- Cyber Crime: Liability and Prevention in Retail and Hospitality
- November 16, 2017 | Author: Stephanie Solomon
- Law Firm: Burns White LLC - Pittsburgh Office
In 2013, an employee at a heating and cooling business in Sharpsburg, Pennsylvania, opened a seemingly innocuous email. With that one click, hackers gained access to the credit card information of more than 70 million people, and Target, the second largest discount retailer in the United States, suffered a massive security breach. Masked men did not storm a store or warehouse to heist inventory. The culprit of the breach was more likely in pajamas than a mask, and over a three-week period—during the busy holiday rush—personal shopper information was stolen from the retailer.
Target immediately faced scrutiny from the press and consumers, but this public relations nightmare was not the company’s only problem. The retailer was soon faced with more than 100 lawsuits. Target settled a suit with the banks affected by the breach for $39.4 million. More worrisome for the company was a massive class action suit brought in the Eighth Circuit. Target originally intended to settle that case for $10 million, but in February, the Eighth Circuit Court of Appeals reversed the settlement, due to the objections of two customers, and remanded the case to the lower court. There is no telling what Target’s damages now could be.
Retailers are not the only entities in danger of suffering such a breach. InterContinental Hotels Group, owner of the Holiday Inn brand, had credit card information stolen at 12 of its hotels from August to December of 2016. Not even the president is immune from cyber criminals; in 2015, Trump Hotels learned that its credit card machines had been compromised by thieves. The hotel chain was fined $50,000 by the New York Attorney General for not informing customers of the breach in a timely manner. The lesson learned: quality cyber security can be costly, but the lack of a solid security system with a corresponding, trusted plan could hurt a company much more.
So what is a company’s liability if hackers steal customer information? This is a question that courts and legislatures around the United States are trying to resolve. California leads the country in cyber-security legislation. In 2002, the California state legislature enacted a law that mandated that any company that held unencrypted personal information, such as residents’ credit card numbers, must publicly report when a cyber-security breach occurs. This law, which amended California Civil Code sections 1798.29, 1798.82, and 1798.84, was the first security-breach notification law in the world.
Today, 47 states have enacted a version of mandatory reporting requirements for a business faced with a customer-information database breach. Congress has yet to enact federal legislation to regulate security breaches. However, the federal government still has had a hand in policing companies. The Federal Trade Commission (FTC) established its authority to bring suit against a company that fails to maintain proper cyber security in FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).
In Wyndham, the Third Circuit ruled that Wyndham’s lack of proper security, and its practices in relation to customer information, were the type of “unfair” business practices that the FTC was created to protect against. Id. Wyndham and the FTC settled the case. Under the terms of the settlement, Wyndham must now “establish a comprehensive information security program designed to protect cardholder data—including payment card numbers, names, and expiration dates. In addition, the company is required to conduct annual information security audits, and maintain safeguards in connection to its franchisees’ servers.” See Wyndham Settles FTC Charges It Unfairly Placed Consumers’ Payment Card Information at Risk, FTC, Dec. 9, 2015.
The FTC and mandatory reporting statutes are not the only cause for concern when it comes to cyber-security breaches. Consumers who have had their data stolen have filed suits for everything from negligence to breach of contract to invasion of privacy. Most courts have dismissed tort claims because most stolen consumer information is never used by the thieves. Therefore, plaintiffs have a difficult time proving standing, due to the lack of injury in fact. See Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011) (where the court held, “Allegations of hypothetical, future injury are insufficient to establish standing”).
Companies that suffer a breach also have to be worried about internal suits. When Target was breached, the company’s stock fell by more than 10 percent. That drop led to several suits by shareholders against Target’s board of directors, the company’s CEO, CFO, and CIO. Those suits alleged that the board and the company’s management were negligent by implementing ineffective cyber-security policies, leading to the hack, and the subsequent drop in stock price, which resulted in damages to the shareholders. Luckily for the board and the officers, a Minnesota judge dismissed all shareholder suits after the company’s independent, special litigation committee presented a 91-page report that concluded that it would not be in Target’s best interest to pursue the actions. By this point, the data breach had already cost the company $220 million.
No matter how big or small, any business that maintains customer information electronically should have a cyber-security plan. These plans should first ensure that a proven, company-wide security system, respected within the industry, is implemented or updated. While solid security is a must-have, no defense is 100 percent effective in this battle. Therefore, every business should, in conjunction with its legal team, have an established data-breach response plan that provides an operational process in case of a breach. The plan should include:
- A template of a notification letter that can be sent to parties whose information was stolen,
- A timeline of when to notify the proper authorities, the shareholders, the board of directors, and other key stakeholders in the company, and
- A company-wide policy on how to preserve evidence and mend the breach.