Be Proactive in Cyber Security or Pay a Hefty Price
High-profile data security breaches like those at Target and Home Depot drive home the need for businesses to take active responsibility for shielding customer information – and so do the resulting lawsuits.
“Companies can’t afford to stick their heads in the sand where cyber security is concerned. The potential cost to them for doing so is simply too high,” says Paul O. Lopez, an attorney and director with Fort Lauderdale-based Tripp Scott who chairs the firm’s litigation department and who has handled a large number of cases involving compromised data and issues pertaining to the storage of financial information. Together with attorneys Catalina M. Avalos, Megan L. Janes and Ryan Lehrer, Lopez also works with businesses that want to make sure their systems and procedures are in compliance with what the government considers to be best practices.
Lopez says that internal and external breaches of data security have cost companies millions of dollars, as both federal and state governments hold them responsible for protecting the information. Violations of laws like the Computer Fraud and Abuse Act and the Stored Communications Act come into play when those whose information is compromised file suit – individually and in class actions – against companies with data breaches. Lopez expects the government oversight of data breach issues to increase as Congress is currently considering more legislation that addresses the need for best practices in data security.
To be less vulnerable to hacker attacks and the potential data breach activities of rogue employees, companies need to create secure networks for information, the Tripp Scott attorneys advise. To guard against internal threats, businesses need to employ competent IT staff to supervise cyber security, make sure that employees sign confidentiality agreements and update their passwords frequently. To shore up company network security against external cyber attacks, update firewalls and make certain that data is well encrypted, which makes it more difficult to penetrate.
“If your firewalls are from three or five years ago, they would likely be considered obsolete according to industry standards. So if information is compromised, your company could be held responsible for not having taken the necessary steps to protect customer information,” Lopez says. “You should review your protective technology every 12 to 24 months to be certain it is considered current, and make the investment in new technology for this purpose if at all possible. Factor it into your budget.”
The penalties for companies the government considers to be lax with regard to cyber security are substantial, he notes. While many cases brought by injured parties are settled at a heavy price, some go to jury trial and result in even higher corporate costs. Class action claims for data breaches due to insufficient security can amount to tens of millions of dollars, Lopez says, and penalties can be criminal as well as civil. States differ with regard to security standard benchmarks, so it is important to know the most current standards where a company is operating, as well as the federal position on the issues.
Many of the breaches Lopez has seen involve former employees’ theft of customer information for use either in their employment with a competitor or in their own businesses.
“We work side by side with forensic IT experts to quickly understand how the information was stolen and transmitted,” Lopez says. “From there, we can map out a strategy to deal with it. However, we hope more often to help companies in their proactive efforts that will help avoid security breaches and damages.”