July 26, 2016

Data Breach Litigation: 6 Ways to Avoid Costly Consumer Lawsuits

When a data breach occurs and credit cards are exposed, should hacked companies have to compensate their customers for potential data breach damages?

While plaintiffs have had a tough time proving direct material harm, according to Wall Street Journal Europe and other publications, various reports about data breach litigation suggest some courts are beginning to think they should.

In the U.K., the English Court of Appeal ruled there may be a privacy claim without immediate financial loss.

In the U.S., this type of data breach lawsuit is proceeding in a few cases.  

A panel of Court of Appeals judges in one online article said victims of a luxury department store’s breach shouldn’t have to wait until a fraud occurred before being allowed to sue.

“Why else would hackers break into a store’s database and steal consumers’ private information?” wrote a judge. “Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”

There have been class action lawsuits too, from affected customers and employees. While none of the large data breach lawsuits have gone to trial, companies have paid out millions of dollars in settlements.   

What can an organization do to reduce the risk of a data breach and lawsuit?

  • Put a data breach response plan in place. Since 2013, the percentage of organizations that have one has increased from 61% to 81%, according to Ponemon’s Third Annual Data Breach Preparedness Study. Industry experts recommend periodic ‘fire drills’ to make sure everyone knows what to do, and vulnerabilities are addressed.
  • Have a dedicated breach response team. In earlier Ponemon research,67% of respondents had a team dedicated to breach response.
  • Handle communications carefully. While customers and investors need reassurance, experts advise organizations to be careful not to say anything plaintiffs can use against you later. The key is to maintain trust of customers, business partners, and other key stakeholders.
  • Act on applicable notification laws. ‘Notify consumers immediately’ was one of the key measures recommended by respondents in a RAND Corporation study when asked what companies can do to better protect personal information.
  • Consider other measures for customers. In the Ponemon report, 74% said free identity theft protection and credit monitoring services would help keep customers and maintain reputation; 50% said gift cards could help, 42% said discounts on products or services would help, and 39% said a sincere and personal apology was important.
  • Monitor third parties. Research has shown that cyber criminals often get into a network through third party weaknesses. Be sure third parties have adequate privacy and data protection practices.

As a matter of course, all organizations should have comprehensive privacy and information security protocols.There should be on-going employee education as well as workplace reminders. Keep all network systems and hard drives protected and updated with security software and other safeguards. Use a document management process to protect confidential information from creation to end-of-life. Partner with a leading document destruction expert for secure data destruction of both paper and digital data.  

Learn how to protect your organization against cyber criminals – and lawsuits – by using best practices to protect all the confidential information you create.