Domestic and multinational companies are increasingly focused on safeguarding personal information due largely to the potential liability and reputational damage associated with data breaches. In 2010, we published an article titled “Is Data Breach Litigation a Continuing Threat?,” after countless consumer class actions seeking damages following a data breach were dismissed for failure to establish Article III standing. But, over the last few years, there has been a resurgence in the number of these actions as many have survived early dismissal. The government has also been more aggressive. A record seven administrative proceedings and court actions were brought by the Federal Trade Commission in 2014 alleging that companies failed to provide reasonable and appropriate security for consumers’ personal information.
Companies that have been successful in mitigating their liability and avoiding significant government actions after a cyber attack are those that, among other practices, developed a comprehensive written information security plan for protecting sensitive personal information, implemented robust security measures to protect this information, and responded appropriately to the attack. This white paper provides guidance on practices that companies should consider employing to safeguard personal information and, for certain target industries, to comply with statutes, regulations, guidelines, and rules prescribing safeguard standards.