by Devin J. Chwastyk
When people think about data breaches, corporate giants like Target, Home Depot and Michael’s spring to mind. But even small businesses holding personal information can face costly consequences if a breach occurs.
In the past, cases only proceeded in the courts if plaintiffs could show actual harm (such as money stolen by identity thieves) – the mere exposure of personal information was not enough to file a lawsuit.
But, after the 2013 Target breach, a Minnesota federal judge accepted the plaintiffs’ claims of potential future harm and allowed a class-action suit to move forward. Target promptly offered $10 million to reimburse consumers for any harm they could eventually show – but that amount was rejected by the plaintiffs, and Target could be on the hook for substantially more.
Whether the Minnesota ruling is a harbinger of other courts allowing these claims to proceed is an open question, but it underscores the importance of doing everything possible to prevent data breaches.
Small businesses must also be careful to satisfy data protection laws of any state where they do business. Many people are surprised to learn that Pennsylvania and most other states, except Massachusetts and California, don’t already require that businesses protect personal information.
However, Pennsylvania does require any business that suffers a breach of personal information to notify all affected state residents and provide phone numbers of credit reporting agencies.
Any business that accepts credit card payments must also comply with the Payment Card Industry Data Security Standards, which require regular system updates and data-breach response policies. Failure to comply could lead to a business facing fines, higher transaction fees and even losing the ability to accept credit cards – what I call a “death penalty” in today’s commercial environment.
And Congress is now considering the Data Security and Breach Notification Act of 2015, which would authorize the Federal Trade Commission to enact guidelines requiring that businesses adopt “reasonable” measures to protect personal information and mandate the reporting of any breaches.
In general, personally identifiable information is defined as an individual’s first name or initial and last name, plus one or more of these elements:
No matter the size of your business, I recommend three basic steps:
The bottom line is that most businesses, no matter their size, hold personal information and need to guard against data breaches – or run the risk of expensive consequences.
Keep in mind that in a settlement, if several thousand people want even just a few dollars apiece, the out-of-pocket cost quickly adds up.
Read other articles at the McNees Wallace & Nurick website.