“If you have shopped at these 15 stores in the last year, your data might have been stolen,” an article written by Dennis Green, was released in early July, informing people of data breaches at common retailers such as Adidas, Sears, and Best Buy.
We met up with John Wood, an attorney from Egerton McAfee, and received his legal perspective on these recent data breaches. John told us that, first and foremost, all of these companies that had a data breach in the U.S. need to consider what their notification requirements are for all 50 states. The notification requirements differ from state to state, including when you need to notify people, what needs to be in the notification, etc. Since these are large companies, there is a good chance they hold personal information from outside of the U.S., meaning they need to look into international laws as well.
We asked John if there were likely implications for these companies, and he informed us, “There can be potential penalties if the reason the data breach happened was because you weren’t protecting the data the way you were supposed to. For example, if the data wasn’t encrypted and that’s how they were able to get it, then you’re going to have issues.” Some of these issues in the U.S. can be raised by the FTC as unfair or deceptive trade practices. Under the FTC’s terms, failure to secure personal information in your network is considered an unfair trade practice. A specific list of criteria that the FTC has decided on must be implemented in your network to secure customers’ personal information. At our upcoming Privacy Lunch and Learn, John will be specifically going over this list of criteria.
John’s opinion was that typically, when the FTC begins to investigate, they are investigating “a” and then discover the company was doing “b, c, d, e” incorrectly as well. It seems to be systemic. If a company is failing to do one thing, it’s common that they are doing many things wrong. It is becoming more typical for these types of things to happen because the people taking the information are becoming more and more sophisticated. John also shared that sometimes victims of data breaches have everything they need in place, but it takes one employee accidentally downloading some malware, which opens their network and lets the bad guys inside. However, if data is being encrypted, then it does limit what they can access even from the inside.
Often people aren’t even aware of the legal implications of what can happen if they aren’t protecting data from a technical perspective. Join us on July 18th to hear more from John while he covers certain regulations that have to do with privacy, what the FTC requires in terms of security, and GDPR and how it is starting to come into the US. In addition to John’s legal perspective, Paul Sponcia, CEO of The IT Company, will be sharing a technical perspective on similar matters. Let us help you be informed so you can protect yourself and your data. Space is limited! Reserve your free ticket to our Privacy Lunch and Learn at the link below.