When is a company on the hook after employee or customer data is stolen? Some recent court decisions offer some answers.
The most recent case involved the theft of 4.2 million debit and credit card numbers, PINs and other info from a grocery store chain’s computer network.
Thieves broke into the network of the Maine-based Hannaford Brothers Co. and stole the data over a four-month period before the company discovered the threat and notified customers and financial institutions.
Some customers noticed fraudulent charges to their accounts, but all of those charges were reversed by their banks.
However, a group of customers in six different states sued Hannaford Bros., claiming the company was responsible for putting them at an increased risk of identity theft. Also, they said the company should pay damages for the time and effort spent clearing up fraudulent charges.
Who won the case?
The court decided in favor of Hannaford, ruling that the customers hadn’t suffered any actual damages, since they weren’t forced to pay the charges criminals made to their accounts.
And, in line with decisions made by other courts, the judge ruled victims must have suffered actual financial damage — rather than just an increase in risk or inconvenience — to sue after their information is stolen (Court cite: In re Hannaford Brothers Co. Customer Data Security Breach Litigation, Maine Supreme Judicial Court, No. Fed-09-586. Sept. 21, 2010).
Of course, the best way for companies to avoid liability is to prevent breaches in the first place. Since that’s never 100% possible, it’s important to know how to respond when a breach does occur. The actions a company takes after a breach can have a big impact on what happens with the data — and how a court views the situation.
Some response steps recommended by the Better Business Bureau:
- Create a breach notification policy
- Train employees to recognize breaches
- Gather the facts immediately after a breach
- If financial info was taken, notify appropriate financial institutions
- Talk to outside counsel
- Notify affected employees and/or customers, and
- Consider offering to pay for credit monitoring services and other corrective measures.