Doing security right is cheaper than trying to recover from a data breach -- and the stakes keep getting higher. Recent moves by the courts indicate that organizations are expected to take adequate security measures to protect user data; if the companies don’t have protection in place, the penalties will be painful.
While organizations were previously subject to fines for not complying with regulatory requirements, they were rarely held responsible for failing to implement certain defenses. That seems poised to change, as the recent district court decision against Target and the appellate decision against vacation-resort company Wyndham Worldwide show there can be serious financial repercussions for security failure.
“U.S. businesses didn’t need another reason to get very serious, very quickly, about cyber security, but now they have one,” said Jeff Hill, the channel marketing manager at STEALTHbits.
A U.S. District Court judge recently affirmed Target’s negligence in the 2013 data breach, which compromised more than 40 million credit cards over the holiday shopping season. The decision opens the way for the $5 million class-action lawsuit from banks affected by the breach. The five primary plaintiffs, Umpqua Bank, Mutual Bank, Village Bank, CSE Federal Credit Union, and the First Federal Savings of Lorain, claim they sustained more than $5 million in damages from the breach.
In the past, banks and card issuers were responsible for the cost of credit card fraud, which included the cost of replacing the cards as well as fraudulent charges incurred on the stolen accounts. With the lawsuit, if the plaintiffs could prove Target was negligent in securing its systems, then they would be able to recover some of those costs.
It’s a challenging situation because Target had invested in security and deployed advanced defenses. The retailer made mistakes as it didn’t act on the alerts flagged by its security tools, but it’s up to the courts to decide if that constituted negligence.
"If a construction company leaves a hole in the ground and someone falls in it, there’s liability due to negligence, and litigation follows. The construction company failed to fulfill their obligation to protect the public. But if they put a barrier around the hole and a vandal removes it through the night, who is at fault?” said Kevin Foisy, chief software architect and co-founder of STEALTHbits. “Litigation becomes complicated.”
Target recently agreed to a $67 million settlement with Visa, agreeing to compensate thousands of financial institutions for the costs they suffered as a result of the breach. A similar $19 million settlement with MasterCard fell through when not enough banks signed on to the terms of the agreement. The retail giant has already paid $200 million in the aftermath of the breach, of which $21 million was for legal and other professional services for this year. With the new class-action lawsuit and settlement, Target’s data breach price tag creeps even higher.
The per-record cost of a data breach is $154, and the average cost of a data breach is $3.79 million, according to the latest figures from the Ponemon Institute. The costs include reputation damage, investigating and mitigating the breach, and regulatory fines.
“Add the cost of litigation in an increasingly hostile legal environment to the list of unsettling data breach consequences that already includes reputation loss, customer exodus, embarrassment, and federal government fines," Hill said.
Combine the District Court decision against Target with the recent appellate decision in the case between Wyndham and the Federal Trade Commission, and it’s clear organizations are being held to a higher standard than before.
Earlier this month, the appeals court ruled that the FTC had authority to sue vacation-resort company Wyndham Worldwide for failing to take adequate security measures to protect its systems and customer data. The 2012 lawsuit alleged “data security failures which led to three data breaches at Wyndham hotels in less than two years,” but Wyndham claimed the FTC did not have legal authority to bring the lawsuit. The appellate decision affirmed the FTC’s authority, letting the regulatory agency move forward with the suit.
The court upheld the FTC's authority to bring actions against businesses with lackluster security practices that lead to data breaches. More important, the decision lets the FTC act against companies whose security practices may result in data breaches, even if no actual breach has occurred, said Chenxi Wang, chief strategy officer at container security company Twistlock.
“To avoid an FTC action, companies must take a long, hard look at their security posture and security hygiene,” Wang said. As recent events indicate, it is becoming too expensive not to.