1. Privacy Law Today - What’s at Stake? Part Two: Consumer Data Protection

    Earlier this year, Barnes & Noble discovered that PIN pad devices in 63 stores had been hacked by thieves seeking debit and credit card data. And the thieves were successful: according to store officials, the hackers used customer credit card data to make unauthorized purchases following the breach. 

    B&N isn’t the only company with this problem, however: many more are just waiting to be hacked, explains privacy law expert Lisa Sutton in the above video. That’s a view insurance attorney Scott Brown of Sedgwick Law shares: 

    “According to a recent study, incidences of data breach have nearly doubled over the last 12 months, as regulators, insurers and institutions struggle to respond to security risks and the proliferation of shared data storage (so-called ‘cloud computing’).  It can take a hacker or malicious computer virus minutes to gain access to stored data, leading to months or even years of costly remediation.” 

    And hackers are targeting more than retailers. Amy Malone and Cynthia Larose of law firm Mintz Levin explain: 

    “[T]he FBI released a fraud alert warning financial institutions that cyber criminals have been using tactics such as spam and phishing emails to obtain employee log-in credentials.  After obtaining the credentials the hackers initiated wire transfers overseas.  A few days after the alert, Bank of America, JPMorgan Chase and Wells Fargo suffered service outages that prevented access to their websites.”

    Hacking is but one of many ways that personal data can be compromised. Others include:

    1. Exposure of confidential information:

    “The [New York] Post reported that shredded files appearing to contain material from Long Island’s Nassau County Police Department were dropped during this year’s Thanksgiving Day parade. The confetti reportedly contains the names and social security numbers of detectives as well as other confidential information.” (BakerHostetler)

    2. Illegal collection and misuse of personal data:

    “The FTC announced … that analytics company Compete Inc. has settled charges that it violated federal law by using its web-tracking software to collect personal data without disclosing to consumers the extent of the information that it was collecting and that the company failed to honor promises it made to protect the personal data it collected.” (Loeb & Loeb)

    3. Failure to adequately protect consumer privacy:

    “The Federal Trade Commission’s recent lawsuit against Wyndham Worldwide may mark the beginning of FTC enforcement actions targeting franchise systems through allegations of customer data security vulnerabilities in franchisors’ technology platforms or the platforms maintained by their franchisees. This lawsuit is the latest in a string of more than 30 legal actions—all of which have resulted in settlements—intended to address allegedly misleading consumer privacy policies and inadequate data security policies and practices.” (Ballard Spahr)

    4. Old-school theft:

    “… in late 2009, someone entered AvMed’s Gainesville, Florida office and stole two laptops, both of which held AvMed customer’s PII—protected health information, social security numbers, and other contact information. Two customers—the named plaintiffs—became victims of identity theft ten and fourteen months after the laptop theft. They both alleged that they’d never before been identity theft victims and that they guarded their PII. In particular, bank and investment accounts were opened, credit cards activated, addresses changed, and purchases made.” (Bradley Arant Boult Cummings)

    5. Low-tech loss of data:

    “As many as 267,000 TD Bank customers from Maine to California were affected by the loss of two data backup tapes that contained personal information such as Social Security numbers and driver’s license numbers. In Maine, 34,907 residents were affected, according to a letter the bank sent to the attorney general… The loss of data affects bank customers in at least six states, and may include names, addresses, dates of birth and account numbers.” (Bernstein Shur)


    What’s Next?

    State and federal lawmakers (and maybe even the president himself) are doing their part, but laws requiring companies to report data breaches and beef up security measures are of little help to the individual whose identity has been stolen and credit rating destroyed. When that happens, regulators – and lawyers – have picked up the slack. Loeb & Loeb:

    “Both the Federal Trade Commission and private plaintiffs’ class action attorneys have filed actions against companies that experienced data breaches, claiming that the companies’ privacy policies misrepresented the adequacy of their security measures and that the defendants are liable for violating the terms of their own policies.”

    Is there hope for a more secure future? Perhaps: the cost of data breaches continues to climb, and that hits companies where they are most vulnerable: in their bottom line. From McNees Wallace & Nurick:  

    “A 2010 study found the average cost to a company of a data security breach is $7.2 million, or, an average of $214 per compromised customer record… In 2007, hackers stole the records of 45 million customers of the TJX Companies (owners of the T.J. Maxx retail chain). The company’s subsequent SEC filings disclosed more than $200 million in costs as a result of the breach; some industry analysts have estimated the company’s total losses (including harm to its brand) at more than $1 billion.”

    And ultimately, it may be consumers, more than lawmakers and regulators, who force companies to become better at protecting their information. Not by filing class-action lawsuits, as common as that is becoming, but by doing what consumers do best: voting with their feet. Privacy lawyer Ted Kobus: 

    “While complying with legal requirements is critical, companies cannot forget the impact these events have on employees, customers, the public, and regulators. Appropriately protecting the people affected by the incident will protect the brand and the company’s most valued relationships.” (Levick)  


    This post is part of a five-part series on privacy law, in which we take a look at how lawyers and law firms are both framing the questions and identifying the solutions regarding: 

