The legal liability for getting hacked is real, as a few recent news stories demonstrate — and Congress is working on even tougher rules.
That puts a bigger security burden than ever on your company. Just promising to do better next time may not cut it.
Take these recent news stories:
- The Federal Trade Commission (FTC) recently issued the biggest fine ever to a company whose records were stolen by a hacker. Data broker ChoicePoint was fined $275,000 for allowing two major data attacks, affecting more than 160,000 U.S. consumers. The attacks included the theft of social security numbers and other personal information.
- A federal judge shot down a recent offer by stockbroker TD Ameritrade to settle claims based on a 2007 data breach that compromised names, addresses, phone numbers and trading information of potentially all of its more than 6 million retail and institutional customers. The remedies the company had worked out (having a third-party analytics firm determine whether any identity theft had occurred, plus an offer of free security software for customers) were rejected as “very temporary fixes.” The company will have to do far better, according to the judge.
- In Maine, a decision is pending from the state Supreme Court on whether companies can be held liable to consumers and banks for the time and money spent resolving problems and reissuing cards compromised by stolen data. Regional supermarket chain Hannaford Brothers had data on 4.2 million debit and credit card customers stolen.
As a Computerworld article dealing with the Maine case states:
“In most cases, courts have held that since consumers are compensated for any loss by the card-issuing bank they have little reason to seek other damages from the breached entity. They have also tended to reject the idea that consumers must be compensated for damages that they could suffer in the future as a result of a data breach.”
But that may be changing — whichever decision Maine’s high court makes is expected to influence judges in other jurisdictions. And, meanwhile, Congress is poised to pass the Personal Data Privacy and Security Act, which would require notification of victims and hold companies liable for breaches (mirroring several state laws already on the books). The cost of inadequate data security may get a lot higher soon.