How to Avoid Data Breaches: A Primer


People trust companies with their personal information. Frequently, companies outright betray that trust or take it lightly. As a result, the number of serious data breaches has quadrupled since 2020. The explosion in the number of data breaches has prompted decision makers to pass tougher laws in this area. With a higher standard of protection thanks to legislation like the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the U.S., data breach victims have greater support when pursuing class action lawsuits.

More legal options are available, but only an experienced commercial litigation and class action lawyer enforces these rights in court. Class action litigation is very complex. But it can be an effective way to enforce data breach legal rights. Large, multinational companies will most likely ignore a few small verdicts here and there. But a multi-million-dollar class action settlement almost always gets their attention.

Understand the Threat

To avoid the growing threat of data breach class action lawsuits, companies must first understand the threat, which could be a for-profit hacker, a “hacktivist,” a dumpster diver, or most likely, a careless employee.

Personal financial information, like bank account numbers and credit card numbers, is the mother lode for a for-profit hacker. These hackers rarely target banks or other financial institutions, since their security is so difficult to penetrate. Instead, they often hack into smaller and less-well-guarded systems, such as a lawyer’s or doctor’s office.

Hacktivist activity is harder to predict. Usually, these hackers don’t want money. They want to make a point or embarrass a company, often for personal reasons. Speaking of personal reasons, many hacktivists break into digital accounts to prove to themselves they can do it. Nevertheless, if your company takes a strong stance on any issue, your company basically has a target on its back.

As mentioned, careless employees who leave thumb drives or portable hard drives in vulnerable locations may be the biggest cause of data breach class action lawsuits. One of the most infamous examples is the 2022 BIPROGY breach in Japan.

An employee copied the personal information of 465,177 residents of Amagasaki, Japan onto two USB memory sticks and took them with him. Then, on his way to Osaka, he stopped at a local bar in Amagasaki and, long story short, he woke the next morning without the bag that contained the two USB sticks. 

In its defense, the company did the right thing and immediately reported the incident to Amagasaki police, who found the bag outside an apartment building a day later.

Make Appropriate Rules

Usually, a New York litigation and class action lawyer argues that the company was negligent. Promptly reporting a data breach incident, as mentioned above, and making appropriate rules are two of the three best ways to avoid a finding of negligence.

Lapse-of-security data breaches are embarrassing. Lapse-of-judgment data breaches are even more embarrassing. Nevertheless, companies have a legal duty to immediately report such incidents, to limit the damage as much as possible.

The rules must require encryption and other measures appropriate to the industry standard. In general, companies don’t have a legal responsibility to lock information in a vault. But they do have a legal duty to close and lock the door.

Part of this protection includes a strict BYOD (bring your own device) policy, as well as a prohibition on unsecured WiFi. Depending on the industry standard, most companies should either ban BYOD or closely regulate the practice (e.g. the USB drive never leaves a worker’s actual physical custody). The WiFi rule matters because, in the work-from-home (WFH) age, many workers go to Starbucks and work over the shop’s open WiFi as they enjoy their coffee.

All employees must affirmatively agree to the policy and express their understanding for the reason underlying the policy. They must also agree that, if they violate a data breach policy, they’ll pay the price.

Enforce the Rules

This final area is harder to implement than it seems. Enforcement must be cold and even. Companies cannot consider extenuating circumstances, the employee’s prior contribution to the organization, or anything else. Instead, an investigation must be prompt, thorough, transparent, and fair.

Data breach investigations must begin immediately, not after the dust settles. The investigating body must consider all evidence, not just the evidence that supports a certain outcome. Nothing can happen behind closed doors, and the punishment, if any, must be based solely on the results of the investigation.

Data breach class action lawsuits often mean huge liability judgments. For a free consultation with an experienced commercial litigation and class action lawyer, contact Napoli Shkolnik. We handle these matters nationwide.