In the Wake of Home Depot’s Data Breach: Five Tips to Protect Against Corporate Hacker Liability

September 2014

Shielding a company's and its customers' data from unwanted attack is becoming a critical part of corporate infrastructure response planning and prevention protocols. But sophisticated data thieves seem to be a step ahead as evidenced by last week's startling news that hackers had broken into Home Depot's payment-card processing systems and stolen, according to some experts, more than 40 million payment cards. Electronic data breaches at the corporate level that actually or potentially compromise customers' private personal information can have enormous repercussions – costly regulatory reporting and notice obligations, class action lawsuits, public relations nightmares and, more recently, FTC enforcement actions and even shareholder derivative suits. Already, a lawsuit has been filed against Home Depot in Chicago federal court by an affected consumer, two senators are pushing for a federal government investigation and five states have commenced their own investigations as repercussions from the unprecedented Home Depot attack continue to mushroom.

In April 2014, a federal district court judge in New Jersey allowed the FTC, in a case of first impression, to pursue an action it had filed against Wyndham Hotels for its alleged failure to take reasonable efforts to protect consumer information that had resulted in hackers stealing data on more than 619,000 consumer credit card accounts over a two year period. And Wyndham was hit earlier this year with a novel shareholder derivative suit arising out of the same incidents.

In addition to civil lawsuits and class actions, 47 states (excluding only Alabama, New Mexico and South Dakota) currently have data breach notification and reporting laws, which can impose significant burdens and costs on an affected company. The impact of negative publicity and extensive fallout litigation can have devastating effects on a company's financial performance. The good news is that a recent Supreme Court case has bolstered the ability for companies to seek a class action dismissal. Clapper v. Amnesty International USA, has led some courts to dismiss data breach class actions for lack of standing (i.e., no actual injury) if claims are based only on a potential compromise of private data.

In this day and age, while no company's data is ever 100% secure from a hacker's attack or misuse by rogue employees, being proactive and having a good defense team ready on board can help alleviate the worst fallout.

Five Tips to Protect Against Hacker Liability

All businesses, small or large, that obtain and store personal customer data should:

1. Conduct an audit of their data security and rapid response protocols
2. Update firewalls and adopt strong encryption for sensitive personal data
3. Ensure that protocols are in place so that only authorized and trusted employees can access such data
4. Consider adding data-breach insurance coverage
5. Develop a rapid response plan for addressing data breaches, both on the public relations and legal side

For more information on how Herrick can assist your company in responding to a data breach, please contact:

Ronald J. Levine at +1 609 452 3801 or [email protected]
Barry Werbin at +1 212 592 1418 or [email protected]

© 2014 Herrick, Feinstein LLP. This alert is published by Herrick, Feinstein LLP for information purposes only. Nothing contained herein is intended to serve as legal advice or counsel or as an opinion of the firm.