Quick glance: data breach litigation & legislation in 2012

Published: January 10, 2012 by bkrenek

It was only a matter of time before a flood of class action lawsuits began to wash over breached companies. In general, these suits allege that a company: 1) did not adequately protect the sensitive data entrusted to it and 2) did not notify consumers of the breach in a timely enough manner. In 2011, after one of the biggest breaches of the year went public, it took just one day for the first class action lawsuit to be lodged.

The avalanche of recent breaches has been worrisome for consumers, causing lawyers, as well as lawmakers, to take note. Moving into 2012, businesses will want to carefully watch the changing landscape of litigation and legislation.

Two recently submitted bills would require companies to inform affected customers, the Federal Trade Commission and law authorities of a data loss within 48 hours of completing a breach assessment.

No matter the outcome of these bills, companies that delay making their breaches public will continue to face the consequences. In 2011, a large financial institution found itself in hot water after waiting weeks to notify customers of a breach. The controversial delay prompted a leading industry group representing the country’s largest financial institutions to testify before Congress. The testimony suggested that banks should immediately notify federal officials and affected customers of a breach.

While the outcome of recent litigation remains to be seen, many lawyers expect these suits to inevitably increase in size – and rewards. To date, Internet privacy-related lawsuits have yet to yield the hefty settlements of securities fraud cases. Still, with the escalating breadth of data breaches, higher-profile law firms, ones known for mounting successful securities fraud litigation on behalf of shareholders, are getting involved.

The challenge for plaintiffs’ lawyers in security breach cases is not in proving liability but in establishing damages. Judges must determine whether the compromise of personal data represents a loss of value or if there should be additional proof of tangible harm.

With the recent spate of data breaches and accompanying class action lawsuits, businesses have constant reminders that an ounce of prevention is worth a pound of cure. The best way to protect your business against the high costs of data breaches is to ensure your security practices and fraud resolution plans are strongly built to ward off malicious attacks and the complications that follow.