With high-profile cases like ChoicePoint and TJX acting as a lure, plaintiffs' attorneys are increasingly interested in generating class-action lawsuits against businesses for data security breaches or electronic data loss events.

And the lawsuit could be the least of a business's problems. Attorney general audits and fines, third-party litigation and the threat of tighter federal regulation of data security mean businesses must be more proactive than ever in mitigating such loss.

In a panel discussion at the recent 2009 PLUS International Conference in Chicago, five experts discussed the exposure environment for data breaches, passed and pending legislation, and the best ways businesses can protect themselves against a loss.

The exposure environment

Although data breach lawsuits can be attractive to plaintiffs' attorneys, lawyers know they must have their ducks in a row before seeking a class-action certification, said Sherrie Savett, Esq., shareholder and chair of the securities litigation department at Berger & Montague, Philadelphia. At the least, the breach should affect millions of users, result in an actual misuse of data, and involve sensitive information such as Social Security numbers or credit card numbers and expiration dates.

Successful cases also result in statutory damages, she added. Under the Fair Credit Reporting Act, companies that are determined to have been reckless in storing their customers' data--including medical information--could be liable for between $100 and $1,000 per victim in a case settlement. And potential defendants include not only credit scoring bureaus but banks, lending institutions, and other financial institutions. Damage is the big issue and the exposure to a company can be huge, Savett said.

In a recent class-action case involving credit card numbers stolen from Hannaford Bros. Co., an East Coast supermarket chain, the courts are determining whether the time and money a consumer spends to restore his or her credit is compensable damage. The trend in the courts now is to consider data as real property, not just information, Savett said.

For defendants, the lawsuit is only half the story, said Theodore Kobus II, chair, technology, media & IP practice group, Marshall, Dennehey, Warner, Coleman & Goggin, Philadelphia. State attorneys general are tracking data breaches and requiring that they be reported to them. Mellon Bank, Countryside and others have been fined by AGs after audits, and state departments of insurance and others can audit if a breach is reported. Nevada and Massachusetts have especially stringent rules on responsibility to breach, and on the federal level, H.R. 2221, the Data Accountability and Trust Act, would require "reasonable security policies and procedures to protect computerized data containing personal information," as well as nationwide notice in the event of a security breach.

Anatomy of a breach

Two of the biggest and most notorious data breach cases involve credit scoring bureau ChoicePoint Inc. and TJX Cos. Inc., owner of discount retailers Marshalls and T.J. Maxx. The ChoicePoint breach occurred in 2005, when swindlers stole the personal financial records of more than 163,000 consumers by setting up fake business requests. In the subsequent lawsuit, ChoicePoint ended up paying $10 million in civil penalties and $5 million in consumer damages.

In the TJX case, hackers stole 45.7 million credit and debit card numbers over 2005 and 2006, resulting in a class-action lawsuit and a $200 million settlement with consumers and TJX's bank, Fifth Third Bancorp. According to an article from InformationWeek, TJX has spent more than $20 million investigating the breach, notifying customers, and hiring lawyers to handle dozens of lawsuits from customers and financial institutions.

Breach response preparedness

The good news arising from high-profile cases like ChoicePoint and TJX is that businesses are taking a more cautious approach to data breach risk management, said Bradley S. Gow, senior vice president at Zurich North America, Schaumburg, Ill. Banks are now making retailers responsible for breaches, and specifically putting this responsibility into their contracts with retailers.

Because the expenses of a breach can be mitigated by prevention, and time is critical in reacting to a breach, a written response plan is essential, said Kendall Walsh, director of Direct Group, a direct marketing firm based in Pennington, N.J. This should include written documentation approved by management, and a list of team members who will respond if a data breach occurs, including legal representation, marketing representatives for brand protection, IT experts and outside vendors knowledgeable in state and federal privacy laws to handle forensics and customer notification, he said. Having such experts at your disposal is key in underwriting data breach risks.

Efficacy of security/privacy insurance

Although data breach insurance is available and has become increasingly popular with businesses in recent years, coverage is still evolving and will change in response to frequency of loss, federal legislation, attention from the plaintiff's bar and market competition, said Gow of Zurich.

Today's data breach insurance coverage goes beyond basic coverage to provide the "bells and whistles" most businesses expect, said Patrick Donnelley, managing director of Professional Risk Solutions, Aon. In early policies, a breach response fund of $25,000 to $50,000 was built into most insurance policies to help minimize liability. Because of competition and the evolution of the line of business, today's funds have gone into the $1 million to $10 million range, he said. Other variations include policies with time rather than dollar deductibles, as well as business interruption coverage.

However, 5 years of pricing in a soft market has resulted in policy pricing that is "probably light," said Gow of Zurich. "While carriers are hoping losses won't occur, there has been frequency in some industries," he said. "Based on the potential of risk, we're probably whistling past the graveyard."
