There were 325 data breach incidents and 8,320,325 people exposed to data theft from the beginning of 2010 through late June, according to the Identity Theft Resource Center. This amounts to almost two breaches every day involving two of every 100 Americans. When thieves steal personal information, the victims look for someone to blame; the target is usually the person or company who had their data to start with. Businesses that suffer data breaches involving the possible theft of others’ information can expect to receive lawsuits. Legal actions taken so far have not produced sizable awards, but they have produced some guidance from the courts.
Some plaintiffs’ actions have failed because they could not prove that a data breach actually harmed them. A federal appellate court ruled that only one of three plaintiffs in a particular case had a cause of action against a company whose computer servers were stolen. That plaintiff had suffered an identity theft; the court ruled that it was possible that the server theft caused the identity theft. Because the other two plaintiffs could not show that the server theft harmed them, the court said that they had no cause of action. Likewise, a federal court ruling on an Indiana case said that a data breach alone was not what state law defines as a “compensable injury.” In both of these cases, plaintiffs sought recovery for the cost of credit monitoring services, but the courts ruled that these costs were not compensable damages.
Plaintiffs had no more success in a class action suit against supermarket chain Hannaford following a three-month data breach that exposed millions of credit card numbers and led to 2,000 incidents of fraud. Claiming that the chain had violated an implied contract to protect their data, the plaintiffs sought compensation and an injunction ordering Hannaford to disclose the breached data and to pay for credit monitoring services. However, the court ruled that Hannaford had no implied contract with its customers and owed no compensation to those affected customers who did not have fraudulent charges on their accounts. It also ruled that customers whose credit card issuers removed fraudulent charges from their accounts were not entitled to damages. Finally, the court denied the request for the injunction because the plaintiffs had closed the affected accounts.
Banks that reimbursed customers affected by a 2005 data breach involving TJX Corp. had more success in court. The company, which operates popular retail chains, suffered the theft of 45 million customer records from its systems. The banks removed fraudulent charges from their customers’ credit card accounts, then filed a class action suit against the company. TJX eventually settled for more than $40 million.
Although many business owners see these large-scale events as the problems of large corporations, any business that keeps records of confidential customer information, such as credit card numbers, has a serious exposure to this type of loss. Some insurance companies now offer Security Liability insurance to protect businesses against being held liable for harm resulting from a data breach. One company’s policy covers a business’ liability resulting from a failure and inability of its computer security system to prevent a computer attack or to minimize its effects. It covers only losses resulting when a source outside the organization causes a data breach.
Since virtually every organization keeps some customer information on its computer systems, every organization, regardless of size, should at least consider purchasing Security Liability insurance. Our professional insurance agents can suggest coverages appropriate for your specific exposures and identify insurance companies that can provide them at a reasonable cost. Businesses must do everything they can to protect customer data, but if things go wrong, the right insurance will help the business survive.