Jim Flynn wrote: "Helping to demonstrate that every cloud has a silver lining if you look hard enough, hacking has proven to be of great benefit to the legal profession. That's because every major hacking event has resulted in a flurry of litigation.
- Sony Pictures Entertainment is being sued in a class-action lawsuit initiated by nine former employees who claim the company failed to take adequate safeguards to protect personal information.
- Shortly after the Anthem data breach this year, the company was sued in several lawsuits alleging the company did not take adequate measures to secure its data.
- Target, in the aftermath of the massive breach it suffered in late 2013, has agreed to pay $10 million in damages to settle a class-action lawsuit brought on behalf of individuals whose personal information was compromised.
But that's not all. There is also a widespread finger-pointing exercise going on involving merchants who accept credit card payments, banks where merchants deposit their credit card payments, banks that issue credit cards, and credit card payment system companies such as MasterCard and Visa.
The reason is, when a data breach involving credit card information occurs, federal law protects card holders from liability for unauthorized transactions. Losses, therefore, initially fall on credit card issuers, which are, for the most part, banks.
There are then complex contractual arrangements that give credit card issuers the right to go back against banks where merchants deposit their credit card payments - and give those banks the right to go back against the merchants. Under these contracts, however, merchants are supposed to be protected against losses from unauthorized transactions as long as they follow customer verification procedures imposed on them by the contracts and otherwise adhere to something called "payment card industry data security standards."
As an example of how this finger-pointing plays out in the legal arena, MasterCard and Target reached an agreement in March whereby Target would pay $19 million to MasterCard to settle contractual claims arising out of the Target hack. However, three of the largest banks that issue credit cards - Citigroup, Capital One Financial and JPMorgan Chase - vetoed the settlement, saying $19 million wasn't nearly enough to compensate them for the hit they took in the aftermath of the Target data breach.
In another credit card industry-related lawsuit, Genesco - a large shoe, hat and sports apparel retailer - has sued Visa, claiming the contractual arrangements by which credit card-issuing banks can take money out of bank accounts where merchants deposit their credit card payments are illegal. In Genesco's case, it saw $13.3 million suddenly disappear from its accounts at Wells Fargo and Fifth Third Financial for what Visa called a "fine" before any determination was made of Genesco's rights and obligations under the contracts governing its participation in the Visa system.
If all of that isn't enough, the Federal Trade Commission has declared itself to be the chief regulator of cybersecurity in this country.
Relying on vague language in the Federal Trade Commission Act (which goes back to a time when people still used smoke signals to communicate), the FTC has, over the past 13 years, brought administrative enforcement actions against more than 50 companies, alleging their lack of adequate data security systems constitutes an unfair or deceptive trade practice. These actions are intended to send a message to all other data collecting companies that they'd better clean up their act - or see you in court."
Lawyers are currently suing over a variety of issues caused by hackers. Not all of these cases will succeed in court, whether through settlements or outright wins, but "plaintiff's attorneys are remaining steadfast in their attempt to establish working theories of liability and carve out new ground for legal standing."
What that means for your organization is that complying with various regulations (like PCI) is becoming a very high priority. Here is a whitepaper written by a lawyer who also holds the CISA, CISSP, CIPP, ISSMP, and CRISC certifications that will help you better understand why having an effective security awareness program can prevent a significant amount of legal fees:
This article was cross posted from the Colorado Gazette