Dave Fisher says, given the recent frequency of data breaches, it’s only a matter of time before the public takes legal action

Reputational damage and customer churn are subjects regularly referred to when discussing data loss. If a company loses a customer’s data, they may expect to wave goodbye to that individual’s business, as well as risking further churn from other worried customers. But given that so many organisations have confessed to data breaches during 2008 alone, how long will it be before the backlash extends beyond churn, as individuals begin to understand the ramifications of these breaches and start seeking legal retribution?

In June 2008 a lawsuit was filed in Regina, Canada, alleging that Daimler Chrysler Financial Services and several affiliated companies were responsible for losing confidential customer data and then failed to notify the affected customers for several weeks. Interestingly, the plaintiffs’ claim referred specifically to their concerns about the heightened risk of identity theft resulting from the data loss.

A more bizarre case occurred in February 2008 when a customer attempted to sue US retailer Best Buy over a laptop containing personal data that was apparently lost during a repair process. Astonishingly, the customer filed a 54 million USD lawsuit, an amount she admitted to be unrealistic but had chosen purely to attract media attention (and presumably to increase the compensation Best Buy was prepared to offer). When the loss became apparent, Best Buy did not initially file the required legal notice stating that the customer was at risk from identity theft, instead offering a gift card by way of recompense for the laptop loss. Having failed to appease the customer, the company found itself at the centre of a huge court case and accompanying media storm.

It’s easy to see the reputational damage that can be caused by litigation, even with one-off cases involving inconsequential amounts of money. No matter whether an organisation conducts itself admirably or questionably under these circumstances, it still lost the data in the first place and is likely to be portrayed in a negative light through any resultant legal proceedings.

Then of course there’s the question of what happens when litigation occurs on a widespread scale. Suppose an organisation loses confidential information pertaining to 15,000 customers and, rather than receiving a handful of protests, is taken to court by all or the majority of the affected 15,000. If every customer files a big-money lawsuit then the organisation in question could be facing a huge financial outlay in addition to the reputational damage we’ve discussed – a recipe for disaster for most companies. In fact, one insurance broker recently revealed to me that its New York office had to deal with 300 cases of data breach within a single month during 2008, each one attracting a class action lawsuit.

It doesn’t matter whether the data breach occurred because of neglect, insufficient internal procedures, or the malicious actions of a lone employee. By this stage it has become irrelevant, for the simple reason that a growing percentage of the general public is already highly paranoid about identity theft, and is unlikely to tolerate any organisation that fails to treat their personal data with care. Consequently, it will be no surprise if we see similar lawsuits occurring in the UK over the coming months, as more people demand adequate compensation for their loss.

Dave Fisher is business development manager at Alcatel-Lucent