GameStop - Latest Data Breach

GameStop and its web customers are the latest victims of customer data theft, as reported today by Brian Krebs (Krebs on Security).  Here are the details reported so far:

[T]he compromised data is thought to include customer card number, expiration date, name, address and card verification value (CVV2), usually a 3-digit security code printed on the backs of credit cards.

Online merchants are not supposed to store CVV2 codes, but hackers can steal the codes by placing malicious software on a company’s e-commerce site, so that the data is copied and recorded by the intruders before the data is encrypted and transmitted to be processed.

(Quote from Krebs.)

It's fair to assume that GameStop management and counsel are having a no good, very bad day.  (Not to mention investor relations, IT, and on down the line.)

What happens now?  A rush by private plaintiffs' counsel to sign up affected consumers as clients and to lodge putative class actions against GameStop on those clients' behalf.  (As details emerge, any other well-capitalized actors who appear to be liable or partially liable for the incident will be hit as well.)  If prior breach-related class actions are a guide -- and all signs suggest that as breach litigation becomes more widespread, the playbook is streamlining -- we will see aggregation or consolidation of suits into one or two state and federal forums.   GameStop is headquartered in TX; the smart money is probably there.

State AGs and other state-level enforcement agencies charged with consumer protection will probably jump in to join the investigatory fun.  They may lodge their own civil enforcement actions.  The FTC may too, though we are still learning about agency priorities under this new administration.

This is notable because of the size of the suspected breach (millions of records) and the size of the entity (Gamestop revenue ~8 bn annually.)  Most companies dealing with a breach of sensitive information will have fewer persons affected, and a lower quantum of legal risk.  Nevertheless, they face risk of a similar character.  Advance planning and a response playbook for incident management are the tools to have in place.  Who're you going to call?