Do Data Breaches Count as Negligent Security?

There was a time when ‘negligent security’ primarily referred to preventable security breaches at brick-and-mortar locations, but not anymore. The recent data breaches of major US retailers Target and Neiman Marcus show that cybercrime is leading to a type of personal injury or professional malpractice (financial loss) for consumers, and it’s the retailers’ responsibility to take the necessary steps to protect their customers.

For those who missed the data breach story over the holiday season, here’s what you need to know: between November 27th and December 15th, the debit and credit card information of up to 40 million Target customers was hacked, and up to 70 million customers also had their names, home addresses, and email addresses compromised. Individuals and businesses were outraged by the breach, which led to some significant financial losses. Putnam Bank has already sued Target due to financial losses from reissuing cards and reimbursing customers for fraudulent purchases, and other banks are following suit.

As if that’s not bad enough, the upscale Dallas-based retailer Neiman Marcus also recently discovered that they’d been hacked and that customers’ card information had been compromised. Neiman Marcus says that it warned customers as soon as it became aware of the breach. Because the timing of the Neiman Marcus breach correlates with the Target breach, it’s now believed that Target, Neiman Marcus, and three other retailers were all hit in a coordinated cyber-attack.

The recent attacks raise new questions surrounding liability, and many consumers are wondering if Target and Neiman Marcus could have done more to protect their private information.

Target Was Warned about Security Risk

In the case of Target at least, the company had some warning that they were at risk for a security breach. According to a Seattle law firm that is filing a new complaint against Target, the retailer was warned by a security expert that its point-of-sale systems had weaknesses. Because Target failed to take any actions to address the weaknesses that ultimately led to the breach, they may be found liable for negligent security.

Target is also being criticized, and sued, for failing to notify customers of the security breach until four weeks after it happened. That means that customers weren’t on the lookout for fraudulent activity on their credit or debit cards until up to a month after their information was compromised, and some individuals (as well as their banks) were more likely to incur significant financial losses as a result. Target is facing dozens of lawsuits from customers.

Greater Security Measures Needed to Protect Consumers

The recent Target and Neiman Marcus hacks highlight the fact that retailers need to take greater security measures to protect their customers. Just as business owners may need to implement security measures like security cameras and good lighting to protect their customers from personal injuries at their brick-and-mortar locations, they also need to implement security measures to keep their customers’ data safe. That’s simply part of the duty that retailers have to their customers.

Retailers need to regularly have security experts inspect their systems, and unlike Target, they need to respond to any weaknesses. (For the record, Target reports that it has now fixed the weakness that led to its breach.) CRN contributor Robert Westervelt suggests that one thing retailers may need to start doing is getting their business executives more involved in risk-based decisions, as this may help companies to address and resolve points of weakness more quickly.

Whatever steps businesses need to take to improve their security, it’s clear that now is the time to act. Data hacking is a lucrative industry for cyber criminals, who make about $80 per stolen card, and cyber security experts suggest that the retail industry is going to see a rise in the number of security hacks in 2014.

It’s no longer a case of if hackers are going to try to compromise a business’s system; it’s when. Retailers had better be ready to respond.

About the Author:

Andrew Winston is a partner at the personal injury law firm of Lawlor Winston White & Murphy. He has been recognized for excellence in the representation of injured clients by admission to the Million Dollar Advocates Forum, is AV Rated by the Martindale-Hubbell Law Directory, and was recently voted by his peers as a Florida “SuperLawyer”—an honor reserved for the top 5% of lawyers in the state—and to Florida Trend’s “Legal Elite.”