Last week, a Federal court affirmed the right of the US Federal Trade Commission (FTC) to sue companies who have suffered a data breach for failure to comply with federal regulations and appropriate practices.
This decision, which was not on the merits of the specific case, highlights how much a company that suffers a data breach has to worry about. First, they have to diagnose the breach and figure out the extent of their exposure. Then they have to make sure they have fixed the problem and that it won’t happen again.
One would hope that would be the end of it, but depending on the type of data breached the vulnerabilities and liabilities can be extremely serious. In some cases, they could threaten the very life of the organization. If employee or customer data is breached, or could have been breached, the firm has a legal obligation to let them know about the breach. In this litigious age, the response may be more than “thank you very much for telling us and I hope it doesn’t happen again.”
Individuals have limited resources to spend on legal challenges. They usually require a class action suit to be brought on their behalf to seek remedy in court. Class actions are usually brought only if the breach is large and significant enough to make it worth it for the lawyer, such as with the recent breaches at Target or Neiman-Marcus.
The FTC also chooses significant cases to take action against, but they don’t make the same financial calculations that plaintiff lawyers do. They bring cases that they can win on the merits, I trust. However, they also bring cases for the deterrence effect, that is, to send a message to the rest of the business community not to color outside the lines of Federal regulations. And nobody has deeper pockets to spend on legal action than the Feds. Even if you have a good case, it is tough to make it against Uncle Sam.
Every company should keep this in mind when they consider data security, its planning, implementation and maintenance. It is very much like what has been said about defending against terrorist attacks. We have to be right every time, but the bad guys only have to get through once.