Hannaford gets hit with lawsuits. How ready are you for one?
- TAGS:data breach, Hannaford, lawsuit
- IT TOPICS:Security
For a long time now, legal analysts have been warning about IT security being destined for the courtroom. For an equally long time, security analysts have been talking about how it is much cheaper for companies to protect against a breach than it is to pay for the cleanup after one happens.
Those still in need of convincing on either score just need to take a look at today's news about two lawsuits being filed against Hannaford Bros. in connection with the data breach that the supermarket chain announced on Monday. Both basically accuse the company of breach of contract and negligence in its duty to protect consumer data.
Those lawsuits were super-fast in coming, but certainly not unexpected. If recent trends are any indication, Hannaford can expect to see more of them from consumers and from the financial institutions hurt by the compromise before this thing settles down.
For companies, there are at least three takeaways from this trend, according to industry analysts.
* The cost of a breach is almost always going to be more than whatever investments it might take to protect against it in the first place. That difference is only going to get a whole lot bigger in the foreseeable future as more lawyers start figuring out there's money to be made in these lawsuits. And it's not just consumers that are doing the suing but banks as well. Just ask TJX. Since its infamous January 2007 breach disclosure, the retailer thus far has had to shell out or set aside close to $250 million in breach-related costs, including those associated with settling class-action lawsuits. A tiny fraction of that money is most likely all it would have taken the company to fix the wireless security weakness that led to the compromise in the first place.
* A breach can happen to any company, but those that can demonstrate that they applied due diligence with their security controls are likely to be able to defend themselves better in the event of a compromise. One example: California's SB 1386 breach disclosure law offers a safe harbor for companies that have encrypted their sensitive data. Credit card companies have required retailers to implement the Payment Card Industry (PCI) Data Security Standard for some time now. It's not clear yet whether Hannaford was compliant with all of those requirements at the time it was breached. But if it was, the company could say the breach happened despite its best efforts. Lawyers are probably going to interpret that in a thousand different ways, but at least Hannaford would have a better story to tell than if it turns out the breach happened because of negligence.
* Prompt disclosure is a good thing. Almost all of the state breach disclosure laws that are in effect today require breached entities to notify affected consumers as soon as reasonably possible. Consumers also expect a company they do business with not to knowingly withhold information that could end up harming them. In Hannaford's case, the company first learned of suspicious card activity on Feb. 27 but waited until this Monday to disclose the breach. It's a delay that both of the lawsuits filed this week are questioning. So far, the breach has resulted in about 1,800 cases of alleged card fraud. If it turns out that a lot more people were victimized, the delay in notification could become more important.