BreachExchange mailing list archives

Data Breach Suit Verdicts Impact Third-Party


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 30 Jun 2014 19:18:01 -0600

http://www.claimsjournal.com/magazines/idea-exchange/2014/06/30/250781.htm

Liability Coverage

Two recent class action lawsuits herald a shift in how courts view data
breach events and the harm they cause. The rulings make it easier for
plaintiffs to pursue data breach or class action lawsuits and to recover
damages for identity theft and fraud – even when they’ve experienced no
actual monetary harm.

The AvMed Settlement

AvMed Inc., a Florida health insurance company, was the target of a class
action lawsuit as a result of a data breach in 2009. In this case, two
laptops were stolen that held unencrypted personal and health data of more
than 1 million AvMed members and their dependents.

The recent settlement, to the tune of $3 million, is noteworthy because it
provides financial redress for people who didn’t actually experience
identity theft. The ruling cited negligence, breach of contract and “breach
of fiduciary duty” as just some of the reasons the court felt AvMed failed
to properly secure data that had been entrusted to them. In addition, those
people who did, in fact, become identity theft victims as a result of the
AvMed breach may submit claims for reimbursement for any monetary losses
they incurred.

This ruling breaks new ground. Decisions handed down in previous cases
largely have centered on demonstrable harm or damages breach victims have
experienced. The AvMed settlement diverges from that pattern.

Moreover, the ruling highlights the variances between state and federal law
(and even state-by-state law) regarding the exposure of personal health
information. Federal Health Insurance Portability and Accountability Act
(HIPAA) legislation doesn’t include a mechanism for individuals to pursue
lawsuits as a result of a data breach, but a state’s law might.

Spokeo’s FCRA suit

A final ruling hasn’t been handed down yet, but a federal appellate court
recently allowed another data privacy case to move forward. An individual
is suing Spokeo Inc. for violations of the Fair Credit Reporting Act
(FCRA). The lawsuit contends Spokeo published inaccurate information about
the plaintiff, and the Ninth U.S. Circuit Court of Appeals found that
Spokeo’s potential violations of the FCRA were enough to allow the case to
continue.

Although he suffered no actual harm, the plaintiff says the incorrect
information published by Spokeo hurt his employment prospects and caused
anxiety. As with the AvMed case, the Spokeo lawsuit ushers in the prospect
of plaintiffs who have no demonstrable financial damages to support their
case.

Businesses Must Keep Pace

Companies that collect and store personal information – whether financial
data, health records, names and email addresses – should take notice. The
information privacy environment is changing, and privacy policies and
actions need to keep pace. There is an increasing expectation from
consumers and courts that personal data be appropriately protected.
Lackluster safeguards or doing the bare minimum simply to meet compliance
mandates probably isn’t enough anymore.

In addition to the enormous reputational damage that may follow a data
breach event (think of Target’s ongoing woes), the costs to respond to an
exposure can add up quickly. From providing credit or fraud monitoring
services to dealing with regulatory fines and penalties, companies that
experience a breach often find themselves facing stiff financial burdens.
Add in the potential for individuals who haven’t suffered monetary damages
to successfully litigate for financial redress, and the costs can be
devastating.

Small and midsized businesses (SMBs) – those that are typically more likely
to rely on outside vendors for much of their technology and data storage
needs – aren’t off the hook. The expectation that firms do the right thing
when it comes to information security applies no matter how the services
are provided. Vendor due diligence is more crucial than ever.

Takeaways for Insurers

Carriers must evaluate their practices. The AvMed and Spokeo cases signal a
change toward a legal landscape that’s more permissive when it comes to
plaintiffs seeking damages where no financial harm has occurred.

The prevalence of breaches making headlines hasn’t diminished, and it is
likely cases similar to these will be filed in the future. With the
precedents set, will future suits be dismissed under the 12(b)(6) motion –
the failure to state a claim upon which relief can be granted – as many
were in the past? Perhaps not.

The Spokeo case carries significant implications. Violations of statutory
rights may now contribute to the grant of standing in lawsuits where the
plaintiff didn’t sustain actual damages.

Other attorneys may look to this case in situations where a state’s breach
notification laws have been violated.

How these recent examples will impact third-party liability coverage
remains to be seen, but insurance carriers, agents and brokers must keep
them in mind.

Making Data Privacy a Priority

The time to institute comprehensive information security is now. Proactive
protection is a far better solution than responding to litigation or paying
out settlements after a breach.

Unencrypted data is ripe for exposure. Encryption tools are often
inexpensive and sometimes free, making the barrier to entry extremely low.

Knowing what data is being collected, stored and shared – and with whom –
is paramount. Which compliance mandates might cover that data? What are the
requirements to properly safeguard it from exposure? Claiming ignorance is
not a defense, nor are terms of service that don’t address the real issues.

Language in third-party liability policies may need to be broadened to
provide better protection to policyholders and carriers. Stipulations about
the strength and effectiveness of data protection methods are a good place
to start.

Best practices need to be followed, documentation maintained on the
measures used, employee training conducted to provide better compliance
with company protocols and audits done to ensure conformity with the
insurer’s expectations.

These are not fail-safe practices, but they may go far in protecting
vulnerable data and avoiding exposures. They might also be effective in
shutting down potentially costly litigation from parties who aren’t able to
demonstrate actual harm.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 