Who’s liable for a data breach? Court has some answers
March 23, 2010 by Steve HannafordPosted in: In this week's e-newsletter, Security
In what is likely to be a milestone in the issues of corporate liability for data breaches, a federal district court judge recently dismissed a class action suit against insurance giant Aetna.
The suit concerned a breach of Aetna’s job application database, which contained “the e-mail addresses of 450,000 job applicants, along with the social security numbers of current and former employees.”
Applicants’ social security numbers, telephone numbers for addresses, and employment histories were also in the system.
Aetna sent out warning letters to 65,000 current and former employees after it discovered the breach had occurred, and offered them a year’s worth of free credit monitoring.
A number of applicants subsequently were sent so-called “phishing” e-mails from a source pretending to be Aetna, asking them for even more personal information, supposedly to add to their job application.
The judge in the case threw out the class action, stating in a 14-page opinion that the alleged damage to the plaintiffs was speculative only, with no concrete proof. “At best, plaintiff has alleged a mere possibility of an increased risk of identity theft, which is insufficient for purposes of standing, and he certainly has not asserted a credible threat of identity theft.”
Lesson: This case seems to set a condition that real, provable harm to the plaintiff is a necessary condition for a data breach-related lawsuit. Also, taking prompt action by notifying those affected by the breach can help prevent ID theft, and therefore shield the company from liability.
However, this case is surely just an opening skirmish in what promises to be a long legal war.
DocuCrunch.com delivers the latest IT and Imaging news once a week to the inboxes of over 200,000 IT and Imaging professionals.
Click here to sign up and start your FREE subscription to DocuCrunch!
Tags: Aetna, court, data breach, liability
Loading ...
March 24th, 2010 at 11:16 am
This is a bad ruling by a judge without full understanding of the implications. As usual, the courts are well behind the technology.
The argument is akin to theft of a credit card not being a crime unless the card itself is used in a illegal transaction. The card itself has little to no real value. There would be no *real* loss until the stolen card is used. That would make theft of a credit card or similar item unprosecutable until they were actual used by the thief – an absurd concept.
March 31st, 2010 at 12:55 pm
I think Mike may be a bit off the mark. Using his example, I think what the ruling says is that the person who’s card was stolen did not commit a crime by failing to lock it away in a safer place.
The issue of whether or not any laws were broken and by who is not addressed.
March 31st, 2010 at 2:16 pm
My point was that the court ruled that loss of personal information did not constitute harm unless one could proove that information had been misused.
The credit card anology was related to how such principals are inconsistent within the law.
The information was stolen from a second party. To your point, does a second party who is entrusted with property (real or otherwise) have a duty to reasonable ensure the security of said property? If not, we are ALL in serious jeopardy considering how much of our personal information we entrust to second parties (who often tranfer to third parties) on a daily basis.
The court totally sidestepped the question by denying provable harm.
September 2nd, 2010 at 11:27 am
This was a civil case. Both of you and you’re comments about ‘unprosecutable’ and ‘not commit a crime’ are off the mark.
Cheers.