Cybersecurity is a major concern for any business that uses computers and the internet, which refers to nearly every business these days. Businesses routinely come into possession of customers’ personally identifiable information (PII), such as names, dates of birth, addresses, or credit card numbers. This information can be used in identity theft, which can be ruinous for victims. In certain industries, such as health care, businesses have to comply with strict requirements regarding the security of PII. Businesses in general should take steps to safeguard PII in their possession, both as a good business practice and in order to avoid possible liability, to customers and potentially to the state, for data breaches.
Recent Cybersecurity Breaches
The most recent case to make national news involved the internet auction site eBay. Hackers reportedly accessed personal data from 145 million user accounts, prompting the company to advise all of its users to change their passwords. The retail chain Target made two separate announcements in late 2013 regarding security breaches that compromised the PII of as many as 110 million customers. In both cases, the companies are accused of missing warning signs prior to the breaches, and of mishandling their responses.
Regulatory Consequences of Cybersecurity Breaches
Lawmakers in Congress and in several states are now seeking information regarding these cybersecurity breaches. Regulators in Connecticut, Florida, and Illinois have reportedly begun formal investigations, while the New York Attorney General has called on eBay and other companies to offer credit monitoring and related services free of charge to customers affected by the breaches.
Consequences of Cybersecurity Breaches within Companies
Most businesses may not think they have the same magnitude of cybersecurity risks as companies like eBay or Target. The difference is really just one of degree. A breach that compromises the PII of only one customer, while perhaps inconsequential to a large corporation, can be catastrophic for a company that serves a very small clientele. Stakeholders in the business may demand accountability for cybersecurity issues. An adviser to several of Target’s major shareholders, for example, has urged the removal of more than half of Target’s Board of Directors because of the security breaches.
Liability for Cybersecurity Breaches
Most businesses would prefer not to get sued in the first place, of course, but it is worth noting that the law is still developing with regard to the liability of a business to its customers for breaches that compromise their PII. In the absence of a statute that clearly defines liability, customers must rely on common-law claims like negligence.
Almost immediately after Target announced the first data breach, it was served with several class action lawsuits brought on behalf of affected customers. One case, Rothschild, et al, v. Target Corp., was filed by five individuals who made purchases using credit cards at Target stores in Utah in November or December 2013. They are alleging that Target was negligent in failing to safeguard their PII, and that it breached an implied contract not to disclose the PII to others.
Small business attorney Samuel C. Berger offers fixed-fee legal-service packages to New York and New Jersey entrepreneurs and businesses. We handle a variety of legal matters for our clients, including business formation, mergers and acquisitions, and contracts. To schedule a confidential consultation with a member of our legal team, please contact us today online or at (212) 380-8117.
More Blog Posts:
Dispute between Former New York Business Partners Highlights the Growing Importance of Typefaces, New York & New Jersey Business Lawyer Blog, May 12, 2014
Intellectual Property Rights and Monetary Value of Business Social Media Accounts, New York & New Jersey Business Lawyer Blog, March 27, 2014
Protecting Your New York Company’s Brand from Online Counterfeiters, New York & New Jersey Business Lawyer Blog, January 30, 2014
Photo credit: By Rama (Own work) [CC-BY-SA-2.0-fr], via Wikimedia Commons.