Hacked Companies Are Facing Data Breach Lawsuits Filed by Financial Institutions

Data breaches aren’t cheap to clean up. Just ask Rosen Hotels, whose costs to clean up a 2016 breach could end up exceeding $2.4 million. Shockingly, that’s below the $4 million average cited by IBM. In addition to direct costs, such as fines, labor to actually perform the cleanup, and bills from attorneys and PR firms, organizations are increasingly facing additional exposure in the form of data breach lawsuits – and not just from their customers.

Banks and credit unions, who must eat the losses when payment card numbers are stolen, are starting to fight back and demand reimbursement in the wake of POS system breaches. Fast-food chains Arby’s and Wendy’s, along with retailer Eddie Bauer, are facing class-action data breach lawsuits filed on behalf of financial institutions. Meanwhile, the Home Depot recently settled a similar suit for $25 million; this is in addition to the millions of dollars it is expected to pay for plaintiffs’ attorneys fees and the millions more it has already spent on fines and other cleanup costs.

Financial institutions aren’t the only parties that may file data breach lawsuits. Rosen Hotels is being sued by its commercial liability insurance company, which is alleging that Rosen’s policy did not cover data breaches. Additionally, the employee tax data phishing scam that was all the rage in 2016 reemerged just in time for the 2017 tax season, so the next round of lawsuits may stem from organizations’ own employees.

Preventing Breaches Is Far Cheaper Than Cleaning Them Up

Arby’s, Wendy’s, Eddie Bauer, Rosen Hotels, and the Home Depot have something in common, and it’s not just that their POS systems were hacked. All of them are examples of the high cost of reactive cyber security, which focuses on cleaning up after breaches happen instead of preventing them in the first place. This is the crux of the data breach lawsuits the banks are filing; they are alleging that hackers shouldn’t have been able to access these companies’ POS systems in the first place. They’re right. Hackers would not have been able to get in had the affected companies invested in proactive cyber security and implemented sound governance, risk, and compliance procedures.

The problem is not exclusive to large national or multinational corporations; it is estimated that 86% of small and medium-sized businesses woefully underfund their cyber security measures, and three-quarters have, at most, two staff members devoted to security (some have none). Yet as badly as companies the size of the Home Depot are being hammered by data breach lawsuits and other cleanup costs, they can afford to take the hit and keep going. A small business with razor-thin profit margins, or a young startup that’s not yet in the black, could be bankrupted by a data breach, especially if lawsuits are involved.

Often, it’s not that small businesses don’t care about being secure; it’s that they think they couldn’t possibly afford it. The good news is that proactive cyber security does not have to cost a small fortune. RegTech software solutions such as Continuum GRC’s IT Audit Machine (ITAM) automate GRC and security processes and put world-class security, compliance, and risk management within the reach of small and medium-sized businesses.

Don’t be reactive and wait for a breach to happen and potentially bankrupt your business; be proactive and prevent hackers from getting in to begin with.

Author's Bio: 

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.