Is Your Small Business Ready to Defend Against a Data Breach?

The average total cost of a data breach in the U.S. has increased from $7.01 million to $7.35 million, according to the Ponemon Institute. The severe financial loss and potential reputational harm caused by a breach are overwhelming for an organization of any size, but especially for small businesses that may not have the resources to recover. In fact, one-third of small businesses in the U.S. need up to three years to recover from a data breach, according to the 2017 Shred-it Security Tracker survey conducted by Ipsos. For small businesses that often rely on word-of-mouth and reputation, this means multiple years of reduced business.

“Small business information security is at a pivotal point in time. Between evolving outsider and insider threats, as well as changes to state and federal regulations when it comes to disclosing breaches, small business leaders must take the time to remain vigilant about their information security needs,” says Kevin Pollack, Shred-it Senior Vice President. “As work ramps up in the fall, it is a prime opportunity for small businesses to engage with employees about security and review their physical and digital risk. Business leaders should also take the time to implement cost-effective preventative measures to protect confidential data.”

To help small business owners (SBOs) strengthen their information security protocols and mitigate the risk of fraud, Shred-it has identified five strategies for avoiding data breaches and reputational damage:

1. Hard Drive Destruction – With so much data being shared in every transaction, it’s no surprise that 80% of office computers contain sensitive corporate information. When disposing of devices, companies need a reliable process to secure the large amount of data those devices contain. Before old devices change hands, the best practice is to remove and securely destroy the hard drive so that the information is unrecoverable.

2. Employee Training – According to the 2017 Shred-it Security Tracker, 38% of SBOs never train employees on information security protocols. Yet training is one of the easiest ways to protect confidential data. When employees know what can and cannot be done when handling information, confidential paper documents and electronics are more secure. Regular employee training should be at the very core of every information security program, so that all employees are aware of the company’s information destruction procedures.

3. Legal Proficiency – It’s not just companies in highly regulated industries that need to know the ‘ins and outs’ of legal requirements around data protection. Organizations of all sizes must understand their responsibilities for data protection and ensure their practices remain compliant with new laws protecting personal information. Yet 33% of SBOs never audit their organization’s information security policies or procedures.[1] Small business leaders should consider holding meetings with new employees, as well as refreshers with all employees, multiple times a year. They should also frequently audit information security protocols to ensure they keep up with any changes in legislation.

4. Physical Paper Shredding – Despite the movement towards a paperless office, the reality is that many companies still use paper on a daily basis. To avoid the risk of a data breach, it is important that small organizations implement information security protocols that include a Shred-it All policy. According to the 2017 Shred-it Security Tracker, less than half (49%) of SBOs shred all documents, including non-confidential ones. Requiring all paper documents to be shredded removes any uncertainty about what must be destroyed, and it maintains environmental benefits because all shredded paper is recycled.

5. Storage Accountability – Document management is key to fighting fraud. One of the easiest – yet most overlooked – methods for managing documents is to use locked storage consoles to protect sensitive information that has yet to be shredded or destroyed. SBOs need a greater awareness of how to securely store employee and customer data, whether on paper or on a hard drive. Only 13% of SBOs use a locked console and a professional shredding service.[2] This is a shocking statistic considering that SBOs are more likely to suffer long-term consequences after a data breach. To thwart insider and outsider threats, SBOs should store all sensitive materials in a locked console or cabinet and limit access to the area.

For small businesses, the financial and reputational damage of a data breach can be insurmountable. Small businesses must understand their information security vulnerabilities and take a proactive approach to data management in order to protect their customers, their reputation and their people.

About Shred-it
Shred-it is a world-leading information security company providing information destruction services that ensure the security and integrity of our clients’ private information. Shred-it, a Stericycle solution, operates in 170 markets throughout 18 countries worldwide, servicing more than 400,000 global, national and local businesses. For more information, please visit www.shredit.com.

[1] 2017 Shred-it Information Security Tracker Survey: U.S.

[2] 2017 Shred-it Information Security Tracker Survey: U.S.

SOURCE Shred-it

Article source: http://www.prnewswire.com/news-releases/is-your-small-business-ready-to-defend-against-a-data-breach-640726543.html


The Morning Risk Report: Government Can Help Fill Data Breach Information Holes

The cyberinsurance market continues to grow, but issues remain in the collection and dissemination of incident data. Data collection remains scattered and that leaves insurers with only some of the information they need to more effectively write and price coverage. Jacob Olcott, a former U.S. Senate and House legal advisor and now a vice president […]

Article source: https://blogs.wsj.com/riskandcompliance/2017/08/16/the-morning-risk-report-government-can-help-fill-data-breach-information-holes/


Reflections following the UniCredit Data Breach

The Breach 

Last month, Italy’s largest bank, UniCredit, confirmed that it had suffered a security breach affecting approximately 400,000 of its customers. Whilst the breach was apparently only discovered by the bank last month, the first intrusion took place as early as September and October 2016, with a further, more recent attack in June and July of this year.

Whilst no unauthorised transactions are recorded as having taken place, and passwords were not affected, the attackers may have accessed customers’ personal details along with their International Bank Account Numbers (IBANs). In its press statement after the attack was discovered, UniCredit explained that the breach had occurred through unauthorised access via an unnamed third-party provider.

Real and immediate threat 

Unfortunately, the threat of a cyber-attack is becoming ever more varied, common and difficult to predict, as creative hackers think of new ways to penetrate organisations’ defences and often outdated IT systems. In the past year alone, we have seen a number of notable cyber-attacks, including both the WannaCry and Petya-related ransomware attacks, in addition to the UniCredit data breach. More recently, HBO (the US production company responsible for Game of Thrones) has reportedly received threats to release stolen, unaired episodes and cast members’ personal details if a Bitcoin ransom is not paid.

Gowling WLG’s online research of 999 large SMEs in the UK, France and Germany showed that only 65% of UK businesses see ransomware as a high risk to their business, compared to 82% of German and 77% of French businesses.

Companies and institutions can no longer afford to ignore the threat of cyber-attacks, for reputational and business continuity reasons as well as from a legal perspective. Given that the new General Data Protection Regulation (GDPR) extends the data protection regime from May 2018, the need to take action now is all the more acute.

Supply chain risks 

The Department for Culture, Media and Sport (DCMS) recently released the results of its Cyber security breaches survey 2017. One of the headlines from the survey of 1523 businesses was that 19% were worried about their suppliers’ cyber security, but only 13% had required suppliers to adhere to specific cyber security standards or good practice. Whilst we do not know the specific details, UniCredit mentions the involvement of a third-party provider in the recent attack it suffered. This highlights that organisations should bear in mind cyber security risks from outside the business as well as within it.

The results of the DCMS survey suggest that, generally speaking, much more can be done and all companies and institutions should review the arrangements they have in place.    

Wrongdoer unidentified   

One of the challenges for victims of hackers is that, compared with frauds and other wrongdoing, in cases of cybercrime it is not uncommon for the person responsible to remain unidentified, at least initially. It has been reported that UniCredit does not know who was behind the attacks, despite having undertaken, one would expect, an extensive investigation once the breaches were discovered. This serves as a reminder that the available options for seeking compensation in the event of a cyber-attack may be limited.

Even if the wrongdoer can be identified, they may well not have the assets to be worth pursuing. Claims may be possible against third-party providers if any are caught up in the incident, as may be the case with the UniCredit breach, but that will depend on the terms of any relevant contracts. Losses may be covered by insurance policies, but as the scale and potential impact of cyber-attacks increase, whether adequate cover will be available at affordable premiums remains to be seen. Depending on the policy wording, some losses may not be covered by insurance. In any case, there are uncertainties around the recoverability of fines under insurance policies, for public policy reasons.

Increased penalties under the GDPR 

Data controllers already risk potential claims from individuals in the event of a data breach, and the prospect of regulatory action, in the UK under the Data Protection Act 1998.

However, from May 2018 the GDPR will apply to processing of data carried out by organisations operating within the EU. It will also cover organisations outside the EU that offer goods or services to individuals in it. The Regulations will increase companies’ responsibilities and requirements to protect personal data and oblige them to notify the relevant supervisory authority, within strict timescales, of any breach likely to result in a risk to the rights and freedoms of individuals. Individuals may also need to be notified, depending on the likely risks from the breach. The Regulations will also impose tough penalties for failing to comply – depending on the breach of the Regulations, fines of up to four per cent of global annual turnover for the previous financial year or €20 million, whichever is higher, can be imposed.

Individuals who have suffered material and non-material damage as a result of an infringement of the Regulations will be entitled to compensation from the data controller or the data processor, and the controller and processor are jointly and severally liable. The ability to claim non-material damage means that individuals can pursue claims for distress, even where they have not suffered a financial loss. Controllers and processors who have infringed the Regulations, and also any processors that have breached the data controller’s lawful instructions, will only escape liability if they can show that they are not in any way responsible for the event giving rise to the damage.    

Given the new laws and potentially much heftier sanctions in the event of future data breaches, companies and institutions should already be planning and taking steps to ensure compliance. Those steps should include putting in place a breach team and training them to respond to incidents. Incident response plans should also be revisited and evaluated in response to any incident that arises, and revised appropriately where necessary.   

Helen Davenport, Director at Gowling WLG 

Image Credit: Balefire / Shutterstock

Article source: http://www.itproportal.com/features/reflections-following-the-unicredit-data-breach/


UK Retail Data Breach Incidents Double in a Year

The number of UK retailers experiencing data breaches has doubled over the past year, according to new stats shared by law firm RPC.

The City-based firm claimed that the number of breaches reported to data protection watchdog the Information Commissioner’s Office (ICO) increased from just 19 in 2015/16 to 38 in 2016/17.

Contrary to some headlines making the news, this doesn’t necessarily mean an uptick in malicious activity by third parties; breaches can commonly be caused by employee error, negligence or deliberate actions.

Nevertheless, the stats highlight a growing problem for the UK’s retailers, and the need for further investments in cybersecurity, according to RPC.

Partner Jeremy Drew argued that cost pressures, including business rates, minimum wage increases and the declining pound, can often take precedence.

“Retailers are a goldmine of personal data but their high-profile nature and sometimes aging complex systems make them a popular target for hackers,” he added.

“As the GDPR threatens a massive increase in fines for companies that fail to deal with data security, we do expect investment to increase both in stopping breaches occurring in the first place and ensuring that if they do happen they are found quickly and contained.”

David Kennerley, director of threat research at Webroot, argued that retailers need to focus both on their internal security and on ensuring customers stay safe online.

“Retailers need to keep PoS software up-to-date and deploy threat protection and detection on these devices, while not forgetting the importance of the physical security of PoS systems. Where possible, two-factor authentication should be used internally and by their customers. Online transactions should always require that the CVV number be entered by the customer for every transaction,” he said.

“Retailers need to make sure all data that they store and transmit is encrypted, access is only given to those within the organization that need it to perform their job and at the same time ensure any third-party entities are maintaining the same high standards.”

Sports Direct and Debenhams Flowers are just two well-known brands breached over the past year.

Article source: https://www.infosecurity-magazine.com/news/uk-retail-data-breach-incidents/


Your credit data is at risk as hackers seek to bully startups

MUMBAI: After infiltrating your bank account and email, the next big high for a rogue hacker is combing your credit history — data that capture your earnings, defaults, loans, and some of the well-kept financial secrets.

In early August, one of the credit score management companies in India, Creditseva, was alerted by a European cyber security firm that the credit histories of close to 40,000 borrowers stored on Creditseva’s server had been leaked. The overseas firm assured the company that, given a chance, it would fix the problem.

The hassled two-year-old Hyderabad-based company looked around for gaps in its systems, but did not find — or so it claims — any chinks, or any evidence that the confidential information had landed in the wrong hands.

But before the company could brush it off, a London-based blogger ran a piece about the breach and a large data loss. Soon some bankers and ethical hackers in India were whispering about it, despite the company’s denials.

When contacted, Creditseva chief executive officer Satya Vishnubhotla said, “There has been no data breach”.

He explained that the company had ordered an internal audit of all its databases after receiving the mail, and had even looked into the Amazon Cloud environment where its data is stored and found all folders secured.

Indian companies or banks, even those listed abroad, have rarely admitted they have been hacked. Nonetheless, another question, which hints at a different kind of threat, has cropped up: Besides actual attacks and real cyber threats, are Indian businesses exposed to bullying by shady security professionals who scare them — with the capability of even hacking into a system — to generate business?


In a blog post on a social media site, Steven Tong, managing director of Startup Bootcamp Asia, an investor in Creditseva, said: “Running a startup is hard but it gets harder when so called security ‘consultants’ contact you about engaging their services because they ‘found’ a security breach in your system and then ‘leak’ news of it to ‘journalists’ when you refuse to pay up and engage their services. This happened to one of our portfolio companies and it can happen to you too. Beware!”

It’s a message that startups may want to make a mental note of: while security is an important aspect of business in the fintech space, and there have been incidents of cyber heists, startups have to balance spending on security measures against expansion of the business.

“As a part of our continuous internal checking mechanisms over the last year, we have got ISO audit done, even had onboarded security specialists NII Consultants last year,” said Satya. “Post this incident, we are planning to get another security auditor to check our systems.”

The company had just raised $360,000 in April. The 10-member strong organisation has around 1 lakh customers who have used its services.

The dilemma for a company is to distinguish a hoax call from a genuine alert. Cyber attacks can take multiple forms, and malware can be stealthy. There have been incidents where cyber worms, after penetrating a company’s systems, lay dormant for six months before crawling from terminal to terminal to wreak havoc.

Most companies, particularly small businesses, may be clueless about the enormity of a problem or unable to assess the seriousness of a threat.

“Some companies are quick to act…after spotting a breach they work almost round the clock to plug it. Once the problem is resolved, they are free to assure clients and investors that there have been no attacks or leak. Only banks have to follow mandatory reporting of breaches to RBI. But such reports are never in public domain,” said a local security firm.

Article source: http://economictimes.indiatimes.com/small-biz/startups/your-credit-data-is-at-risk-as-hackers-seek-to-bully-startups/articleshow/60078101.cms

How A Potent Defense Can Stifle Data-Breach Lawsuits By Businesses

Consumers aren’t the only plaintiffs in data-breach litigation. Businesses sue, too.

When they do sue, businesses can be strong plaintiffs. This is because, unlike consumers, businesses usually can establish standing, since they’re more likely to have suffered direct financial losses that can be readily identified.

This doesn’t mean, however, that a data-breach business plaintiff can waltz untouched through the Rule 12(b)(6) stage.

Instead, a business plaintiff must overcome a different defense: the economic-loss rule.  That rule prevents plaintiffs who suffer economic losses stemming from a contract from trying to recover those losses through non-contract claims. 

A recent decision from a federal court in Colorado involving one of my kids’ favorite mac-and-cheese spots shows how the economic-loss rule can apply when one business sues another over a data breach. This post studies that decision.

A Cyberattack Compromises Diners’ Payment Card Data

SELCO Community Credit Union v Noodles Company concerns a cyberattack on the Noodles Company restaurant chain that compromised customers’ credit and debit card information. The plaintiffs were not consumers, but instead credit unions whose cardholders dined at Noodles and whose information was compromised. They sued Noodles for failing to prevent the breach. 

According to the credit unions, Noodles breached a common-law duty to protect its customers’ payment card information by failing to implement industry-standard data-security measures. The credit unions alleged that this breach caused them damages, including the costs to cancel and reissue affected cards and to refund cardholders for unauthorized charges.

The credit unions brought tort claims—all based on theories of negligence—against Noodles. Noodles filed a motion to dismiss based on the economic-loss rule, pointing to agreements that it and the plaintiffs had entered into as participants in the payment-card-processing ecosystem.

The Payment Card Ecosystem: A Chain of Interrelated Contracts

The court provided the following diagram to explain this ecosystem:

[Diagram: the payment-card ecosystem]

In its motion, Noodles observed that each actor in this ecosystem signed an agreement with at least one other actor in which it agreed to follow rules issued by the bank-card associations. Importantly, the agreements required merchants to maintain a certain level of security for payment-card data—including compliance with a set of detailed best practices for data security in the payment-card industry called the Payment Card Industry Data Security Standard (PCI DSS).

Noodles argued that these agreements also allocated the parties’ rights and responsibilities in the event of a cyberattack. More specifically, the agreements called for the credit unions to guarantee cardholders zero liability for fraudulent transactions. The credit unions, in turn, could partially recover their losses through a loss-shifting scheme managed by the bank-card associations.

According to Noodles, this arrangement reflected “a series of determinations by several sophisticated commercial entities about how the risk of fraudulent transactions should be allocated in the payment card networks.” Noodles accused the credit unions of trying to re-allocate that risk—and violating the economic-loss rule—by bringing tort claims.

An Independent Duty?

The credit unions had two main arguments in response.

First, they argued that Noodles owed them a common-law duty to secure payment-card data and to prevent foreseeable harm to cardholders. This duty, they urged, was separate and distinct from any contract-based duty to comply with PCI DSS. The credit unions made this argument to try to shoehorn their claims into what’s known as the “independent duty” exception to the economic-loss rule.

Second, the credit unions argued that the economic-loss rule should not apply because the credit unions had no contract with Noodles. Thus, the credit unions argued, they never had the chance to “reliably allocate risks and costs” with Noodles.

The Court’s Decision

The court, like my children, sided with Noodles.

On the independent-duty argument, the court concluded that each duty that Noodles allegedly breached was bound up in the agreements to comply with the bank-card association rules and PCI DSS. Even if Noodles might also have had a common-law duty to protect payment-card data from a cyberattack, that duty could not be considered “independent of a contract that memorialize[d] it.”

The fact that the credit unions never contracted directly with Noodles had no analytical impact. In the court’s view, the economic-loss rule does not mandate a one-to-one contract relationship. Instead, the court reasoned, the rule asks whether a plaintiff had “the opportunity to bargain and define their rights and remedies, or to decline to enter into the contractual relationship.” The credit unions had that chance here.

Lessons for Litigants

SELCO confirms that the economic-loss rule can provide a powerful shield against attempts—including and especially by businesses—to make end-runs around negotiated limitations and allocations of liability for cyberattacks.

Defendants, however, must be ready to show that the contract on which they rely imposes relevant data-security obligations. Doing so requires that the obligations be clearly defined—well before litigation arises—in any contracts that involve the receipt or handling of sensitive information.

Clearly defining data-security obligations in contracts is already a recognized best practice for information-security risk management.  But as SELCO demonstrates, this type of clarity can also lay the groundwork for deploying the economic-loss rule against lawsuits arising from a successful cyberattack. 

Article source: http://www.jdsupra.com/legalnews/how-a-potent-defense-can-stifle-data-97441/