Roy Strom writes:
Chieftains of corporate America have long feared the financial and reputational fallout from a hacking breach. But a class action suit unveiled against a law firm last week could add to their data security anxiety. The suit claims that companies and law firms should be held accountable for lax security measures even if their customers’ data never falls into a hacker’s hands.
Some lawyers are skeptical that a court will agree to a new, wide-ranging theory that could essentially hold companies legally accountable for staying up-to-date with the latest data security protocols.
Either way, it is a new risk for law firms and corporations.
Read more on The American Lawyer.
After reading the article, I’m not so sure he doesn’t have a case. Consider the company that trumpets “world-class security” as a selling point, but fails to stay up to date on its patching or permits VPN access without 2FA. In essence, it’s false advertising.
Very interesting.
And isn’t this what the FTC does, too? They don’t have to wait for a breach to try to enforce Section 5. And they can go after entities who make promises that are misleading. It may come down to how you demonstrate that a particular entity’s security is nowhere near industry standards, and therefore, claims are misleading…?