harm to the corporation, an amount alleged by the Wyndham shareholder plaintiff to be in excess of $10 million.
Assessing your security
From small startups to multimillion-dollar conglomerates, companies of all sizes have a duty to protect against and adequately respond to data breaches. Sufficient electronic and physical data security measures are often overlooked by startups and small businesses due to cost and lack of knowledge. Response to a data breach is frequently delayed, resulting in further liability.
A business can help reduce its liability by ensuring all sensitive data is encrypted, frequently updated firewalls and patches are utilized and regular security audits are performed by independent professionals. Companies that store payment card or other financial information should confirm compliance with all Payment Card Industry (PCI) security standards.
Privacy policies should never be copied from another company, as doing so could result in making deceptive security promises that expose the organization to FTC litigation. In the event of a data breach, a security expert and legal professional should be retained in order to formulate a legally compliant response and to avoid being held personally liable for a security attack on the organization.
Lindsay Junck is an associate attorney at the Lotus Law Center, where she practices business and intellectual property law. The Lotus Law Center was founded as a way to make legal services affordable for all sizes of businesses. Focusing on the practice of business and technology law, the Lotus Law Center provides premium personal and professional responses to the legal needs of business clients at an affordable fixed or hourly rate. Contact her at firstname.lastname@example.org.