HOT TOPICS 2016 MEMBERSHIP DIRECTORY
do not provide for an opt-out due to agreement made where the disclosure is necessary to process or service a transaction for you the consumer therefore not required.”
In 2015, the federal Seventh Circuit Court of Appeals ruled that the risk of future harm to affected customers is enough to allow those customers to sue, including on a class action basis, the company that allowed their personal information to be compromised. In reversing a lower court that had dismissed the case, the Seventh Circuit held that the likelihood of personal data exposure following a system breach “is immediate and very real.” This was the first federal appellate court to rule on the issue of standing (the ability to sue) in data breach claims. As a result, dealers and other companies that suffer a security breach will have to contend with more lawsuits afterward. In the case, it was uncontested that the data breach exposed 350,000 consumers’ personal data. In discovery, the defendant company acknowledged that 9,200 individuals’ credit card data had since been used fraudulently. The Seventh Circuit determined that the breach victims “should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objective reasonable likelihood’ that such an injury will occur.” In so finding, the Court asked, “Why else would hackers break into a store’s database and steal consumers’ private information?” If a victim has standing, as the Seventh Circuit ruled, claims for negligence, breach of contract, and UDAP (unfair or deceptive acts or practices) violations could be asserted. Statutory as well as actual damages could be available, along with recovery of the victim plaintiffs’ attorney’s fees.
RECOMMENDED PRACTICES
The FTC has identified 10 critical steps for data security of non-public personal information (NPI):
a. Start with security – Don’t collect or keep NPI you don’t need, and design data security into all aspects of your business.
b. Control access to data sensibly – Actively manage your data and develop policies to govern it throughout its lifecycle. Limit access to those who need it, and grant them only the permissions they need. Don’t keep NPI longer than necessary.
c. Require secure passwords and authentication – Consider two-factor authentication for access to NPI: something you know (a complex password) and something you have (a randomly generated number from an ID token).
d. Store sensitive personal information securely and protect it during transmission – Encrypt NPI and other sensitive data in accordance with industry best practices throughout its lifecycle.
e. Segment your network and monitor who’s trying to get in and out – Monitor using firewalls and intrusion detection software, and don’t allow computers to connect freely to one another, since an attack on one machine can spread to others.
f. Secure remote access to your network – Ensure endpoint security and put limits on access in place.
g. Apply sound security practices when developing new products – Train developers and engineers in secure coding, and test and verify proxies and vulnerabilities. Conduct a privacy impact assessment for new products.
h. Make sure your service providers implement reasonable security measures – Do due diligence, contractually require protections, and have an audit capability. Try to assess liability for data security breaches.