What Companies Can Learn from Target's Data BreachLegal Compliance Resource
March 25, 2014 — 1,169 views
The Target data breach case, where consumer data was stolen by hackers with individuals’ privacy being compromised, is an important lesson for companies on how to handle similar scenarios. Many lawsuits have been filed against Target, but they are not very strong and the retail giant may emerge a winner. However, every company should pay close attention to how Target reacted to the breach.
If a company does not react immediately and notify all affected consumers or individuals in case of a data breach, lawsuits are bound to follow. Companies are generally hesitant to reveal data breaches because of the dent in image, but will end up spending time and resources on litigations, settlements and the like. Though Target made the disclosure considerably quickly, it did come under fire for slow revelations.
Different notification laws
It must be noted that companies need time to ascertain what kind of information has been compromised. Most of the states have laws for notifying data breach, and require companies to notify within timeframes that vary from state to state. Most of these laws also allow a margin after the timeframe, if the enforcement machinery can be convinced that notification would come in the way of nailing and probing the hackers. As a legal adviser, you will have to inform the company about these laws, depending on which state’s jurisdiction it is under, so that the firm can act accordingly. In fact, what defines data breach also varies from state to state, as also the mode of notification. One of the fallouts of the Target data breach is that the White House is now considering a common yardstick across the nation, rather than state laws for speedy notifications.
Compliance with law
As an attorney or legal adviser, your role will be to advise the firm to ensure that none of its documents are tampered with. Government investigating agencies will certainly look into the records of the company and no efforts should be made to delete or tamper with them. The investigators will also monitor if a company has issued a hold on litigation and how it has gone about doing so.
Following a hold on litigations or lawsuits, the company should understand how the data breach occurred and must hold a review internally. If you are a law firm, representing the company, you should advise the company to take damage control steps like Target did. The retail giant gave new cards to protect privacy of its consumers, apart from insurance in case of consumer data theft and a credit monitoring service which is entirely free.