Data Breaches and Legal Risks


You’ve probably been hearing more and more stories in the news about information security breaches.  The latest high-profile breach of the retailer Target may have compromised information of 110 million consumers.  Neiman Marcus also reported a recent security breach.  With all of these breaches of major retailers in the news, you might wonder as a consumer whether your own accounts were affected.  Certainly, it is wise to watch your own credit card statements for signs of unauthorized transactions and to report any fraudulent purchases.

In addition, however, small and medium-sized businesses face their own data breach risk.  Hackers are not just targeting large businesses.  They also target small businesses, such as restaurants and other merchants.  Why?  Hackers see small businesses as easy targets.  Larger businesses are more sophisticated about their security practices and harder to attack.  Smaller businesses don’t have the security resources of larger businesses.

If a small business has a data breach, the breach may ruin the reputation of the business and scare away customers.  People are less likely to shop at a merchant that can’t protect customer information.  Ultimately, small businesses face many risks from data breaches.

One of those risks is legal liability.  Companies in California by law must notify consumers if they fall victim to a data breach affecting personal information of customers such as Social Security numbers, driver’s license numbers, and payment card information.  Failing to make the notification or delaying the notification may cause governmental investigations or customer lawsuits.  State and some federal laws also require companies to protect sensitive information in the first place.  Based on past history, I have to imagine that Target will spend over $100 million in responding to its recent breach, defending itself and paying settlements in the class action lawsuits filed against it.  Data breaches cost big dollars.

Securing your business’s sensitive information will reduce your legal and business risks.  How can you do that?  You should assess your information security risks, develop policies and procedures to secure sensitive information, and train your workers on data security.  Part of your preparation will include investigating which information security laws will apply to your business and what kinds of security safeguards are required.  The time to look into upgrading your information security practices is now.  Preparing today can help prevent data breaches and liabilities tomorrow.


Attorney Stephen Wu is a partner in the law firm of Cooke Kobrick & Wu LLP in
downtown Los Altos.  He can be reached at (650) 917-8045 or at