Data breaches have become increasingly common within the last decade. Most of these intrusions have drawn a great deal of consumer scrutiny and could affect a company’s future business potential. These data breaches have affected some major corporate enterprises, and it is important for them to consider their legal obligations from a cybersecurity and data breach perspective. Take, for example, the data breaches and compromises listed below:
- In 2007, TJ Maxx was subject to an intrusion where 94 million records were compromised;
- In 2010, Sony PlayStation Network suffered an intrusion where 77 million records were compromised;
- In 2013, Target was subject to an intrusion where 70 million records were compromised; and
- In 2014, JP Morgan Chase fell victim to an intrusion where 76 million records were compromised.
Unfortunately, although these corporations are obviously victims of serious crimes, these breaches have pushed the onus onto businesses to develop security measures to protect consumer information. Failing to develop potential safeguards can ultimately lead to great distrust amongst the public, or, in certain circumstances, even litigation.
After Target’s 2013 data breach, the company faced a class action for failing to protect customer data and ultimately settled for $10 million. Such a suit leads to the question: how exactly does a corporate entity become responsible for the nefarious acts of a third party?
Typically, if the state has not adopted legislation placing the affirmative duty upon the corporate entity to adopt security measures for the protection of consumer information (please note: Massachusetts, California, Connecticut, Rhode Island, Oregon, Maryland, and Nevada have all passed such legislation), a court will view the failure to provide sufficient protection of consumer information under a typical negligence standard. A court will, therefore, consider (more…)