Data security breaches are becoming too common for comfort as we engage daily as participants in the marketplace. Companies, governmental institutions, nonprofits, and other organizations are quickly learning that a cyber incident could be a day away. If they claim that their information is secure, that claim can be checked, and they can be found guilty of deception for giving customers, members, and the like a false sense of security. Inadequate measures that do not meet reasonable and industry standards may soon be of no avail. That lackadaisical approach to IT management has recently affected schools as well as stores where people commonly shop.
One such store, Home Depot, just entered into a settlement agreement out of the United States District Court for the Northern District of Georgia that was filed on March 7, 2016. A couple of days later, a suit was filed in the United States District Court for the Central District of Florida against the University of Central Florida (UCF). The complaint cites claims for negligence by UCF in handling confidential information, breach of an implied contract to keep the data secure, conversion, and bailment. The latter is underscored by the plaintiffs' argument that UCF did not safeguard the personal or financial information of persons.
The store suit claimed that the store failed to maintain industry-standard data security and appropriate notification practices. In Count I, the plaintiffs asserted violations of consumer laws regarding all affected plaintiffs and separate statewide consumer law classes. Count II asserted violations of state data breach notification statutes on behalf of separate statewide classes. Count III asserted negligence. Count IV asserted breach of implied contract. Counts V and VI asserted unjust enrichment and sought declaratory judgment. The complaint asserted that the store violated state data breach statutes by not informing customers in a timely manner and not providing them accurate notification of the breaches.
In its settlement, the store agreed to establish a reimbursement fund for cardholders and a fund for identity protection for cardholders. The store will also invest to enhance its data security practices and improve its identity protection services. The cyber intrusion into Home Depot’s system occurred when a vendor’s credentials were acquired and used to enter the network and extract customer purchasing card information using malware. The UCF matter likewise involves an external intrusion.
The UCF lawsuit claims that the school committed negligence by failing to reasonably secure the personally identifiable information (PII), to maintain the PII securely, and to provide notice of the incident in a timely manner. The suit claims that UCF took over a month to notify the affected persons and that the size of the affected class is approximately 63,000. The potentially affected persons include UCF employees, students, and alumni, and the type of information extracted may have included social security numbers and complete names. The lawsuit also asserts that UCF violated Florida’s Deceptive and Unfair Trade Practices Act, claiming that UCF’s conduct was unlawful in not seeking to protect the plaintiffs’ vested interest in the privacy, security, and integrity of their PII.
Both cases demonstrate that data security efforts and claims require due diligence and involve a lot more than housing IT, receiving payments, issuing bills, and monitoring sales, losses, and employees. There is a personal stake for all at the institutional and corporate level, which has to embrace technology, personnel, and management with an eye towards risk assessment. Seeing the risk is only part of the equation. Implementing the institutional steps, personnel, and scheduled follow-through to rectify future vulnerabilities and verify that applications are satisfactory is a greater commitment.