Media Center

June 4, 2015
Publications

When people think about data breaches, corporate giants like Target, Home Depot and Michael’s spring to mind. But even small businesses holding personal information can face costly consequences if a breach occurs.

In the past, cases only proceeded in the courts if plaintiffs could show actual harm (such as money stolen by identity thieves) – the mere exposure of personal information was not enough to file a lawsuit.

But, after the 2013 Target breach, a Minnesota federal judge accepted the plaintiffs’ claims of potential future harm and allowed a class-action suit to move forward. Target promptly offered $10 million to reimburse consumers for any harm they could eventually show – but that amount was rejected by the plaintiffs, and Target could be on the hook for substantially more.

Whether the Minnesota ruling is a harbinger of other courts allowing these claims to proceed is an open question, but it underscores the importance of doing everything possible to prevent data breaches.

Small businesses must also be careful to satisfy data protection laws of any state where they do business.  Many people are surprised to learn that Pennsylvania and most other states, except Massachusetts and California, don’t already require that businesses protect personal information.

However, Pennsylvania does require any business that suffers a breach of personal information to notify all affected state residents and provide phone numbers of credit reporting agencies.

Any business that accepts credit card payments must also comply with the Payment Card Industry Data Security Standards, which requires regular system updates and data-breach response policies. Failure to comply could lead to a business facing fines, higher transaction fees and even losing the ability to accept credit cards – what I call a “death penalty’’ in today’s commercial environment.

And Congress is now considering the Data Security and Breach Notification Act of 2015, which would authorize the Federal Trade Commission to enact guidelines requiring that businesses adopt “reasonable” measures to protect personal information and mandate the reporting of any breaches.

In general, personally identifiable information is defined as an individual’s first name or initial and last name, plus one or more of these elements:

• Social Security Number
• Driver’s license number or other government-issued identification number
• Financial account number and/or credit card number, in combination with any required access codes or passwords.

No matter the size of your business, I recommend three basic steps:

1. Get professional help: All businesses that collect personal information should talk to their attorneys, and attorneys should work closely with IT staff or contractors. Companies need appropriate data security policies in place that include what to do in case of a breach.
2. Perform audits: The agreement for businesses that accept credit cards require self-certified audits of systems. Overlooking this step can be risky, leaving the system exposed and opening the business to harsh penalties from credit card companies.
3. Get insured: Breaches are expensive. It costs money to draft and issue notices, offer credit card monitoring, defend against lawsuits, and pay settlements or fines. Insurance companies offer data privacy policies, generally separate from standard commercial liability.

The bottom line is that most businesses, no matter their size, hold personal information and need to guard against data breaches – or run the risk of expensive consequences.

Keep in in mind that in a settlement, if several thousand people want even just a few dollars apiece, the out-of-pocket cost quickly adds up.