
Davidson Cos. Sued for Negligence in Data Breach

Lawsuit confirms that companies can be held liable for failing to provide adequate security

Security pros, take heed: If you don't do your job, you may not only be fired -- you may end up in court.

A Billings, Mont., law firm has filed a class-action lawsuit in federal court against Davidson Companies, claiming the company was negligent when it allowed a hacker to penetrate its systems, resulting in a data security breach and the exposure of some 226,000 customer records, according to a report.

The breach, which was revealed in January, occurred when a hacker broke into a Davidson Companies database and obtained the names and Social Security numbers of virtually all of the Montana-based financial services company's clients. Details on how the hacker accessed the database weren't published.

In the past, companies have been held liable for more overt data losses, such as the loss of a laptop or backup tape. Recently, however, companies have been sued for things their IT departments didn't do, with plaintiffs alleging that the IT security department's negligence led to a hack. (See FTC Deal Suggests Enterprises Could Be Liable for Poor Security.)

This latest class-action lawsuit alleges "the Davidson Companies failed to comply with the industry standards designed to protect such confidential personal and financial information from theft" and that the company did not provide "adequate safeguards in its storage and handling of its clients’ confidential personal and financial information."

The lawsuit, which doesn't specify a monetary demand, was filed even though the plaintiffs aren't aware of any identity theft resulting from the breach. Attorneys for Davidson Companies said they haven't seen the paperwork and declined comment.

— Tim Wilson, Site Editor, Dark Reading