BreachExchange mailing list archives

Lawsuits spin out of data breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 23 Jun 2015 19:29:38 -0600

http://gazette.com/money-the-law-lawsuits-spin-out-of-data-breaches/article/1554268

Helping to demonstrate that every cloud has a silver lining if you look
hard enough, hacking has proven to be of great benefit to the legal
profession. That's because every major hacking event has resulted in a
flurry of litigation.

For example:

- Sony Pictures Entertainment is being sued in a class-action lawsuit
initiated by nine former employees who claim the company failed to take
adequate safeguards to protect personal information.

- Shortly after the Anthem data breach this year, the company was sued in
several lawsuits alleging the company did not take adequate measures to
secure its data.

- Target, in the aftermath of the massive breach it suffered in late 2013,
has agreed to pay $10 million in damages to settle a class-action lawsuit
brought on behalf of individuals whose personal information was compromised.

But that's not all. There is also a widespread finger-pointing exercise
going on involving merchants who accept credit card payments, banks where
merchants deposit their credit card payments, banks that issue credit
cards, and credit card payment system companies such as MasterCard and Visa.

The reason is, when a data breach involving credit card information occurs,
federal law protects card holders from liability for unauthorized
transactions. Losses, therefore, initially fall on credit card issuers,
which are, for the most part, banks.

There are then complex contractual arrangements that give credit card
issuers the right to go back against banks where merchants deposit their
credit card payments - and give those banks the right to go back against
the merchants. Under these contracts, however, merchants are supposed to be
protected against losses from unauthorized transactions as long as they
follow customer verification procedures imposed on them by the contracts
and otherwise adhere to something called "payment card industry data
security standards."

As an example of how this finger-pointing plays out in the legal arena,
MasterCard and Target reached an agreement in March whereby Target would
pay $19 million to MasterCard to settle contractual claims arising out of
the Target hack. However, three of the largest banks that issue credit
cards - Citigroup, Capital One Financial and JPMorgan Chase - vetoed the
settlement, saying $19 million wasn't nearly enough to compensate them for
the hit they took in the aftermath of the Target data breach.

In another credit card industry-related lawsuit, Genesco - a large shoe,
hat and sports apparel retailer - has sued Visa, claiming the contractual
arrangements by which credit card-issuing banks can take money out of bank
accounts where merchants deposit their credit card payments are illegal. In
Genesco's case, it saw $13.3 million suddenly disappear from its accounts
at Wells Fargo and Fifth Third Financial for what Visa called a "fine"
before any determination was made of Genesco's rights and obligations under
the contracts governing its participation in the Visa system.

If all of that isn't enough, the Federal Trade Commission has declared
itself to be the chief regulator of cybersecurity in this country.

Relying on vague language in the Federal Trade Commission Act (which goes
back to a time when people still used smoke signals to communicate), the
FTC has, over the past 13 years, brought administrative enforcement actions
against more than 50 companies, alleging their lack of adequate data
security systems constitutes an unfair or deceptive trade practice. These
actions are intended to send a message to all other data collecting
companies that they'd better clean up their act - or see you in court.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/