HBR Case Study on Data Breach

January 3, 2008

An interesting data breach case study appears in the September 2007 online issue of the Harvard Business Review. The HBR case study is titled “Boss, I Think Someone Stole Our Customer Data” and is available at http://tinyurl.com/2q87md. Although it profiles a fictitious company, this HBR case study presents interesting perspectives on some of the dynamics and pressures a company faces in a data breach. It also provides some insight into the legal implications of a data breach, although it is by no means a complete analysis; you need to consider many other issues in order to get a complete picture.

One new factor to be aware of is that several states have adopted, or are considering, legislation that will make a retailer (such as the fictitious company in the case study) liable for remediation costs incurred by other businesses (e.g., banks) when those businesses are required to notify individuals of a data breach. For instance, these laws allow financial institutions to seek reimbursement from the third party (e.g., a retailer) responsible for the breach for all “reasonable and actual costs,” including the costs of cancelling and reissuing credit cards, closing and/or reopening accounts affected by the breach, stop payment actions, reimbursement of unauthorized transactions, and providing breach notices to affected individuals. Congress, in the House Financial Services Committee, may be considering similar legislation later this year. The thrust of this legislation is to hold accountable the parties who have in some way caused the data breach (for instance, through failure to comply with applicable industry standards such as PCI and others).

Alan S. Wernick writes the Info Tech Law column for the magazine.
