The Challenge and Responsibility of Protecting Client Data
January 1, 2015
According to an October 2014 Gallup Poll, 69 percent of Americans frequently or occasionally worry about theft of their credit card information. Other than having a computer or smartphone hacked, the majority of Americans worry about this crime more than any other crime they were asked about. These worries are driven by the growing wave of hackers that hit major retailers throughout 2014, including Neiman Marcus, Sony, Morgan Stanley, eBay, AOL and others. As businesses collect more and more information about their customers, and in spite of the concern over theft of this data, few Americans are taking actions to protect themselves. And businesses, which seem to have ample incentives to protect themselves and have repeatedly been warned about data breaches, routinely ignore such threats for a variety of reasons.
This article, “The Challenge and Responsibility of Protecting Client Data”, was originally published in The Metropolitan Corporate Counsel, January 2015.
According to an October 2014 Gallup Poll, 69 percent of Americans frequently or occasionally worry about theft of their credit card information. Other than having a computer or smartphone hacked, the majority of Americans worry about this crime more than any other crime they were asked about.
These worries are driven by the growing wave of hackers that hit major retailers throughout 2014. Target revealed that credit and debit card information for 40 million of its customers was compromised. Neiman Marcus reported the theft of 1.1 million credit and debit cards by hackers who invaded its system. Sony, Morgan Stanley, eBay, AOL and others similarly reported that client or customer information was compromised.
The April 2014 discovery of the Heartbleed security flaw further demonstrated the vulnerabilities of digital data. The bug affected a widely used encryption technology intended to protect online transactions and accounts and went undetected for more than two years. It is unclear whether or not hackers have been exploiting the problem, but the flaw is estimated to have affected up to 66 percent of active sites on the Internet.
The onslaught comes as businesses are moving to collect more and more information about their customers. The theory is that using data on a person’s interactions with a business, along with other commercially available information, helps companies better understand consumers and better target their marketing. This means corporations keep increasingly sophisticated and detailed stores of data that provide a growing target for hackers. Yet, in spite of the concern over the theft of this data, few Americans are taking actions to protect themselves.
For example, few people pay with cash for purchases rather than pay with plastic in response to data thefts. Consumers fail to check credit reports, change online passwords at retailers’ websites, request new credit or debit card numbers from their bank or sign up for a credit-monitoring service. This apparent failure to act reflects, in part, an acceptance of a new reality by consumers in the current economy. According to an Associated Press survey, it also reflects a belief by 88 percent of consumers that the burden of protecting data falls to the retailers who are collecting it. In addition, nearly two-thirds of consumers say the banks that provide credit or debit cards or the credit bureaus should bear most of the responsibility for protecting their data.
The expectations of consumers may be misplaced. A 2014 US State of Cybercrime Survey reveals that most companies don’t fully understand or address their security risks. Furthermore, only 38 percent of US businesses prioritize security spending based on risk and the impact on their businesses. Even as the number of cyber-attacks increases, most US organizations’ cybersecurity capabilities do not rival the persistence and technological skills of their cyber adversaries.
Reports claim that Target did not react after two warnings from its own computer security system before cyber thieves stole the information. Sony has been the victim of multiple hack attempts over the past two years. The list of repeat victims is long even though security software is plentiful. Businesses seem to have ample incentives to protect themselves, but they routinely ignore such threats for a variety of reasons.
Among those reasons is that corporate executives often won’t spend sufficient money on security because they see it as a pure cost that doesn’t offer a financial benefit. This thinking ignores the very real cost of litigation and the loss of business from those affected by the theft of personal data.
Executives and managers often dismiss possible problems until one happens to them, and high corporate turnover means corporate leaders tend to forget the lessons they just learned. Keeping systems safe is an arduous task, requiring some companies to tend to thousands of computer servers and the ever-changing software they run. A constant stream of new vulnerabilities and attacks makes it difficult to keep abreast of everything. Changes in systems and software mean ever newer security flaws that hackers can exploit.
One of the fastest-growing sources of litigation in the US is “privacy” litigation. This can be a drain on company resources and carries with it the possibility of significant financial loss. Privacy litigation arises in two primary ways: (1) as the result of a data breach arising from the unauthorized disclosure of personal information found in an organization’s records, or (2) from the alleged invasion of an individual’s privacy as the result of the collection, use and disclosure of personal information by companies with whom the affected individual has had contact.
Whether plaintiffs can establish injury to themselves and, if so, whether they can also establish damages has been a challenge. Implementing greater levels of security, however, may be less costly than defending and losing a “privacy” lawsuit.
Marks Paneth LLP is an accounting firm with over 500 people, of whom 65 are partners and principals. The firm provides public and private businesses with a full range of auditing, accounting, tax, consulting, bankruptcy and restructuring services as well as financial advisory services to domestic and international clients. The firm also specializes in providing tax advisory and consulting for high-net-worth individuals and their families, as well as a wide range of services for international, real estate, media, entertainment, nonprofit, professional and financial services, and energy clients. The firm has a strong track record supporting emerging growth companies, entrepreneurs, business owners and investors as they navigate the business life cycle.
The firm’s subsidiary, Tailored Technologies, LLC, provides information technology consulting services. In addition, its membership in Morison International, a leading international association for independent business advisers, financial consulting and accounting firms, facilitates service delivery to clients throughout the United States and around the world. Marks Paneth, whose origins date back to 1907, is the 33rd largest accounting firm in the nation and the 10th largest in the mid-Atlantic region.
In addition, readers of the New York Law Journal rank Marks Paneth as one of the area’s top three forensic accounting firms for the fifth year in a row. Its headquarters are in Manhattan. Additional offices are in Washington, DC, Westchester, Long Island and the Cayman Islands. For more information, please visit www.markspaneth.com.