CSG Law Alert: From Victim to Accomplice: When Liability Shifts in Cases Involving Corporate Data Breaches

As the target of a corporate cyber breach, are you a victim – along with your customers and personnel – or are you a “willing” accomplice to the crime?

This week, a U.K. bank was fined in excess of $21 million for failing to protect its systems and customers against a “foreseeable” cyber-attack that occurred in 2016.

The bad actors exploited deficiencies in the design of the bank’s debit cards. In the year preceding the attack, Visa, Inc. had issued a warning to lenders, including this bank, about this weakness. As such, the regulator found that the bank was on notice of the potential for the attack, and nevertheless failed to take action to prevent its occurrence.

Those of you based in the U.S. reading this post may say, “well that is the U.K.”…

However, earlier this year, a Federal District Court in North Carolina found that a U.S.-based company that failed to train its personnel about a “known” phishing scam had acted “intentionally” when one of its (untrained) employees released the company’s employees’ W-2s in response to such a phish. In this case, the IRS had issued warnings in prior years about this type of scam. However, the U.S. company did not train its personnel to be aware of such an attack, nor did it have protocols in place to guide personnel in such instances. In finding that the company acted “intentionally,” the court ruled that the company, in effect, willfully exposed the Social Security numbers of its personnel. Under North Carolina law, having been found to have acted intentionally, the company was subject to treble damages.

Given these rulings, and with more and more states adopting proactive legislation requiring businesses to have written policies, procedures and protocols in place to prevent, detect and mitigate cyber-attacks, companies may not be able to argue that they were “innocent” victims, too.

Having written policies and procedures, supporting technology and educated personnel will go a long way toward protecting the company, its customers and its personnel; and when (not if) an attack occurs, the company will be prepared to respond effectively.
