Turner Padget Insights

Avoid Data Security Class Actions: Know Your Legal Obligations

Posted On Sep 18, 2014

Data privacy and data security class actions are on the rise. Some have called privacy claims the “next frontier in consumer class actions.” Legal issues are still being hammered out as to who can successfully file claims and what kind of injury they have to assert to make it past class action legal hurdles. But enough data-related class actions are being filed nationwide (roughly 145 were filed in the fourth quarter of 2013 alone) that the attorneys bringing these lawsuits are refining their legal strategy and building stronger cases against businesses large and small.

If your business collects, stores or disseminates customers’ personal information, you need to be aware of your legal obligations over the security and use of that information. Otherwise, you could risk being the subject of a consumer class action (or federal or state enforcement action).

Whose data triggers a legal duty?

South Carolina’s Financial Identity Fraud and Identity Theft Protection Act (FIFITPA) defines “personal information.” The definition includes an individual’s (1) Social Security Number, (2) driver’s license number, (3) credit card and other financial account numbers, (4) date of birth, and (5) current and former addresses. (If you are a financial institution, you should also consult the definitions of relevant data under the Gramm-Leach-Bliley Act, which triggers additional legal obligations.)

How can, and should, you protect customer data?

It is important that you institute measures to secure your customers’ personal information. You should establish protocols for what information can be collected and how that information may be used. South Carolina’s FIFITPA is relatively comprehensive, outlining your rights and obligations. You need to educate your employees on these protocols, too, as agency laws state that you are responsible for your employees’ misuse of consumer data.

When a data breach occurs, what should you do? 

South Carolina is among the majority of states that require businesses to notify affected individuals of any security breach involving their data. You should have a corrective action plan in place for when you contact customers. Target immediately offered credit-monitoring services to customers who were affected by its notorious data breach. We will see if Target’s response assists with the defense of any class actions brought against it, as Target’s corrective actions likely will limit any customer’s ability to allege injury.

If you are a responsible steward of your customers’ data and if you ensure that you are using this data in a way that comports with federal and state law, you greatly reduce the risk of finding yourself caught in the ugly and costly legal battle of consumer class actions. You are also investing in important legal defenses should your company be the victim of a data security breach.