This class action case involves customers of a telecommunications company whose payment card data and other personally identifiable information were stolen by computer hackers. It was alleged that the company failed to upgrade its payment systems to use EMV technology and failed to comply with Federal Trade Commission requirements. It was also alleged that the company failed to provide timely or adequate notice to its customers that their information had been compromised. An expert in payment security was sought to opine on the Federal Trade Commission requirements applicable to such companies and on how these companies can prevent theft of their customers' payment data.
Question(s) For Expert Witness
1. What regulatory requirements exist pertaining to the types of payment technology consumer companies should be using?
2. When customer payment data is hacked, what duty does the company have, if any, to inform them of the data breach?
Expert Witness Response E-199662
I have years of experience in cybersecurity for retail and financial services companies and am very familiar with PCI-DSS, which is the most relevant regulatory requirement pertaining to consumer payment technology. If the company is breached, meaning the customers' identifiable information is exposed, then the company is required to notify those customers who were impacted. Another common response that companies offer in these instances is to provide identity theft services to those customers for free in an attempt to minimize the potential for class action lawsuits from those impacted. I work in the cybersecurity field day-to-day and have reviewed numerous cases of this nature.