WORRIES ABOUT BREACHES OF PRIVACY

Source: Supply Chain Management Review
Posted on January 19, 2009

It has been reported that there were more documented data breaches in 2008 through August than in all of 2007. In addition to the damage to the reputation of the corporations that have experienced the data breaches, individual victims of data theft have suffered losses for which they have sought redress in the courts, and for certain large breaches groups of victims have also sought class action status.

For example, a case decided in Ohio in August 2008 involved the national shoe retailer DSW. In 2005, DSW announced that hackers had accessed sensitive information at 103 of its stores, with 1.4 million consumers affected. The hackers obtained credit card information, including account numbers, cardholders' names and transaction amounts, as well as other consumer information, including drivers' license numbers. DSW became aware of the breach only after receiving a "suspicious activity" alert from a credit card company. The Federal Trade Commission investigated the breach and alleged that DSW had failed to exercise reasonable care to protect the sensitive consumer data. DSW settled with the FTC, which opened the door to a class action lawsuit. In that case, the judge ruled that because the class action plaintiffs had failed to show any actual injury or damages as a result of the breach, the case could be dismissed. But DSW had clearly suffered reputational damage from the publicity surrounding the release of the data, and had also been harmed economically by having to defend itself before the FTC and in the Ohio class action.

Another class action example involved Wells Fargo Bank, which was sued in Minnesota. A subsidiary of Wells Fargo had hired a service provider to print monthly statements for certain home equity mortgage and student loan customers. A laptop computer containing unencrypted customer information, including names, addresses, social security numbers and account numbers, was stolen from the service provider. A class action lawsuit was brought accusing Wells Fargo of negligently allowing the service provider to keep the private information of Wells Fargo customers without adequate security. As in the DSW case, the judge dismissed the lawsuit because the plaintiffs could not show any present injury or reasonably certain future injury.

At least 44 states have some form of data security breach notification law. There are also many federal laws dealing with data security, such as the Health Insurance Portability and Accountability Act (HIPAA), which is intended to protect sensitive consumer information relating to health care and prohibits the use of an individual's medical information for purposes other than those for which it was provided without the person's express written consent. The Gramm-Leach-Bliley Act protects sensitive financial information. The European Union has a comprehensive directive on data protection with which any entity doing business in Europe must comply.

The risk of data breaches, together with the obligation to comply with the applicable laws and regulations, makes supply chain management transactions, and outsourcing deals in particular, a worry for companies that transfer data to third parties. In an outsourcing transaction, where a service provider is required to operate some aspect of a customer's business, the service provider will need to comply with the laws applicable to that outsourced business. If the business is a financial business, the outsourcer will have to comply with the Gramm-Leach-Bliley Act; if it is a health care business, the outsource supplier will likely have to comply with HIPAA.

If there is a data breach, the expense of containing it will be significant, but the expense of notifying every affected individual in accordance with the various notification laws may be greater still, and defending class action lawsuits can run into millions of dollars. When the breach is caused by the supplier, the question is often which entity must pay the notification expenses or legal fees. Although "indemnification" is a legal term that many business people pay little attention to, if the supplier is obligated to indemnify the customer for these costs, that obligation will certainly get the attention of the supplier's management when a breach occurs on the supplier's side. The supplier, of course, will want to limit its liability.

Before entering into a relationship with a new supplier, and even in continuing relationships with existing suppliers, the customer should perform due diligence to make sure the supplier complies with existing laws and regulations, contractually obligate the supplier to comply with them, retain the right to audit that compliance, and take (and require the supplier to take) expeditious action when data breaches occur.
E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants, as situations develop. Our e-mail address is: info@BennettGold.ca. In accordance with United States Code, Title 17, Section 107 and Article 10 of the Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.