US news: Breach of Information in the cloud-it is raining suits.
By Martín Francisco Elizalde*
Give me back my photos- and my bank number account.
As worldwide news relentlessly showed, personal information stored online is increasingly being targeted by cyber-hackers. Inevitably, reliance on information technology exposes companies to numerous risks, and all firms are vulnerable to the threat of cybercrime. In recent years, sophisticated targeted attacks such as spear fishing, social engineering and advanced persistent threats, have become more widespread and far more dangerous.
Everybody is climbing that trendy, rather lawless, stairs.
In a market heavily lined towards cloud computing services, a huge amount of data is being handled online, always off office, usually in foreign jurisdictions. Even though is generally assumed that the majority of security breaches are committed by company outsiders, they are committed by insiders as well.
The legal framework, in both Federal and State levels, are becoming more astringent, and customer awareness is growing fast, probably thanks to the high profile that many victims held. However, many corporate lawyers still do not get the threat or its severity. Worse, they do not link the subject, with both board members and management liability.
Two thunders out of a blue sky.
Moreover, the subject is not merely academic, nor hypothetical. It does arose legal issues related to officers’ and shareholders’ liabilities. The possibility of a shareholder-action, alleging that the company’s board breached their fiduciaries duties by failing to take sufficient steps to protect the company from a breach, is real.
In fact, two recent suits in USA, point that when a company gets hit by a major data breach, the business, its leaders and its board members, should be prepared for directors and officers liability related litigation that is certain to follow. It is not a brave new world, is plain reality.
The actions were filed against two well-known corporations: Minneapolis-based Target Corp. and Parsippany, a New Jersey-based Wyndham Worldwide Corp. The heralded what is likely to happen from now on when a major breach occurs- an issue that has increased worries among other businesses.
In the case of Target, which suffered a massive data breach, shareholder plaintiffs have now filed at least two shareholder derivative suits against the company’s directors and officers, as well as against the company itself as nominal defendant. The complaints allege that the company “failed to take reasonable steps to maintain its customers’ personal and financial information,” and specifically with respect to the possibility of a data breach that the defendants failed “to implement any internal controls at Target designed to detect and prevent such a data breach.”
Both complaints emphasize not only the failure to take steps to prevent a breach, but also allege that the defendants, according to Kevin la Croix in his quoted article, “aggravated the damage to customers by failing to provide prompt and adequate notice to customers and by releasing numerous statements meant to create a false sense of security to affected customers.”. Data breach, “would have to cause enough of a loss, or potential loss, to a company to truly affect the bottom line, and that's what you had in Target,” said Joseph P. Monteleone, a partner at Rivkin Radler L.L.P. in Hackensack, New Jersey.
It will be a long, long day.
As evidence suggests, data security breach is, and will continue to be, an issue for firms of all types and sizes. Besides, incidents of data breach tend to be under-reported, suggesting that actual numbers might even be higher.
Thus, if a company has sensitive data – either confidential corporate data or personally identifiable data – it needs to face the fact that it is not a matter of if a data breach occurs but when. Whether data is breached by a malicious person, lost or stolen mobile computing devices, or just good old fashioned employee mistakes, for most companies a data breach is inevitable. And, I may add, it may be a matter to entire indifference to plaintiffs.
In conclusion, as complete prevention of data breach is almost impossible, a proliferation of data breach lawsuits in the coming years is foreseeable. The gauntlet is thrown, let the new generation of tech -trained lawyers do the control damage.
*Partner at Foresenics Argentina
Data Breach and corporate liability (http://cblr.columbia.edu/archives/12873)
Cyber security January 2014 , ROUNDTABLE | RISK MANAGEMENT. Financier Worldwide Magazine
Target Directors and Officers Hit with Derivative Suits Based on Data Breach. By Kevin LaCroix on February 3, 2014
“Data breaches bring litigation related to directors and officers liability”. http://www.businessinsurance.com/article/20140608/NEWS07/306089968, by Judy Greenwald
http://www.financierworldwide.com/roundtable-cyber-security#.VDxDgPldWSo, by Betty Shepherd.