On July 20, 2015, the Seventh Circuit reinstated a data breach class action in Remijas v. Neiman Marcus Group, LLC, No. 14-3122, after a 2013 malware attack on Neiman Marcus’s computer systems that resulted in the theft of customers’ credit and debit card information. The plaintiffs argued that they had constitutional standing to pursue their claims against the retailer based on an alleged increased risk of future fraudulent charges and greater susceptibility to identity theft. This decision is troubling and could have a potentially significant and wide-ranging impact on pending and future class actions brought in the wake of similar data breaches. In fact, plaintiffs’ lawyers already are citing the decision in other data breach class actions facing Rule 12 standing challenges. See, e.g., In re Barnes & Noble Pin Pad Litigation, No. 12-08617, U.S. Northern District of Illinois.
Continue Reading Seventh Circuit Resurrects Data Breach Class Action and Stymies Standing Challenge

A familiar refrain of some corporate clients discussing data breaches is: “We’re not a health care company. We also don’t process customer credit card transactions. We really don’t collect protected health information or personally identifiable information from customers in any way. Do we need to be worried about data breaches?” A June 15, 2015 decision from the U.S. Central District of California reaffirms that the answer is a resounding, unqualified YES for any company that has employees, which means almost any company of any kind, regardless of whether it provides health-care-related services or processes customer credit card transactions.
Continue Reading Data Breach Case Survives Rule 12 – Sony Employee Negligence Claims Still Kicking

As we reach the midpoint of 2015, it is a good time to check in on the progress of the Data Breach and Security Notification Act of 2015 that is making its way through Congress. Most privacy experts and data breach practitioners agree that a single nationwide data breach notification statute would be superior to the current state-by-state regime—it would certainly make data breach response much easier and more cost-effective—but there is considerable debate about what that statute should say. 
Continue Reading Checking In On the Federal Data Breach Notification Law

The National Labor Relations Board (NLRB) may be yet another new sheriff in town (in addition to all the other sheriffs such as the FTC, FCC, SEC, OCR, OIG, state AGs, etc.), poised to box the ears of data breach “scofflaws” with expensive, time-consuming, conflicting and perhaps impossible-to-comply-with requirements related to computer security incidents.
Continue Reading NLRB Steps into the Data Breach

PCI DSS. If your company deals with credit cards and you don’t know what those letters stand for, you should. While the public relations nightmares, response costs and expensive class action defense fees associated with major data breaches garner most of the headlines in the mainstream media, many companies that are victims of data breaches also face significant compliance costs, penalties and fines as a result of contractual relationships with credit card companies, credit card processors and banks. These all stem from a company’s failure to comply with PCI DSS.

So what is PCI DSS? It’s the Payment Card Industry Data Security Standard, which is the proprietary information security standard for organizations that handle branded credit cards from the major card brands, including Visa, MasterCard, American Express and Discover. PCI DSS compliance is an ongoing process and is far too complicated to discuss in detail here. For an overview of PCI DSS and the complete requirements, you can go here. But for our purposes, we will just focus on the risks of not complying.
Continue Reading PCI DSS Compliance: A Difficult Task Worth Doing

In 2014, we saw some of the largest, most expensive and most highly publicized data breaches in history. Unfortunately, the early forecast for 2015 does not appear to be any better. According to Experian’s 2015 Data Breach Industry Forecast, the risk of experiencing a data breach is higher than ever (almost half of all organizations have suffered at least one security incident in the last 12 months). In the Information Age, it has become increasingly clear that the question is when, not if, a company will have a cybersecurity incident. 

Speaking in June 2014 at a cyber risk conference at the New York Stock Exchange, SEC Commissioner Luis Aguilar emphasized the critical role that directors and officers must play in cybersecurity matters:

Given the significant cyber-attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s oversight responsibilities. . . . [B]oards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility do so at their own peril.

So what should directors and officers do to avoid becoming the “next Target” or the “next Home Depot”?
Continue Reading Directors and Officers Ignoring Cybersecurity “Do So at Their Own Peril”