A mail-order pharma company faces a class action in Massachusetts for damages allegedly suffered by consumer customers stemming from a data breach the company suffered in January 2021. The company allegedly did not discover the breach for four months, and then took nine months to investigate the incident and disclose it to patients. The plaintiffs allege that the delays themselves, not just the mere fact of the breach, caused customers to be hit with identity fraud.
Why It Matters
Every company that suffers a data breach has to balance the PR implications of talking about it against the legal exposure it may incur once someone has gained unauthorized access to the personal data it holds. In this case, the plaintiffs claim the company conducted a seven-month investigation and then waited two more months to disclose the incident; to make matters worse, the incident went undetected by the company for several months before that. Many states have laws that require companies to give notice of a data breach within a set amount of time, "promptly," or on some similar time scale. Any company managing a data breach would do well to measure itself against such standards, even where the applicable state law does not prescribe a deadline, when investigating the incident and updating consumers about it. Even if an investigation is not complete, it may be prudent to disclose the incident and start helping customers address it. The decision may depend on the nature of the information involved and the number of people affected, among other factors; but a delay of many months is likely to bring more trouble than resolution.