Infamous Business Data Breaches and How Your Business Could Be Liable


By Robert Wenzel

 

The recent security breach at Sony exposed an important issue: what happens when an outside party gets hold of vital business security data. When an unintended source gets the information, it can have disastrous consequences for both the company and the affected individuals. A number of lawsuits in the last several years have attempted to rectify situations where customers have had their personal information stolen.

1) A Florida insurance company had two unencrypted laptops stolen out of their corporate office. The computers contained the personal information of approximately 1.2 million customers. The trial court initially ruled in favor of the business because the plaintiffs did not show that they were substantially harmed. However, the appellate court reversed the decision of the lower court and stated that the customers did in fact suffer injuries when their personal information was stolen. Every insured who had their identification stolen received a $10 a year credit for any paid premiums prior to the incident up to a maximum of $30 and reimbursement for any monetary losses due to the security breach.


Additionally, the company installed several features to prevent a future incident. Some of the implementations include mandatory security training programs for all organizational employees; mandatory laptop use for all workers; and the installation of additional security software on all company computers.

2) A security breach took place in 2007, when TD Ameritrade Inc. was sued on allegations that outside third parties were improperly allowed to access customer email addresses. As a result, the company's clients received unwanted spam emails.

TD Ameritrade settled their lawsuit for between $2.5 million and $6.5 million based on the total number of claims that were filed. The agreement provides each member of the class-action lawsuit $50 for identity theft on an existing credit or debit card; $250 for identity theft on another account; and up to an extra $750 for non-reimbursed losses on the additional account.

3) Another illustration of a data breach involved RSA Security, which had the records of approximately 40 million employees stolen. The incident took place when two separate hacker groups, who were posing as trusted individuals, were able to enter the company’s network and access the personal information of the workers. According to the company, no sensitive customer information was taken by the perpetrators.

However, RSA was forced to spend about $66 million to repair the damage done to their workers. In addition, the organization implemented new software to prevent another similar situation down the road.

4) More recently, a class action lawsuit was filed against Kaiser Permanente when the company lost a flash drive which contained the medical records of approximately 49,000 patients. This data breach is in direct violation of the Confidentiality of Medical Information Act. The plaintiff, Ginger Buck, states that private, confidential medical information was compromised by the company and that Kaiser violated their legal duty to protect confidential client data on the flash drive.

The breach of Kaiser Permanente violates California privacy laws, which state that medical companies need to keep patient medical information private and cannot release personal information without the written permission of the patient. Each affected individual is entitled to monetary damages of $1,000. What this means is that if Kaiser is held liable for the data breach, they would have to pay out money to each affected patient even before any additional penalties are assessed.

5) Finally, a high-profile example of a data breach occurred at Target when approximately 40 million debit and credit cards were stolen. In addition, 70 million Target shoppers had their names, addresses, email addresses and/or phone numbers taken by hackers. Credit unions and banks had to spend an estimated $200 million to issue 21.8 million replacement debit and credit cards.

As for Target itself, the company had to spend $100 million upgrading their payment terminals to accept cards that are chip and PIN enabled. Furthermore, the organization saw a 46% drop in their profits in the fourth quarter of 2013 compared to the fourth quarter of 2012.

A wide range of liabilities can arise when a business has a data breach. First, vital customer data can be compromised and/or stolen. This can create a difficult situation for the person who has their identity stolen, as they may have to spend countless hours to solve the problem.

For the business, data breaches can be more complicated. In most cases, the company will be required to pay a fee to each individual who had their identity compromised. This is very expensive for the company. In addition, the business will have negative publicity due to the breach. The exposure that the company will receive could result in the loss of current or potential new business. At the same time, the company may be forced to spend additional funds to implement computer software or equipment to prevent any further data breaches.

There are several ways that a business can be proactive to avoid a possible breach of data. Some examples include but are not limited to establishing a breach preparedness plan that allows for proactive action if and when a data breach takes place; looking at all forms of security (not just technology) when assessing potential breach risks; educating employees on how to protect and handle sensitive client information; providing training and support to workers; and keeping current with security software updates.

As always, it is a good idea for a business owner or company to discuss any potential data breach issues with a business attorney. Doing so can provide more ideas on how to prevent or limit liability if the company has their security compromised.
