Pending Case Illustrates Danger of Data Breach to Businesses

Posted by Edward Sharkey on Mon, 08/26/2013 - 04:00

Data breach, most often occasioned by computer hacking, is the acquisition of personally identifying information (“PII”) by unauthorized parties. It can lead to serious issues – notably, identify theft – for the people whose PII is stolen. We have addressed before in this space some of the legal problems businesses may face after falling victim to a data breach. We have also discussed a developing legal theory used by plaintiffs to pursue claims against businesses for data breach, even when a breach has not resulted in identify theft or actual damages. Another large-scale data breach has been in the news lately, and it illustrates just how problematic such a breach can be for a small business.

A small Midwestern grocery chain suffered a data breach when about 2.4 million customer debit and credit card numbers were exposed. To complicate matters, the company took more than two weeks to remedy the breach after it learned of the exposure, and it failed to warn customers until after the breach was fixed.

The business is now facing a class-action lawsuit filed by potentially affected customers. Notably, the allegations against the company include “willful and wanton neglect” in failing to warn customers of the breach in a timely manner. Punitive damages – which can be given in cases of extreme misconduct in addition to compensatory damages – would be available if such an allegation is proven. In an attempt to move the case to federal court (the suit was originally filed in state court in Illinois), the grocery chain acknowledged that the compensatory damages alone in the case could be greater than $5 million.

Businesses should take a few points away from this case: data breach is a serious and potentially costly problem facing all businesses that retain customers’ PII. When a business becomes aware of a data breach, it should its counsel and then notify the potentially affected customers as soon as possible. Stay tuned to the blog for updates on this case as well as other important developments in data breach law.

Call Today (301) 657-8184

 Google+  View Edward Sharkey's profile on LinkedIn