The Breach: Another Gift that Keeps Giving
New breaches affecting businesses continue to be published with regularity. The majority of the coverage has focused on breaches at large organizations. The Target, OPM, and IRS breaches, among others, are recent and well known. What these have in common is the size of the target. The press releases and stories regarding breaches have focused narrowly on the large ones that have incensed a large number of people.
A byproduct of this is the eventual lawsuit. Although the targets above are massive corporations, small- and medium-sized businesses may also be sued based on a breach. This is a valid cause of action in the US and abroad. In the UK, entities with data breaches of personally identifiable information (PII) may receive a fine or be prosecuted by the Information Commissioner’s Office. The statute relied on there is the Data Protection Act. The affected consumers may also sue under this statute. The EU also has similar statutes.
The fines and damages from a suit vary greatly, depending on the specific circumstances and facts. Bearing this in mind, the mere fact that a lawsuit has been filed does not necessarily equate to a large, retirement-inducing settlement. A case in point involved Schnuck Markets, Inc. The Community Bank of Trenton, University of Illinois Employees Credit Union, First Federal Savings Bank of Champaign-Urbana, and Southpointe Credit Union filed a suit with 13 counts in the District Court of the Southern District of Illinois. All 13 counts were dismissed. The suit was unusual in that it was brought by the financial institutions for their own losses, and not by the consumers.
The case was dismissed not necessarily on the merits per se, but more because the plaintiffs’ attorney did not sufficiently plead the cause of action. Although there may have been a breach, and a party should be held responsible for its lack of focus on cybersecurity, the suit still has to be presented adequately, and there may not be a massive settlement.
About the Author: Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.