
23% of data breach victims surveyed considering legal action


December 16, 2015   by Canadian Underwriter



Nearly one in four data breach victims surveyed are contemplating legal action while roughly the same percentage think companies take protection of consumer data seriously, Gemalto NV suggested in a recent report.

For the study, which Gemalto commissioned from Vanson Bourne, 5,750 consumers were interviewed.

Gemalto NV surveyed consumers on consumer data privacy

Nearly one in three (31%) reported they had been victims of a breach, Gemalto stated in the study, titled Data Breaches and Customer Loyalty Report, announced Dec. 10.

Gemalto stated in the report that “23% of consumers who have been a victim of a breach are considering taking legal action against the company that was breached.”

Amsterdam-based Gemalto is an information technology security vendor whose offerings include authentication services for electronic banking.

In its survey, one in four respondents “feel that companies take the protection and security of customer data very seriously,” Gemalto stated. “More than twice as many respondents feel that the responsibility of protecting and securing customer data falls on the company (69%) versus the customer (31%). Of the employed respondents, only around two fifths (38%) feel that their employer takes the protection and security of employee data very seriously.”

The interviews were conducted in October and November. The consumers interviewed were from the United States, Brazil, Britain, Australia, Japan, France and Germany.

“To qualify for the study, consumers had to actively use online/mobile banking, social media accounts or online retail accounts,” Gemalto stated.

More than half “who actively use online/mobile banking state that all of their banks use two-factor authentication to secure their internet banking, with a further 25% saying that some of their banks do,” Gemalto reported. “It is possible that mass market websites, such as social media and retail sites, could benefit from following the example set by the banks to avoid risking punishment from consumers in the future.”

In Canada, privacy breach notification will be mandatory once Bill S-4, the Digital Privacy Act, comes into force.

Bill S-4, which received royal assent this past June, would require firms to notify people if their personal information has been lost “and there is a potential to expose us to harm,” said Joan Crockatt – at the time the Conservative MP for Calgary Centre – during a debate in October, 2014 in the House of Commons.

Tabled in April, 2014 by British Columbia Conservative Senator Yonah Martin, Bill S-4 will create new offences for deliberately failing to report data breaches to individuals and the federal privacy commissioner, with fines of up to $100,000 for every individual an organization failed to notify.

“If an organization has a data breach and its customers’ personal information is stolen or lost, it’s not currently mandatory for the company to disclose to the customers that their information has been compromised,” said James Moore, then Canada’s industry minister, in May, 2014, before the Standing Senate Committee on Transport and Communication.

“The Digital Privacy Act will require organizations to tell individuals if their personal information has been lost or stolen,” Moore told the senate committee, which was holding hearings on Bill S-4. “As part of this notification, organizations will also have to tell individuals what steps they can take to protect themselves, such as changing their credit card PIN, their email password, setting up a secondary layer of security, and so on.”

When it takes effect, Bill S-4 will “require organizations to keep records of data breaches of any kind,” Privacy Commissioner Daniel Therrien said earlier this year before the House of Commons Standing Committee on Industry, Science and Technology. “We will be able to review their records to determine whether or not appropriate breach notification has occurred, and it will allow us to determine trends generally on the issues so that better advice can be given to organizations and individuals.”

If the Office of the Privacy Commissioner determines that an organization has not complied with the breach notification requirement, “in the worst-case scenarios, we could advise police authorities and the Attorney General so that prosecutions could be made against these organizations,” Therrien added at the time.

