2016 GNYADA Membership Directory

HOT TOPICS

do not provide for an opt-out due to agreement made where the disclosure is necessary to process or service a transaction for you the consumer therefore not required.”

In 2015, the federal Seventh Circuit Court of Appeals ruled that the risk of future harm to affected customers is enough to enable the customers to sue, including on a class action basis, the company that allowed their personal information to be compromised. In reversing a lower court that had dismissed the case, the Seventh Circuit Court held the likelihood of personal data exposure following a system breach “is immediate and very real.” This was the first federal appellate court to rule on the issue of standing (ability to sue) to assert data breach claims. The case will mean that dealers and other companies that incur a security breach will have to contend with more lawsuits after security breaches.

In the case, it was uncontested that the data breach exposed 350,000 consumers’ personal data. In discovery, the defendant company acknowledged that 9,200 individuals’ credit card data had since been used fraudulently. The Seventh Circuit determined that the breach victims “should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objective reasonable likelihood’ that such an injury will occur.” In so finding, the Court asked “Why else would hackers break into a store’s database and steal consumers’ private information?”

If a victim has standing as the Seventh Circuit ruled, claims for negligence, breach of contract, and UDAP violations could be asserted. Statutory, as well as actual, damages could be available along with recovery of the victim plaintiffs’ attorney’s fees.

The FTC has identified 10 critical steps for data security of non-public personal information (NPI):

a. Start with security – Don’t collect or keep NPI you don’t need, and design data security into all aspects of your business.

b. Control access to data sensibly – Actively manage your data and develop policies to manage it during its lifecycle. Limit permissions to those who need them, and give permissions only for what they need. Don’t keep NPI longer than you need to.

c. Require secure passwords and authentication – Consider two-factor authentication to access NPI: something you know (a complex password) and something you have (a randomly-generated number from an ID token).

d. Store sensitive personal information securely and protect it during transmission – Encrypt NPI and other sensitive data in accordance with best industry practices throughout its lifecycle.

e. Segment your network and monitor who’s trying to get in and out – Monitor using firewalls and intrusion detection software, and don’t allow computers to connect directly to other computers, as attacks can bleed from one to others.

f. Secure remote access to your network – Ensure endpoint security and put limits on access in place.

g. Apply sound security practices when developing new products – Train developers and engineers in secure coding, and test and verify proxies and vulnerabilities. Conduct a privacy impact assessment for new products.

h. Make sure your service providers implement reasonable security measures – Do due diligence, contractually require protections, and have an audit capability. Try to assess liability for data security breaches.

RECOMMENDED PRACTICES
