Target and Home Depot now find themselves among the ranks of other large companies that are under intense legal scrutiny thanks to massive data breaches, but that increased legal exposure could soon trickle down to medium-sized companies as well, and result in anything but medium-sized penalties and fees. 2014 might very well be the last year in which companies of any size can get away with risky data practices scot-free.
Legal activities are growing in scale (and cost)
When in doubt, follow the money. Crain’s recent investigation into the burgeoning legal industry surrounding data breaches notes that attorneys’ fees can range from $450 to $900 per hour. The justification for such high fees is an evolving legal landscape in which the burden of privacy is falling on the companies that collect the data.
Jillian Fennimore, spokeswoman for Massachusetts Attorney General Martha Coakley (D), recently told Bloomberg BNA that her state is also involved in the multi-state investigation into the recent Home Depot data breach. She notes:
“We have been in contact with Home Depot, and will be working with attorneys general across the country to review the circumstances and cause of this data breach, whether Home Depot had sufficient safeguards in place to protect consumer information, and to confirm that Home Depot will take appropriate steps to protect its customers.”
Regardless of how the investigation proceeds, the message is clear: Home Depot is responsible for its customers’ data, and “doing enough” is not a clearly defined term when it comes to electronic record-keeping.
Retail is the tip of the iceberg
Though running a large retail business entails keeping track of millions of transactions and customer records, big retail isn’t the only easy target for hackers with malicious intent. Healthcare and financial services firms find themselves particularly at risk, especially since both industries combine sensitive data with the need to collaborate among many stakeholders. This creates not only a lucrative target for data thieves, but also a system where human error is likely to occur. To take just one example from the many that have made it into the headlines recently, the loss of several laptops from a metropolitan hospital system has resulted in a flurry of lawsuits from patients and potential fines for the company.
Preparing for the future
Medium and even small businesses must now stave off the dual risks of data leaks and legal exposure. Implementing automated policy enforcement tools, as well as standardizing best practices around training employees and collaborators, can help support a security-conscious organization while also building a strong legal position in the event that a data breach does occur.