E-CommerceALERT.com is part of the Bennett Gold LLP web site network.

Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants

Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


Source: The Philadelphia Inquirer

Posted on September 24, 2008

      Lawyer Scott Vernick wants his clients to know the risks of data breaches are not limited to the credit card scams that get plenty of media play.

      In fact, Vernick says that as companies store ever greater amounts of employee records - from Social Security numbers to bank account information to health data - there's a risk that information can leak, too, exposing both employees and the company to harm.

      "Concerns over data breaches are not just for companies that deal in consumer information," said Vernick, of Center City's Fox Rothschild L.L.P. "You never know what the litigation risk is going to be."

      The issue was brought into sharp relief for Vernick not long ago when a client learned that a computer tape containing health records of 20,000 employees had been lost by a broker shopping for health insurance quotes.

      It turned out that the loss was inadvertent, but before all was said and done, the company had spent at least $50,000 investigating the breach, notifying employees, and seeking legal advice. And that did not even include the cost in lost productivity as employees obsessed over the missing health records.

      The incident underscored what Vernick says is an essential task of employers: have a detailed plan for handling the aftermath of a data breach to avoid the chaos that can sometimes ensue.

      "You don't want to be scrambling at 5 o'clock on Friday afternoon to find your privacy policy," he said.

      Much of his advice appears to be aimed at reducing the risk of litigation.

      Should a breach take place, Vernick advises clients to place their lawyers in charge of internal investigations. The attorney-client privilege, he said, should shield investigative results from the reach of plaintiffs' lawyers.

      At the same time, companies must scrupulously follow and often exceed legal requirements for notifying persons whose data have been released.

      "Companies are accused sometimes of playing it too technically on whether or not they should notify," said Vernick, the managing partner of Fox Rothschild's Philadelphia office. "My own standard is, What do you want to wake up and read in the newspaper the next day?"

      A graduate of the Georgetown University Law Center, Vernick is a career litigator whose client list has included Aramark Corp., Schering-Plough Corp., GE Industrial Systems, Cartier S.A. and Chase Paymentech Solutions L.L.C., among others.

      Fox Rothschild is not the only law firm in town that focuses on the legal fallout from data breaches. Others include Morgan, Lewis & Bockius L.L.P., which offers data-security services within its retail practice group.

      As stories of data breaches proliferated, clients more and more began to ask about data-security issues, along with the more traditional practice areas, Vernick said.

      It is, of course, the biggest breaches that get the most attention, such as the case at TD Ameritrade Holding Corp. in September 2007, in which a hacker broke into a company data base and stole personally identifying information on 6.5 million customers. Or the case of the TJX Cos. Inc., disclosed the same year, in which tens of millions of credit card records were stolen over a period of a year and a half.

      But more mundane breaches and leaks occur with ever greater frequency, according to the Identity Theft Resource Center in California. The center says that the 477 breaches recorded so far this year already exceed the number of data breaches for all of last year.

      Dozens of states have enacted laws that establish varying degrees of responsibility for companies to notify affected customers, employees or others when a data base has been improperly accessed - or there is at least that possibility.

      Many of the breaches reported by the ITRC, for example, involve thefts of equipment with sensitive data, where the intent seems to be sale of the laptops, not the data that are on them.

      In other cases, data are inadvertently exposed through computer operator error.

      In August, the Louisiana real estate commission said records of about 13,000 licensed real estate agents briefly were exposed on the Internet, including names, addresses and Social Security numbers, the result of a computer malfunction.

      Whether a breach is inadvertent or not does not lessen a company's responsibility to plug the breach and notify affected consumers or employees.

      "In both cases, you have to take appropriate steps to investigate the nature of the breach, understand the scope of the potential damage arising from the data loss and, whether the statute requires it or not, engage in some form of appropriate notification," Vernick said.


E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.
