Ashley Madison Breach Another Warning To Companies
September 10, 2015
Add dating website Ashley Madison to the list of large companies like Target, Home Depot and Michael’s that have had customer information stolen by hackers. Published reports say Ashley Madison is now facing multiple lawsuits seeking more than a half-billion dollars.
Keeping customer info safe isn’t just a concern for large companies – even small businesses holding personal information can face costly consequences if a breach occurs.
In the past, cases proceeded in the courts only if plaintiffs could show actual harm (such as money stolen by identity thieves); the mere exposure of personal information was not enough to sustain a lawsuit.
After the 2013 Target breach, a Minnesota federal judge accepted the plaintiffs’ claims of potential future harm and allowed a class-action suit to move forward. Target promptly offered $10 million to reimburse consumers for any harm they could eventually show – but that amount was rejected by the plaintiffs. Target this month reached a new proposed settlement under which it would pay $67 million to reimburse consumers’ banks for losses related to the breach.
Whether the Minnesota ruling is a harbinger of other courts allowing these claims to proceed – and whether the ruling will impact the Ashley Madison lawsuits — is an open question. But it underscores the importance of doing everything possible to prevent data breaches.
Small businesses must also be careful to satisfy the data protection laws of every state where they do business. Many people are surprised to learn that Pennsylvania and most other states, with exceptions such as Massachusetts and California, impose no general duty on businesses to safeguard personal information before a breach occurs.
However, Pennsylvania does require any business that suffers a breach of personal information to notify all affected state residents and provide phone numbers of credit reporting agencies.
Moreover, in a case involving Wyndham Hotels, the Third Circuit Court of Appeals (the federal appellate court with jurisdiction over Pennsylvania) ruled this month that the Federal Trade Commission has broad authority to sue companies that fail to protect consumers’ privacy and maintain reasonable data security. And Congress is now considering the Data Security and Breach Notification Act of 2015, which would provide the FTC with further regulatory authority.
Any business that accepts credit card payments must also comply with the Payment Card Industry Data Security Standard (PCI DSS), which requires, among other things, regular system updates and data-breach response policies. Failure to comply could lead to a business facing fines, higher transaction fees and even losing the ability to accept credit cards – what I call a “death penalty” in today’s commercial environment.
In general, personally identifiable information is defined as an individual’s first name or initial and last name, plus one or more of these elements:
- Social Security Number
- Driver’s license number or other government-issued identification number
- Financial account number and/or credit card number, in combination with any required access codes or passwords.
No matter the size of your business, I recommend three basic steps:
- Get professional help: All businesses that collect personal information should talk to their attorneys, and attorneys should work closely with IT staff or contractors. Companies need appropriate data security policies in place that include what to do in case of a breach.
- Perform audits: The agreements businesses sign to accept credit cards require self-certified audits of their systems. Overlooking this step is risky: it leaves the system exposed and opens the business to harsh penalties from the credit card companies.
- Get insured: Breaches are expensive. It costs money to draft and issue notices, offer credit monitoring, defend against lawsuits, and pay settlements or fines. Insurance companies offer data privacy policies, generally separate from standard commercial liability coverage.
The bottom line is that most businesses, no matter their size, hold personal information and need to guard against data breaches – or run the risk of expensive consequences.
Keep in mind that in a settlement, if several thousand people want even just a few dollars apiece, the out-of-pocket cost quickly adds up.
McNees, Wallace & Nurick LLC attorney Devin J. Chwastyk’s practice is focused on complex commercial litigation, with an emphasis on class actions, privacy and data security, constitutional law, intellectual property, and appellate litigation.