The end of 2013 saw a slew of data breaches rock American consumers’ faith in the ability of big companies to keep their information secure. Target, Neiman Marcus, Michaels, AmMed, White Lodging Services Corp., and many other companies all suffered breaches that left valuable information, including credit card numbers, vulnerable to theft. Last year’s Thanksgiving-weekend breach at Target even prompted calls in the Senate for a congressional investigation. Clearly, something had to be done. Customers were being exposed to too much of a risk, while some companies seemed not to be heeding the warnings offered by their competitors’ own problems.
When it comes to holding companies accountable, how important is the distinction between having your credit card information exposed to theft, and actually having it used?
Fast forward to mid-2014 – how much has changed?
Earlier this week, Michaels urged a judge in Illinois federal court to dismiss a number of consolidated class action lawsuits brought by customers who claim they were affected by a data breach. The company, which revealed the breach back in March, claims individuals who filed lawsuits haven’t shown they suffered fraudulent charges or other injuries because of the security breach and, as such, lack standing to pursue their claims. That might be true, but it’s important to remember that Michaels only became aware of the breach after receiving reports of fraudulent activity on some of their customers’ cards. When it comes to holding companies accountable, how important is the distinction between having your credit card information exposed to theft, and actually having it used? One plaintiff involved in the lawsuit does claim an attempt was made to use his card, although it’s not clear if the charge was approved or not.
Michaels also argued that the information allegedly stolen consisted of card account numbers only, not more personal information such as Social Security numbers. It says a lot when a company’s defense basically boils down to the fact it could have been worse, but there you go.
Now, on to Target – the granddaddy of the current data breach scandals. Progress was made late last month when an eleven-strong steering committee was appointed. The committee (the group of attorneys who will report directly to the judge) will be an important part of the litigation that currently involves more than 80 different consumer classes. Some 70 million customers were affected by the breach, and lawsuits against the retail giant include claims for breach of contract, negligence, concealment, invasion of privacy, and violations of state and federal consumer protection laws. Target CEO Gregg Steinhafel was ousted last month, with many commenting that the security breach and the company’s handling of it contributed to his downfall.
Sadly, though, data breaches aren’t just old news. EBay went public just weeks ago with one of the largest data breaches so far, affecting as many as 145 million customers. While it did not compromise individuals’ financial details, the lapse may have exposed customers’ names, addresses, e-mail addresses, phone numbers and birthdays, potentially giving hackers a worrying amount of ammo. Users’ passwords were also allegedly subject to the breach, though it’s unclear if eBay’s encryption may have protected these passwords from being read. Worse, eBay announced that the breach began in February. As with Target – and so many other companies – the fact there was such a delay between the time the breach started and when consumers were alerted to it does not bode well.
At least three states – Connecticut, Illinois and Florida – are now investigating the eBay breach, and all customers have been advised to change their passwords. The company has more information available on their website.
As online business and digital technology advances, we’re entering a brave new world – but it looks like there’s still a way to go until businesses can ensure their customers’ details are safe from prying hands.