Security Technology Executive

MAY-JUN 2018

Issue link:

Contents of this Issue


Page 14 of 79

Continued from page 12 After Your Data Breach CYBERTECH Inspire Children and families in crisis across the USA need our help – and yours. And as a 501(c)(3) organization, Mission 500 now has even greater flexibility to work with local charities to better support existing and new sponsors and volunteers. But even with over 1100 children sponsored and many acts of charity performed to date, there's still a great deal of work to be done. Get involved today! Visit for more information. Supporting Families Across America data breach notification compliance. The more companies can protect consumers up front and respond quickly to breaches, the stronger a litigation defense will be. Keeping consumer harm to a minimum is both good corporate practice and good litigation strategy. It should be noted that state courts can be more forgiving on some of these issues since state courts deciding civil cases under state law do not need to be concerned with standing under fed- eral constitutional standards; as a general matter, they need only be concerned with whatever their state standing rules are. Those can potentially be more permissive. Assuming plaintiffs bring their suits in state court – which can be difficult with regard to class actions since data breaches affecting consumers will almost always affect consumers across state lines – then it will be the idiosyncrasies of state law, and not constitutional standing or federal rules, that will govern. What Are the Claims? Third, what claims do plaintiffs bring? Increasingly, they seek damages (both compensatory and punitive) by turning to claims of negligence, breach of contract, consumer protection, and unfair competition. Indeed, a survey of cases over the past three years shows that negligence claims are increasingly becom- ing popular. The Home Depot data breach litigation referenced above itself included negligence, negligence per se, and viola- tions of various unfair and deceptive trade practices statutes. What plaintiffs often cannot turn to is data breach notification statutes. While such statutes will normally provide state attor- ney general offices with the power to enforce violations of those statutes, they rarely provide private rights of action to individual consumers or state residents affected by a breach. It's important to note that, usually, data breach litigation ends with a settlement, or possibly with a dismissal; but it is rare that cases go to trial with a verdict. (This is true, of course, for civil liti- gation in general – the vast majority of cases never reach a final judgment at a trial.) The Home Depot litigation, for example, had two class action settlements: one for the consumer class action, and one for the financial institution class action. Be Prepared For a company suffering a data breach, it can seem unfair that having been the victim of what is often criminal activity, that company might nevertheless have to suffer through a crucible of regulatory compliance and potential litigation. There are some signs that states and federal law enforcement entities increasingly see companies as victims rather than as somehow complicit in data breaches. Nevertheless, so long as companies collect, maintain, and use personal confidential information, they will be expected to maintain reasonable policies governing the security of that information and to act prudently in the event of a data security incident. Reasonable action can increase (but never guarantees) the likelihood of success. Request information:

Articles in this issue

Links on this page

Archives of this issue

view archives of Security Technology Executive - MAY-JUN 2018