Do you often feel that despite best efforts to circle the wagons your information security team is fighting a losing battle with broken down tools? Even though information security budgets have increased in the last couple of years—likely in response to the very visible increase in high-profile data breaches—discretionary budget dollars are scarce. I recently heard the poker term “dead money”  used to describe that large portion of every IT budget that has been committed long before it is received, much like the money we all must dedicate to mortgages, utilities, food, and transportation. Thus, for every $100 of total IT spend, we may be left with just $0.60 for new baubles and geegaws, as my grandmother used to say.

It’s tempting to “gild the lily” when applying for cyber insurance. Insurers are still getting their arms around how to underwrite cyber risks, and so applications commonly feature a lengthy questionnaire about security controls and safeguards. Often folks in the insured’s Finance or Risk departments handle the application process, with minimal involvement by IT Security and Legal. The result can be questionnaire responses that are, well, “aspirational.”

The problem is that the insured’s representations in the application usually become part of the policy, with coverage conditioned on the representations being accurate when made, and also on an ongoing basis. If the questionnaire responses are later deemed to be material misrepresentations, or if what was represented changes materially, then coverage may be lost. With cyber insurance applications, gilding the lily can result in gelding of coverage.

Last Friday, when Amazon’s market cap pushed past Walmart’s, the headlines almost wrote themselves – “Internet Retailer Amazon Topples Traditional Retailer Walmart,” or the like. The lead angle? Amazon’s information-based business model had surpassed Walmart’s old-school, bricks and mortar business concept. Just one problem – totally wrong lead, with the totally wrong point.

For years, federal district courts have reliably dismissed data breach consumer class actions at the outset, citing the U.S. Supreme Court’s 2013 decision in Clapper v. Amnesty International. Defendants’ tried-and-true argument goes like this:  (1) under Clapper, plaintiffs must allege at least an imminent risk of a concrete injury to have standing under Article III of the U.S. Constitution; (2) the data breach plaintiffs haven’t alleged such an injury, and any future alleged injuries are too speculative; (3) so no standing, and no case.  But last week, in Remijas v. Neiman Marcus Group, the Seventh Circuit disagreed. The Neiman Marcus decision pumps new life into consumer data breach claims, and plaintiffs will undoubtedly argue that it sounds a death knell for Clapper in data breach litigation.

When a judge hears that documents no longer exist due to a company’s retention schedule, it feels like we’re transported back to grade school, with a sheepish pupil making lame excuses about “disappearing” homework. Courts can seem skeptical, even disdainful, about retention schedules. As the U.S. Supreme Court characterized them in Arthur Andersen LLP v. United States, “’Document retention policies,’ which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business.” The tone is noblesse oblige, as if businesses follow an odd, quaint practice of having retention schedules, which should be grudgingly acknowledged before moving on to the court’s more important consideration of the preservation duty and discovery sanctions.

Ironically, the courts have retention schedules too. Yep, this notion of destroying records pursuant to a retention schedule is not unique to “business” – the trial judge at a spoliation hearing is governed by the court’s own records retention schedule, which classifies records by content type and prescribes records disposition, including destruction.  And the court also has a records management program, with one of its purposes being the appropriate disposition of records when they have served their purposes.

A busy examiner, working on 15-20 other cases, sets a file aside in the “delayed/pending” queue while awaiting information, and a gun is sold and nine people died. A utility transferred responsibility for recordkeeping functions to its distribution business unit, files containing information about pressure and strength tests were not kept current, and an explosion kills eight. Computer files are accidentally deleted from an Airbus plane and three of its four engines shut down, causing a crash that kills four.

What do these seemingly disparate events have in common?

Old-school company intranets are like soooo boring. Why not juice things up? Sure, we’ll keep the one-directional content (employee policies, company announcements, etc.), but let’s add a dynamic platform for employee interactive training modules, capturing employee responses and quiz results. Why stop there – how about a message board for employees, to turn dull company communications into an energized conversation? And in today’s mobile world, shouldn’t we enable remote access from anywhere our employees happen to be, 24/7? What could possibly go wrong?

Well … a whole lot will go wrong, unless the company first applies an information governance perspective. So let’s ask a few questions to explore what information risks and compliance issues are at play.

Ah, Federalism. In countless ways we benefit from a system in which individual states can express their respective policy interests in differing state laws, with the resulting quilt bound together by the Constitution, federal law, and judicial interpretation. But on some topics we end up with a “crazy quilt” … and PII breach notification is trending crazy.

Since 2002, when California enacted the seminal state law mandating notification of individuals whose personally identifiable information (PII) is breached, virtually every state has followed suit. Forty-seven states, the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands now have such statutes.  Only Alabama, New Mexico, and South Dakota are without one, and under Texas’ statute, companies doing business in Texas that have a PII breach must follow the Texas notification requirements for affected residents of these three states.

These laws are triggered by the affected individual’s residency, not where the breach occurred. So, when an organization with employees or customers in many states suffers a data breach, it must comply with a wide variety of differing and potentially conflicting state breach notification laws. And differ and conflict they do, as the following three examples illustrate.

Companies suffering a data breach have a lot to worry about. High on that list is Norman Siegel, a founding member of Stueve Siegel Hanson LLP. Siegel is a prominent data breach plaintiffs’ lawyer – he helped lead the team representing consumers in the consolidated Target data breach lawsuits, and currently serves as lead counsel representing consumers in the pending Home Depot data breach litigation. He also is co-chair of the Privacy and Data Breach Litigation Group of the American Association for Justice.

I recently asked Siegel for his thoughts on the current landscape of data breach consumer litigation. Here is what he shared.

Some weeks ago I experienced that sinking feeling that comes with locking your keys in the car. Fortunately, I was only a phone call and a 20-minute wait away from rescue. But how can that happen, you ask, given all the modern safeguards built into automotive key technology? Don’t cars these days alert you or automatically unlock the doors when you leave the key inside?