Cyber security breaches are very common and are increasing the world over these days. Cyber criminals are targeting companies that possess and store sensitive information about people. These include banks, law firms, e-commerce companies and many more such institutions that retain others’ sensitive information.
However, these institutions are also required to ensure robust cyber security and effective data protection of the information and data submitted to them. We at Perry4Law believe that these institutions hold the information about their customers/clients in a fiduciary capacity and they are under legal obligation to protect this information as far as and as much as possible.
We also believe that the obligation is not only to protect the information but also to report any potential and actual cyber security breach that has taken place and that has endangered or had the potential to endanger the information of the customers/clients.
The world over, companies are not complying with cyber security breach notification requirements. For instance, Target Corporation was attacked by cyber criminals and, as a result, faced litigation threats around the world. Similarly, eBay was also attacked recently and it has asked its customers to change their passwords.
Now it has been reported that three U.S. states have initiated an investigation into eBay’s cyber security practices. Connecticut, Florida and Illinois said they are conducting a joint investigation of the matter. New York Attorney General Eric Schneiderman requested that eBay provide free credit monitoring for everyone affected, according to a person familiar with the matter.
Details about what happened are still unclear because eBay has provided few details about the attack, which is under investigation by the FBI and a cyber forensics firm. It is also unclear what legal oversight the states had to respond to eBay’s handling of the matter.
The states’ quick move to investigate the attack shows that authorities are serious about holding companies accountable for securing consumer data following high-profile breaches at other companies, including retailers Target Corp, Neiman Marcus and Michaels Stores and the credit monitoring bureau Experian Plc. Congress and the Federal Trade Commission are already investigating the Target breach, which resulted in the firing of the company’s chief executive and chief information officer.
The investigation by the three states will focus on eBay’s measures for securing personal data, the circumstances that led to the breach, how many users were affected and the company’s response to the breach, said Jaclyn Falkowski, a spokeswoman for Connecticut Attorney General George Jepsen. His office, which is also investigating breaches at Target Corp, Neiman Marcus and Experian, has already contacted eBay.
Several security experts said the best practices in responding to a breach of this type would be for eBay to have a message pop up when victims log in, telling them about it and forcing them to change their passwords.
EBay spokeswoman Amanda Miller declined to comment on the investigation by the three states or Schneiderman’s request for credit monitoring, but said the company was working with governments around the globe in the wake of the attack. “We have relationships with and proactively contacted a number of state, federal and international regulators and law enforcement agencies”, she said. “We are fully cooperating with them on all aspects of this incident”.
Indian customers of eBay can also take appropriate action against eBay under Indian laws, especially under the Information Technology Act, 2000. Indian regulatory authorities and law enforcement agencies must also initiate their own investigations in this regard to safeguard Indian customers’ interests.