10,388 research outputs found

    Stand in the Place Where Data Live: Data Breaches as Article III Injuries

    Every day, another hacker gains unauthorized access to information, be it credit card data from grocery stores or fingerprint records from federal databases. Bad actors who orchestrate these data breaches, if they can be found, face clear criminal liability. Still, a hacker’s conviction may not be satisfying to victims whose data was accessed, and so victims may seek proper redress through lawsuits against compromised organizations. In those lawsuits, plaintiff-victims allege promising theories, including that the compromised organization negligently caused the data breach or broke an implied contract to protect customers’ personal information. However, many federal courts see a data breach as essentially harmless, or that data breach plaintiff-victims do not necessarily suffer cognizable legal injuries. In practice, this means that the plaintiffs do not have Article III standing, and courts do not reach merits determinations of fault. Instead, a data breach to these courts is only harmful to the extent that it leads to a subsequent injury, like identity theft or fraud. Therefore, data breach victims must suffer even more harm before they can bring a lawsuit. Other courts under this framework do nonetheless find that data breach plaintiff-victims have standing. However, even those courts still wrongfully check whether the plaintiffs suffered future identity theft, fraud, or other harm. Those courts simply find that such subsequent harm is readily apparent. This Note offers a proper approach to standing in data breach lawsuits. I argue that the moment a victim’s data is exposed without their authorization, they suffer a cognizable common law injury, regardless of whether that data exposure actually causes subsequent harm. Rather than thinking of data breaches as a means to future data misuse, courts should think of data breaches as injurious in and of themselves.

    Crisis communication in organizational data breach situations: Facebook data breach 2018

    Objectives: The main objective of this study was to explore how effective crisis communication can help an organization facing a data breach to minimize the organizational damage caused by the data breach crisis. In an optimal situation, this research explains why certain crisis response guidelines and communication characteristics are useful in data breaches and how they affect the relationship between the organization and the crisis stakeholders. In addition to this, this research should be helpful for all organizations facing a data breach in the future, as it shows from the perspective of a giant global social network company, which forms of crisis communication are useful and which are not. Summary: This research studies the existing literature on traditional organizational crises and on crisis management and crisis communication and compares the information to modern data breach crises. To use the information from the literature effectively, information from the literature review will be compared to a big data company Facebook’s recent data breach in September 2018, affecting initially over 50 million people. The research aim is to find out how crisis communication is the most effective when an organization is facing a data breach. This bachelor’s thesis is a qualitative study and it uses a combination of common effective crisis communication characteristics and a traditional crisis communication theory, SCCT by Timothy Coombs, as guidelines for a recent major data breach case. Conclusions: The common characteristics of effective crisis communication are still expected from a company facing a data breach by the media and the crisis stakeholders, especially when individuals’ personal data is affected. However, a common crisis communication theory SCCT is proven to be mostly incompatible with modern data breach crisis, which means that there is a need for a guiding theory for data breach crisis communication including the characteristics required by the crisis stakeholders and the media. In addition to this, this research concludes that regardless of effective or ineffective crisis communication, the company’s prior crisis history and reputation have a significant effect on how crisis communication is responded to.

    The great data breach

    This paper examines how Target Corporation dealt with their data breach when their network was infiltrated by hackers compromising the debit and credit card information of millions of customer’s personal information including customer names, mailing addresses, phone numbers and e-mail addresses. Crisis communication models that are used to evaluate the effectiveness of corporations’ handling crisis situations in a world where social media and speed dominate the news cycle

    Psychological Data Breach Harms

    Heartland Payment Systems: lessons learned from a data breach

    On August 13, 2009, the Payment Cards Center hosted a workshop examining the changing nature of data security in consumer electronic payments. The center invited the chairman and CEO of Heartland Payment Systems (HPS or Heartland), Robert (Bob) Carr, to lead this discussion and to share his experiences stemming from the data breach at his company in late 2008 and, as important, to discuss lessons learned as a result of this event. The former director of the Payment Cards Center, Peter Burns, who is acting as a senior payments advisor to HPS, also joined the discussion to outline Heartland's post-breach efforts aimed at improving information sharing and data security within the consumer payments industry. In conclusion, Carr introduced several technology solutions that are under discussion in payment security circles as ways to better secure payment card data as they move among the different parties in the card payment systems: end-to-end encryption, tokenization, and chip technology. While HPS has been very supportive of end-to-end encryption, each of these alternatives offers its own set of advantages and disadvantages. Payment systems; Data protection; Electronic commerce

    The Data Breach Dilemma: Proactive Solutions for Protecting Consumers’ Personal Information

    Data breaches are an increasingly common part of consumers’ lives. No institution is immune to the possibility of an attack. Each breach inevitably risks the release of consumers’ personally identifiable information and the strong possibility of identity theft. Unfortunately, current solutions for handling these incidents are woefully inadequate. Private litigation like consumer class actions and shareholder lawsuits each face substantive legal and procedural barriers. States have their own data security and breach notification laws, but there is currently no unifying piece of legislation or strong enforcement mechanism. This Note argues that proactive solutions are required. First, a national data security law—setting minimum data security standards, regulating the use and storage of personal information, and expanding the enforcement role of the Federal Trade Commission—is imperative to protect consumers’ data. Second, a proactive solution requires reconsidering how to minimize the problem by going to its source: the collection of personally identifiable information in the first place. This Note suggests regulating companies’ collection of Social Security numbers, and, eventually, using a system based on distributed ledger technology to replace the ubiquity of Social Security numbers

    An investigation of the impact of data breach severity on the readability of mandatory data breach notification letters: evidence from U.S. firms

    The aim of this article is to investigate the impact of data breach severity on the readability of mandatory data breach notification letters. Using a content analysis approach to determine data breach severity attributes (measured by the total number of breached records, type of data accessed, the source of the data breach, and how the data were used), in conjunction with readability measures (reading complexity, numerical intensity, length of letter, word size, and unique words), 512 data breach incidents from 281 U.S. firms across the 2012–2015 period were examined. The results indicate that data breach severity has a positive impact on reading complexity, length of letter, word size, and unique words, and a negative impact on numerical terms. Interpreting the results collectively through the lens of impression management, it can be inferred that business managers may be attempting to obfuscate bad news associated with high data breach severity incidents by manipulating syntactical features of the data breach notification letters in a way that makes the message difficult for individuals to comprehend. The study contributes to the information studies and impression management behavior literatures by analyzing linguistic cues in notifications following a data breach incident

    What’s the Big Hurry? The Urgency of Data Breach Notification
