A recent court settlement shows just how expensive security issues can be for businesses.
Heartland Payment Systems, Inc., a credit and debit card transaction processor, revealed in 2009 that hackers had broken into its network and stolen data about 130 million cardholders.
The breach, organized by a U.S.-based gang of cyberhackers, was the largest of its kind and resulted in a flurry of false charges made on consumer cards.
Many of the hackers were caught and jailed, but when it came time to recover their losses, the affected individuals and banks set their sights on Heartland. Many lawsuits were filed, and these were consolidated into two class action suits (one for consumers and one for financial institutions).
The consumer class action has now been settled for a total of $4 million. That sum includes up to $10,000 for victims of identity theft resulting from the breach and up to $175 to each individual to cover out-of-pocket expenses related to canceling and replacing debit and credit cards.
Experts note that previous courts have dismissed lawsuits related to data breaches, so this settlement could be a sign that more businesses will be held liable if customer or employee data is stolen. Says a recent BusinessWeek article about the settlement:
“Typically, courts have tended to dismiss consumer class-action lawsuits in data breach cases involving payment card data. By that measure, Heartland’s settlement offer is unusual even though it might appear small considering the number of cards that were compromised.”
How can you help your business limit liability if sensitive data is ever stolen? The Better Business Bureau recommends taking the following steps:
- Create a breach notification policy
- Train employees to recognize breaches
- Talk to outside counsel
- If financial info was taken, notify appropriate financial institutions
- Tell law enforcement, and
- Notify affected customers and offer to pay for credit monitoring services to spot signs of ID theft.