BreachExchange mailing list archives

Food Industry Continues to Face Data Privacy and Security Risk


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 16 Mar 2015 19:08:21 -0600

http://www.jdsupra.com/legalnews/food-industry-continues-to-face-data-pri-66163/

In 2014, grocers and restaurants continued to be plagued by attacks leading
to the theft of credit card information. Among others, Supervalu Inc. and
Jimmy John’s both experienced intrusions in 2014, extending the string of
intrusions and breaches in recent years that have hit stores and
restaurants in the food and beverage industry.

- On August 14, 2014, Supervalu experienced an intrusion into the portion
of its network that processes credit card data. This breach hit as many as
1,000 stores, including many no longer owned by Supervalu but for which
Supervalu was still providing IT services. While investigating that breach,
Supervalu identified a separate and unrelated incident that occurred weeks
later, where malware had been installed in the portion of its network that
processes credit card data.
- Jimmy John’s experienced a credit card data breach that lasted from June
16 to September 5. The hacker may have gained access to Jimmy John’s point
of sale systems using login credentials stolen from the company’s point of
sale vendor. This breach affected 216 stores.

2014 also saw developments in stores’ and restaurants’ liability for credit
card data breaches. One of the most active areas involves whether those
stores and restaurants hit by data breaches are liable to transactions
processors and financial institutions for costs such as issuing new credit
cards. Here, the news has been mixed for stores and restaurants.

- On one hand, a court interpreted a contractual limit of liability to
narrow a grocer’s liability for a data breach. Schnuck Markets had claims
asserted against it by its transactions processing vendors for costs
associated with replacing credit cards and other expenses, which costs and
expenses had been assessed against the transactions processors by Visa and
Mastercard. In denying the claim by the transactions processors, the court
entered into a detailed analysis of the limitation of liability in the
agreement between the processors and Schnuck Markets and found that the
limitation of liability excluded these categories of damages. This case
underscores that, while negotiating a protective contract takes time and
effort up front, it can substantially limit a company’s exposure when a
problem arises. (Schnuck Markets Inc. v. First Data Merchant Svcs. Corp.,
2015 BL 9927, E.D. Mo., 13-cv-02226, 1/15/15)
- On the other hand, in litigation resulting from the Target data breach, a
federal judge denied Target’s motion to dismiss claims asserted against it
by the financial institutions of customers affected by the breach. These
banks – which estimate that the total harm to them and retailers may
eventually exceed $18 billion – asserted that Target was negligent in
failing to take steps to avoid the data breach. The court found that the
harm alleged by the banks was sufficiently foreseeable for it to deny
Target’s motion to dismiss the negligence claims alleged by the banks. A
key distinction from the Schnuck Markets case is that here there was no
direct contractual relationship between the store and the financial
institutions, so no limitation of liability was in play. In any event, both
the Target case and the Schnuck Markets case are useful reminders that
consumer litigation is just one risk arising from a data breach. (In re
Target Corp. Customer Data Security Breach Litigation, MDL No. 14-2522,
2014 WL 6775314 (D. Minn. Dec. 2, 2014))
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
