In the wake of a computer worm attack on Home Depot in which 56 million customers’ credit card information was stolen, class action lawsuits have been filed in several provinces and states. In Ontario, IT consultant Steven Lozanski is leading a lawsuit against Home Depot for failing to adequately secure plaintiffs’ financial information. The lawsuit alleges that Home Depot’s methods of protecting confidential information did not adhere to acceptable industry standards. The class action is seeking $500 million in general damages.
If this lawsuit is successful, it could have significant implications for corporations. Fines for privacy law violations are usually tens of thousands of dollars, at most. The fines in themselves are far less of a deterrent than the prospect of damage to reputation. If Lozanski is successful in obtaining millions of dollars in damages, the stakes for corporations will be raised substantially.
To my knowledge, this is the first lawsuit in Ontario that raises the question of corporations’ obligation to implement adequate computer security to protect customer information. The case rests on an allegation of negligence, asserting that Home Depot ought to have known that the encryption of their computer systems was inadequate, that their computer personnel lacked necessary skills, education and training in computer and data security, and that Home Depot “could and should have” employed an outside, secure computer payment service. If Lozanski’s allegation of negligence is upheld, corporate executives should take note – the consequences of privacy breaches could be getting a lot more serious for them.