We are in the midst of a digital age that has resulted in astonishing productivity gains for business and extraordinary convenience for consumers, but it also has ushered in an era of unprecedented danger. Gone are the days when a couple of locked doors and a security guard were enough to protect a store.
Any organization that uses e-mail or has a web presence will be attacked. The biggest threat to the retail sector is Russian criminal syndicates that operate with ruthless efficiency in search of credit card numbers and personally identifiable information (PII).
According to a 2011 report by the Ponemon Institute, a security research firm, the typical data breach costs a company $5.5 million in operating expenses and lost business. Temple University’s Beasley School of Law released a study last year noting that companies on the losing side of data-breach class action litigation pay an average settlement award of $2,500 per plaintiff, with attorney’s fees averaging approximately $1.2 million. The Federal Reserve earlier this year confirmed that the PII of 4,000 banking executives was compromised due to vulnerabilities in the software framework used to build the agency’s website.
Schnuck Markets Inc., a family owned grocery store chain, revealed that customer credit cards used at 79 of its 100 stores might have been exposed in an attack that lasted about four months until its discovery. Facing litigation over the approximately 2.4 million credit and debit card numbers that may have been compromised, Schnuck’s insurer filed suit, claiming that the data breach was not covered by the company’s policy.
Proper cyber defense starts with talented IT professionals, but that is only the start. No cyber defense team is complete without the participation of knowledgeable legal counsel. A good lawyer will work with an organization to educate the stakeholders about the dangers that lurk, and the substantial liabilities incumbent with any breach.
Although a retailer may feel secure in its efforts to safeguard its data, what about all of the outside parties that are integral to the retailer’s mission? Experienced legal counsel can review supply chain agreements and insurance policies to identify and mitigate potential threats before they materialize.
When an IT department learns of a data breach, the person to call first is an attorney. Interactions with outside digital security or forensic firms may be subject to discovery by aggrieved parties. If an attorney engages these parties to investigate or mitigate the breach, those interactions are likely to be covered by attorney/client privilege, and thus will not be subject to scrutiny during the discovery phase of litigation.
Given the complexities of our rapidly evolving digital world, cyber security no longer can be thought of as merely an IT concern. Early and constructive engagement with cyber law counsel is fundamental to keeping data secure and responding to electronic attacks.
Michael Higgs is an attorney with the law firm of Shulman Rogers Gandal Pordy and Ecker, P.A., Potomac, Md. A frequent author and speaker, Higgs can be reached at firstname.lastname@example.org.