The lawsuits started almost immediately after Target’s (TGT) admission that hackers had stolen information related to the credit-card accounts of 40 million shoppers. At least 11 customers are now pursuing class-action suits against the retailer, claiming it was negligent in protecting their data.
Losing control of sensitive customer data is a fact of life for American companies. They’re collecting more of it, and they are often outgunned by hackers, who are highly motivated to get at it. It’s not even clear how much legal responsibility companies have to protect it. “There is limited judicial guidance on what constitutes negligence in the cybersecurity area,” says Craig Newman, a partner at Richard Kibbe & Orbe who follows legal issues related to security.
The U.S. Federal Trade Commission wants to offer some. In recent years it has brought more than 40 actions against companies. Generally, the companies have settled quickly; who wants to drag out a debate with regulators as to whether your security operations are negligent or just bad? But the commission is getting some pushback from companies that have suffered security breaches. Wyndham Hotels (WYN) was first to challenge the FTC, saying both that the commission’s standards are too vague and that it lacks the authority to enforce them. LabMD, a cancer-detection laboratory in Atlanta whose billing information wound up on file-sharing sites, has also refused to settle.
Those trying to argue that Target has been negligent will also be watching whether it is found to be in violation of cybersecurity standards known as PCI security standards. Companies handling credit-card transactions need to adhere to these standards, set by credit-card networks. The system has been criticized as fostering complacency among merchants that meet the standards, as well as offering the networks a means of avoiding blame: Companies have been found compliant, only to be re-investigated after getting hacked—and losing certification retroactively. “PCI is currently losing what little legitimacy it has,” wrote Rich Mogull, chief executive officer of security advisory firm Securosis, this spring.
Even if the Target hacking ends up seeming avoidable, consumers may face problems proving that the breach actually cost them anything. Customers whose cards are used fraudulently won’t be held responsible for those charges, and companies that get hacked often foot the bill for credit monitoring. Target customers whose identities are eventually stolen will find it difficult to prove that this breach is specifically to blame. Hackers have plenty of ways to access personal information.