Folks of a certain age, and fans of “Guardians of the Galaxy’s” Awesome Mix vol. 1, have a hard time forgetting that late ‘70s song by Rupert Holmes, “Escape” (“If you like piña coladas, getting caught in the rain….”). But for millions of subscribers to infidelity website AshleyMadison, there’s no easy escape from hackers’ public disclosure of subscribers’ personal information. In the ensuing schadenfreude-field-day, and amidst early reports of extortion attempts and even suicides, there’s an important lesson to remember. Whether or not a company’s business model is broken vows, broken promises in a privacy policy can have severe repercussions.

Months. Actually, years. That’s how long the notion has been brewing that the Federal Trade Commission has no authority to enforce reasonable data security under the unfairness prong of FTC Act Section 5. The stakes are high – the FTC can pursue essentially any commercial company under the FTC Act for unfair or deceptive trade practices in interstate commerce. And if the FTC indeed has the authority to take any such company to court for “unfair” data security practices under Section 5, without any FTC regulations under Section 5 setting standards for exactly what constitutes adequate data security… well, one can appreciate why many in the general business community are uneasy.

When the FTC sued Wyndham in federal court for inadequate data security, Wyndham raised every argument its lawyers could think of to dismiss the FTC’s unfairness claims. After failing to convince the trial court, Wyndham next took an interlocutory appeal to the Third Circuit Court of Appeals, the first appellate court ever to consider this issue, and asked that the FTC be stopped. But instead of a red light (a ruling of no FTC authority) or a yellow light (a ruling on other grounds), the Third Circuit’s decision, handed down this week, gives the FTC a clear green light to pursue its claims against Wyndham for alleged unreasonable data security as an unfair business practice.

Costs continue to mount for Target as the company works to put its massive 2013 data breach behind it. Target and Visa recently announced an agreement for Target to reimburse Visa card issuers as much as $67 million for costs associated with the historic breach. The settlement is considerably larger, and more likely to succeed, than the proposed $19 million deal between Target and MasterCard that issuers previously rejected as too low.

With a click of a button, a former employee can communicate to a large audience of connections made during his career. Such communications often involve the former employee enticing co-workers or customers to follow them to the new employer. If left unrestricted, a former employee’s social media use can damage the former employer’s customer and employee relationships. To protect relationships with employees and customers, employers should include a social media provision in their non-solicitation agreements.

Do you often feel that despite best efforts to circle the wagons your information security team is fighting a losing battle with broken down tools? Even though information security budgets have increased in the last couple of years—likely in response to the very visible increase in high-profile data breaches—discretionary budget dollars are scarce. I recently heard the poker term “dead money” used to describe that large portion of every IT budget that has been committed long before it is received, much like the money we all must dedicate to mortgages, utilities, food, and transportation. Thus, for every $100 of total IT spend, we may be left with just $0.60 for new baubles and geegaws, as my grandmother used to say.

It’s tempting to “gild the lily” when applying for cyber insurance. Insurers are still getting their arms around how to underwrite cyber risks, and so applications commonly feature a lengthy questionnaire about security controls and safeguards. Often folks in the insured’s Finance or Risk departments handle the application process, with minimal involvement by IT Security and Legal. The result can be questionnaire responses that are, well, “aspirational.”

The problem is that the insured’s representations in the application usually become part of the policy, with coverage conditioned on the representations being accurate when made, and also on an ongoing basis. If the questionnaire responses are later deemed to be material misrepresentations, or if what was represented changes materially, then coverage may be lost. With cyber insurance applications, gilding the lily can result in gelding of coverage.

Last Friday, when Amazon’s market cap pushed past Walmart’s, the headlines almost wrote themselves – “Internet Retailer Amazon Topples Traditional Retailer Walmart,” or the like. The lead angle? Amazon’s information-based business model had surpassed Walmart’s old-school, bricks and mortar business concept. Just one problem – totally wrong lead, with the totally wrong point.

For years, federal district courts have reliably dismissed data breach consumer class actions at the outset, citing the U.S. Supreme Court’s 2013 decision in Clapper v. Amnesty International. Defendants’ tried-and-true argument goes like this: (1) under Clapper, plaintiffs must allege at least an imminent risk of a concrete injury to have standing under Article III of the U.S. Constitution; (2) the data breach plaintiffs haven’t alleged such an injury, and any future alleged injuries are too speculative; (3) so no standing, and no case. But last week, in Remijas v. Neiman Marcus Group, the Seventh Circuit disagreed. The Neiman Marcus decision pumps new life into consumer data breach claims, and plaintiffs will undoubtedly argue that it sounds a death knell for Clapper in data breach litigation.

When a judge hears that documents no longer exist due to a company’s retention schedule, it feels like we’re transported back to grade school, with a sheepish pupil making lame excuses about “disappearing” homework. Courts can seem skeptical, even disdainful, about retention schedules. As the U.S. Supreme Court characterized them in Arthur Andersen LLP v. United States, “’Document retention policies,’ which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business.” The tone is noblesse oblige, as if businesses follow an odd, quaint practice of having retention schedules, which should be grudgingly acknowledged before moving on to the court’s more important consideration of the preservation duty and discovery sanctions.

Ironically, the courts have retention schedules too. Yep, this notion of destroying records pursuant to a retention schedule is not unique to “business” – the trial judge at a spoliation hearing is governed by the court’s own records retention schedule, which classifies records by content type and prescribes records disposition, including destruction. And the court also has a records management program, with one of its purposes being the appropriate disposition of records when they have served their purposes.

A busy examiner, working on 15-20 other cases, sets a file aside in the “delayed/pending” queue while awaiting information, and a gun is sold and nine people die. A utility transfers responsibility for recordkeeping functions to its distribution business unit, files containing information about pressure and strength tests are not kept current, and an explosion kills eight. Computer files are accidentally deleted from an Airbus plane and three of its four engines shut down, causing a crash that kills four.

What do these seemingly disparate events have in common?