Target Corporation, the nation’s number two general retailer (after Wal-Mart), was recently the center of a cybercrime attack that may have compromised as many as 40 million credit and debit card accounts. Target revealed that a third party had breached its security safeguards during the height of the holiday shopping season and gained access to private customer data, including shoppers’ names, card numbers, expiration dates, and three-digit security codes. This highly publicized debacle highlights the risks of cyber exposure.
Target’s large-scale data breach is just one of many examples of the havoc that a cyber attack can unleash. The breach, which affected shoppers at the height of the holiday season, has already spawned lawsuits in California and Oregon. These suits, which implicate fiduciary obligations, illustrate the exposure that professionals face. Because such claims involve the mishandling of sensitive account information, it is not uncommon for data breaches to result in claims of fiduciary liability, or of fraud, against directors, officers, or I.T. professionals.
The Target ordeal also serves as a reminder of the expenses associated with a cyber breach. A study conducted by an online risk management firm reported that in 2011 the average total cost to a company of a security breach was $3.7 million, with an average legal settlement cost of $2.1 million and average legal fees of $582,000.
Security breaches can be bad for business as well. As news of the breach spread, Target’s sales dipped: the number of transactions at Target fell by approximately 4 percent compared with the final weekend before Christmas the previous year. Lost revenue, a falling share price, and expensive litigation are a recipe for derivative suits against directors and officers if it becomes apparent that the risk of a data breach was not appreciated and proper protocols were not put in place.
Moreover, professionals often create documents containing personally identifiable information and retain the data on electronic devices. What happens if these records are breached, as when hackers targeted specific law firms to seek information about a $40 billion takeover deal?
Lawyers have a professional duty to protect confidential client information. If a client’s personal records are obtained because a law firm failed to properly dispose of sensitive business records, or because of a security breach, the client may bring an action under state and federal law, in addition to traditional common law claims. Making matters worse, the traditional professional liability (PL) policy may not cover the penalties and costs associated with the breach itself.
Lawyers and other professionals can protect themselves from liability associated with data breaches by taking several proactive steps. These include developing a comprehensive security and data-breach response plan, training employees on data security, physically securing electronic equipment, and implementing a policy for how documents are to be produced and destroyed when production is required. In the event of a suspected breach, firms should immediately notify the client, in addition to investigators, in order to minimize the potential harm.