New Supreme Court Ruling Has Major Implications on Corporate Data Breaches
Data breaches suffered by major companies have typically been an issue of public embarrassment, damage to the brand, and—if pertinent—regulatory fines. However, these breaches now also bear major legal ramifications due to a spring Supreme Court ruling in a Zappos class action lawsuit.
The Zappos Breach
Back in 2012, the Amazon-owned shoe retailer fell victim to a cyberattack that exposed the personal information of its 24 million customers. The hackers gained access to customers’ names, e-mail addresses, phone numbers, addresses, the last four digits of their credit card numbers, and encrypted passwords.
A San Francisco-based federal appeals court allowed a class action suit to move forward on the grounds that suing customers face “a substantial risk that the Zappos hackers will commit identity fraud or identity theft.”
Zappos appealed the ruling to the Supreme Court, arguing that the “factual scenario this case presents—a database holding customers’ personal information is accessed, but virtually no identity theft or fraud results—is an increasingly common one.” The company said only about two dozen consumers reported their data was misused following the breach. Zappos also argued that data breach litigation is “sprawling and costly.”
In March, the Supreme Court rejected Zappos’ appeal.
Data Breach Lawsuits Level up
Data breach lawsuits are not new but are generally dealt with in lower-level courts. In fact, around the same time as the Zappos case was heard, a class action against Google was kicked down to a lower level court, limiting the reach and scope of class actions.
The Zappos Supreme Court ruling is the first of its kind on a federal level concerning privacy laws, which spells out major implications for companies who store personal customer information.
The Impact of the Supreme Court Ruling on Businesses
The burden of proof has transitioned. It now belongs to the company that suffered a data breach, as customers no longer have to demonstrate actual injury and can sue based on the potential harm. Identity theft does not have to occur, only the possibility, which means cybersecurity has to be a top priority for businesses dealing with sensitive customer information.
This is another big reason why data security must become a main priority for companies, not only to protect their customers from the threat of compromised personal data, but also to protect the company from any potential fallout due to a data breach.
SOC-as-a-Service as a Solution
The ruling makes it explicitly clear that companies are now held to a higher security standard and strengthens the case for companies of all sizes to leverage the comprehensive benefits of a security operations center (SOC).
A SOC provides companies the full protection needed to proactively manage and safeguard sensitive customer information before breaches even occur, and mitigate any damages once they arise. However, most organizations are not able to afford the resources and cybersecurity personnel to operate their own SOC and are better served through a SOC-as-a-service model.