Data Breach Litigation – What we can learn from Toys “R” Us
This blog has published numerous articles on data breach litigation and makes solid efforts to keep its readers abreast of all the latest data breach litigation news. You can read a couple of these articles here and here.
I recently received an email from Toys “R” Us, Inc. alerting me that it had identified an attempt to gain unauthorized access to a small number of reward accounts. It was suspected that the activity was due to large breaches at other companies where usernames and passwords were stolen. Toys “R” Us’s strong security measures tipped them off to the login attempts. Although no breach occurred, Toys “R” Us took the preventative step of sending a password reset email. This email recommended that all of its reward customers reset their passwords and gave step-by-step instructions on how it could be done. This type of proactive move will likely help Toys “R” Us avoid a successful hack attempt in the future. It certainly also gained customer trust.
It is not uncommon for people to use the same username and password for all of their online accounts. If that information is compromised just once, then hackers can use it to access any other account where that same username and password are used. It is also not uncommon for hackers to attempt to use stolen usernames and passwords on several websites. So while a data breach of your Toys “R” Us rewards account may not cause you too much heartburn, your blood pressure likely increases the moment you realize that you use that same username and password to conduct online banking and manage investments. This is just one example of how a single security breach at a company can have widespread consequences.
What does this mean in the litigation world? Could the company responsible for the original information breach also be responsible for damages that its security failures caused another company’s customers? If the attack on Toys “R” Us had been successful, would Toys “R” Us have a cause of action against the corporation that originally allowed the information to be stolen? To date, no lawsuits have been filed to help us answer these questions. That does not mean, however, that we will not see an attempt to bring one soon.
Therefore, this attempted breach, and Toys “R” Us’s actions, should serve as a reminder for data breach best practices. All companies, regardless of size, should implement security features to guard customers’ information. Let customers know that you are watching out for them by alerting them when calculated attempts have been made to gain access to their information. Be proactive and advise customers to use a unique username and password. Also require customers to update and change log-in information whenever suspicious activity is detected.