The After-bite of Data Breaches
The event: cyberattacks against Wendy's point of sale systems. The allegation: Wendy’s failed to safeguard customer payment card information and failed to provide notice that payment card information had been compromised. The outcome: a Settlement Agreement that will cost Wendy’s $50 million, $22.5 million more than their insurance will cover. Your take-away: use this to lobby for more cyber-security resources.
Bad News

It used to be that a successful cyber-attack was shocking news. When you read about it, it was almost an intellectual exercise and it was fascinating to figure out how the bad guys had gotten past a company’s defenses. Things are changing.
Stakes Rise
In the Wendy’s press release this month, it became clear that the stakes have risen. Rather than just the usual press releases acknowledging the breaches in some Wendy’s franchisees’ POS systems and telling people to monitor their credit card charges, a group of banks started a class action suit. Now Wendy’s has exhausted their insurance and has had to find an extra $22.5 million – and this on top of their own legal costs. It doesn’t take much to forecast that similar events will bankrupt some companies.
Blame the Victim
Cyberheist News reported that a UK company, Peebles Media Group, is suing an employee for over 100,000 pounds after she fell for a CEO fraud scam. She transferred money to fraudsters in response to an email that she understood to have been from her vacationing boss. Her defense has been that she had received no training on how to identify the risks of online fraud. If she loses the lawsuit, it’s easy to predict that she’ll sue for wrongful dismissal and damage to her reputation.
Priority 1
All of this suggests that cyber-security should no longer be just one of a list of many priorities for an IT department. It should not be one of the budget requests that gets balanced off against every other important IT resource request. Rather, it needs to rise to the very top of the list.
Your Cyber-Security Strategy and Policies need to be a topic of discussion at every level of management. To protect yourself, your company’s reputation and its financial well-being, you now need to look at things from a defense-against-lawsuits perspective.
Roadmap
Generally speaking, after a data breach, the best defense against any lawsuit from a bank, a customer, or an employee is to ‘prove’ that you have not been negligent.
This means that you must show how you are following best practices in every area of cyber-protection including systems, monitoring, policies and training. This is not easy as it requires resources that you need elsewhere. It’s doubly difficult as the definition of ‘Best Practices’ keeps changing, becoming more stringent.
This article was published in the February 2019 edition of The TMC Advisor - ISSN 2369-663X Volume:6 Issue:1
©2019 TMC Consulting