Proceed with Caution: Security Breaches put Damper on 2013/14 Holiday Season
January 14, 2014
Recent security breaches have placed a significant damper on many during the 2013-14 holiday season. Even though the companies/institutions involved were very large - Target, JP Morgan Chase and the Food and Drug Administration (FDA) - these recent breaches may provide useful cautionary lessons for any business facing data risks.
Target. In the most publicized incident, Target confirmed that thieves had accessed credit and debit card information of 70 million customers who shopped at its stores between November 27 and December 15, 2013. The Target breach is expected to be the second-largest theft of card accounts in U.S. history, just behind the 2005 breach involving the retailer TJ Maxx. Potentially the scariest fact is that Target failed to detect or report the theft for more than two weeks during the prime post-Thanksgiving shopping season. The breach already has triggered numerous claims, including a federal lawsuit against the company from three Minnesota plaintiffs, several consumer class actions, and formal inquiries filed (to date) by the Attorneys General of Connecticut, Massachusetts, New York and South Dakota. All of these actions and inquiries allege that Target knew or should have known about its security vulnerabilities and failed to alert customers quickly enough when it learned of the breach.
JP Morgan Chase. In another recent incident, the State of Connecticut suspended its innovative debit card tax refund program as a direct result of security concerns associated with a cyber-attack on the website of JP Morgan Chase (the program’s provider) that potentially exposed personal information of about 14,000 Connecticut card holders. The State had to return to issuing paper checks for tax refunds, child support payments, unemployment benefits and other tax-related payments. JP Morgan Chase may well face claims from the State and consumers adversely affected by the breach.
FDA. Finally, pharmaceutical companies and the House of Representatives are calling for an independent security audit of the FDA after hackers accessed the FDA’s computer systems in October. The FDA asserted that computers were accessed only at a division that does not host any drug company trade secrets but the FDA’s breach disclosure letter identified the compromised system as an “online submission system.” Drug companies, which are required to provide the FDA with highly sensitive data when they submit applications for approval of new drugs or medical devices, have expressed serious concerns about the FDA systems that hold priceless competitive information about drug manufacturing, clinical trials and marketing plans of the individual companies that report to the FDA.
LESSONS LEARNED
- Data breaches can devastate your business. A data security breach, if publicized, can be a serious blow to your company’s reputation. While the figures are not available yet, analysts have estimated that Target’s losses in the form of reduced sales alone could be in the billions of dollars, not even counting damages and regulatory fines. JP Morgan Chase’s share of the business segment providing debit cards to governmental and institutional clients also is likely to take a significant hit based on these new security issues. All businesses should maintain cybersecurity protections commensurate with the significant harm a major data breach could cause the company.
- Regulated companies should consider expanding efforts to protect information filed with state or federal agencies. The FDA case should serve as a cautionary tale for all businesses that provide sensitive information to federal, state or local agencies. It is an evolving best practice for companies to undertake due diligence with respect to all vendors holding their personal information. All companies should demand answers about the protections in place for information filed with regulatory agencies. Where appropriate, companies should seek to initiate discussions - either alone or as part of an industry coalition - over possible security enhancements and best practices.
- Small to medium-sized businesses can be targeted as well. If hackers can access systems of large companies, such as Target or JP Morgan Chase, with significant resources to spend on cybersecurity measures, they can just as easily go after smaller companies that likely have fewer resources to devote to security protections. Make sure that your firm’s list of New Year’s resolutions for 2014 includes maintaining a robust cybersecurity program that includes IT protections, a written information security plan, internal and external controls on access to sensitive data, and vendor due diligence.
If you have any questions about the information contained in this Alert, please contact your Murtha Cullina attorney or a member of our Information Security and Privacy Group.