“You may not realize it when it happens, but a kick in the teeth may be the best thing in the world for you.” – Walt Disney
Disney recently reported that an employee of one of its independent contractors, Alta Resources, Inc., was caught trying to sell customer credit card information. Alta Resources processes transactions for the Disney Movie Club. Now Disney and Alta Resources are being investigated by the Secret Service. Furthermore, The Disney Club had to notify its 1 million members in writing. The stolen customer data included credit card numbers, names, addresses, telephone numbers and even e-mail addresses.
More and more data breach laws and the proposed Leahy-Specter Personal Data Privacy and Security Act seek to hold companies responsible for data breaches of their independent contractors and affiliated companies. So Disney may be on the proverbial “Captain’s” hook. Now Disney may spend hundreds of thousands of dollars investigating, managing and litigating this data breach. Disney will likely spend additional resources re-evaluating its third-party contracts and investigating what steps its contractors are taking to ensure the security of nonpublic personally identifiable information. Disney has already amended and republished its data privacy and security policy.
The lesson to be learned from Disney and the recent Fidelity National Information Services breach is that insider fraud and negligence should be considered a more probable and potentially more dangerous threat than an outside hacker. Your company should have written security policies in place to reduce the risks associated with insider fraud and negligence. In an investigation, a company that experienced a data breach will have to explain whether it implemented the security policies and whether its data privacy and security program was “appropriate” to the company’s size and complexity and to the sensitivity of the customer information at issue.
The business technology lawyers at Scott & Scott are recognized leaders in regulatory compliance, enterprise network risk, data risk and security, and related litigation. For more information contact Adam W. Vanek at avanek@scottandscottllp.com.
Comments (1)
I suspect there are more inside connections to a lot of data breaches. Often, the cause is unknown and someone had to know what was on the device that was stolen.
Posted by ed dickson | July 25, 2007 8:04 AM