
A data breach last year at California-based customer support service [24]7.ai may have exposed the credit card information of customers of Sears, Kmart and Atlanta-based Delta. These organizations are now faced with the task of sorting through potential liability stemming from state data breach notification laws and the role of third-party vendors in data exposure.


Delta notified March 28

In a press statement issued on April 4, Delta announced that it had been made aware of the breach on March 28 and had begun working with [24]7.ai to get a sense of the breach's scope and impact. Delta also reportedly contacted federal law enforcement and forensic teams to confirm the breach and has launched a website to answer consumer questions about the breach.


Georgia is one of 47 U.S. states with breach notification laws on the books requiring companies to notify consumers in a timely fashion if state residents have had their data exposed by a breach. Efraim Harari, general counsel at cybersecurity technology company SentinelOne, noted, however, that national companies such as Delta are likely subject to even more stringent state breach notification laws.


“Delta Airlines probably has more customers in California, where their breach notification law is far beyond that, with credit monitoring for one year and a few other requirements, as is the case for Massachusetts,” Harari noted.


Consumer concern

Because of the kind of data Delta retains, Harari said the potential to draw consumer concern is likely higher than it could be in a similar breach of a technology or data company. “Companies like Delta have a different problem in the sense that the type of data they process is highly personal and has immediate personal implications when it's been breached, specifically credit card information, Social Security information, things that can lead to fraud pretty quickly,” he noted.


“The reputational risk is paramount,” Harari said of data breaches more generally. “It causes serious damage to companies vis-à-vis their shareholders, their boards, their executives,” he noted.


Harari guessed that Delta, given its longevity in the market and size, probably mandates fairly strict data obligations for its data processors, meaning that a smaller tech vendor such as [24]7.ai is more likely to be held liable for data exposure. Companies smaller than Delta, however, may not have the same negotiating weight in establishing liability with their vendors, which could leave them exposed to litigation.


Data privacy law

U.S. data privacy law, Harari said, hasn't fully resolved the question of whether users need to expressly consent (or opt in) to having organizations share their data, or whether organizations can simply share data unless users express otherwise (or opt out). He expects, however, that this may not always be the case.


“I do predict some shifts at some point in the U.S. toward a more opt-in option with respect to sharing with third parties, especially third parties whose activities with respect to the data are not what the user has signed up for,” he said.


Third-party breaches seem to be an increasingly common staple of corporate cybersecurity risks. An exposure of Verizon Communications' data last year was traced back to a third-party data storage center, as was an earlier breach at retailer Target.


3rd party breaches & cybersecurity risks

Paul Sieminski, general counsel at WordPress' parent company Automattic, previously told Corporate Counsel that even when vendor systems are breached, organizations should approach the situation as if they are liable for consumer data loss. “I always feel that we're ultimately responsible for [our data] and when we choose partners, we can't wash our hands of it,” he noted. “A user whose account was breached is not going to accept: 'Oh, that wasn't us.'”


“[Vendors] are responsible for their own security practices and if there is a breach, if they failed in those obligations, they should bear responsibility for it. But you as the customer are responsible for selecting good partners,” Sieminski added.


Delta noted in a statement that the company would “directly contact customers who may have been impacted by the [24]7.ai cyber incident.”


“In the event any of our customers' payment cards were used fraudulently as a result of the [24]7.ai cyber incident, we will ensure our customers are not responsible for that activity,” the company added.


Payment info, passports, IDs, Skymiles

According to Delta, customer payment information may have been exposed by the breach, but passports, government IDs, security and SkyMiles for Delta customers were not impacted. The company plans to directly contact customers who may have been impacted by the breach and “will ensure our customers are not responsible for that activity.”


A statement issued by [24]7.ai noted that the breach occurred from Sept. 26 to Oct. 12, 2017.


Georgia has played host to a number of high-profile data breaches over the last few years, many of them exposing personal information for millions of consumers. A 2014 breach of a third-party vendor for Atlanta-based home improvement chain Home Depot impacted more than 56 million customers, and resulted in around $85 million in settlement fees for the company.


Atlanta-based credit reporting company Equifax, which exposed data for over one-third of all U.S. residents, is now facing a whole slew of litigation around the handling of its breach.


Gabrielle Orum Hernández is a reporter with Legaltech News and the Daily Report covering legal technology startups and vendors. She can be reached by email at [email protected], or on Twitter at @GMOrumHernandez.
