Nissan Canada Finance (NCF), the automobile company’s buy and lease financing division, disclosed on December 21, 2017 that it was the victim of a data breach. NCF said that unauthorized person(s) gained access to the personal information of 1.13 million Nissan and Infiniti Financial Services Canada customers who financed their vehicles through NCF. There is no indication that customers who did not obtain financing through NCF are affected.
Customer information exposed includes:
- Vehicle make and model
- Vehicle identification number
- Credit score
- Loan amount
- Monthly payment amount
The breach appears to apply only to Canadian customers and Nissan does not believe payment card details were involved. Customers are being notified by mail and email.
Nissan’s quick response
Nissan disclosed the data breach in just ten days. bankinfosecurity.com said that, regardless of regulatory requirements, an entity should aim to notify victims of a data breach within 30 to 60 days. Many experts also recommend that notifications include actionable information for victims, e.g. how the organization is protecting those affected.
Nissan is providing all of its customers – even those not believed to be affected – with 12 months of TransUnion free credit monitoring services. NCF is erring on the side of caution because the exact number of affected consumers is not yet known.
Nissan has declined to say who the perpetrators were. It is working with Canadian privacy regulators, law enforcement, and data security experts to conduct a forensic investigation.
Class-action lawsuit against Nissan already underway
Customers who may have had their personal data exposed are rallying to enter a class-action lawsuit against Nissan. According to experts, most class-action lawsuits filed in the US and Canada fail to reach trial. Plaintiffs generally can’t come up with enough compelling evidence to convince courts that an “injury” has occurred.
Historically, courts have defined injury in very narrow terms regarding unreimbursed financial losses. According to Mathew J. Schwartz, executive editor of DataBreach Today, “Almost all breaches that have resulted in the theft of credit card and debit card data have had any consumer losses reimbursed by card issuers.”
If a class-action data breach lawsuit proceeds, the breached organization will often opt to settle rather than risk the courts ruling in favor of the plaintiffs. A plaintiff win would result in reputational and monetary damage to the company, and it might set a precedent for future class-action data breach lawsuits.
Protect your organization to avoid the damaging consequences of a data breach
Within the US, there is currently no federal data breach regulation in place. With no national standard enforcing sound cybersecurity practices, organizations are instead bound by a patchwork of state laws governing the personal data they process. States have taken the initiative and passed their own laws, which require businesses to notify cyber attack victims within a given timeframe.
State officials have also begun investigating the information security practices of organizations, imposing penalties on those that do not have proper cybersecurity policies, procedures, and practices in place. Cybersecurity-minded organizations should implement an information security management system (ISMS) to mitigate data breach risk. Gaining accredited ISMS certification under the International Organization for Standardization's standard, ISO 27001, demonstrates to customers and other businesses that an organization has the correct data security controls in place.
IT Governance is a global leader in cybersecurity compliance training, advisory, and information. It has created an accredited, practitioner-led course to help you lead an ISO 27001 ISMS implementation project. Learn how to comply with data security regulations, mitigate information security risks, and take action to manage data breach events. Register for the ISO27001 Certified ISMS Lead Implementer Training Course.