Wednesday, June 10, 2009

A Failure to Adequately Protect......

Now that we have returned from a well-earned, albeit too short, vacation, it's time to get back to business.

Class actions are beginning to crank up in the area of data breach. Unable to show pecuniary damages from specific cases of identity theft, the victims of data breaches are increasingly turning to class actions based at least in part on the failure of a data aggregator to protect the information it keeps.

A class-action suit has been filed against health insurer Aetna for alleged data protection and privacy failures, reports Hartford Business. The company announced last month that hackers had gained access to its job application site, potentially exposing the Social Security numbers of 65,000 current and former employees. Plaintiffs are seeking credit monitoring, punitive damages, costs and other relief, according to the report. The complaint filed last week in a Pennsylvania District Court states: "Aetna unlawfully failed to maintain reasonable systems and procedures to protect [plaintiffs'] information."

What are the reasonable actions a company could take that might prevent these kinds of court actions? That varies from case to case and company to company, but will likely include the preventive steps required under FACTA, GLB, and state laws that specifically address identity theft. Whether it is 5 records that have been compromised or the 65,000 mentioned above, the liability is the same. A "Failure to adequately protect records" lawsuit should not be considered a cost of doing business like the petty theft of office supplies. The cost to the business cannot be calculated in terms of simple legal fees.
A business that takes the preventive steps on its own before any data loss incident can greatly reduce the likelihood of a class action being initiated.
