Inside TDV - The Data Vault Blog
It Just Got Easier to Sue Your Business
When you’re busy running a business, it’s impossible to keep up with every news headline. That’s why we help you stay informed about the latest legal developments. A recent, groundbreaking court ruling is one development you need to know about because it significantly increases your organization’s liability exposure. In this blog, we discuss the specifics of the ruling and how to protect your business from a lawsuit.
Attias v. CareFirst
In 2014, Maryland-based healthcare provider CareFirst fell victim to a cyber attack which resulted in the breach of 1.1 million customer records. CareFirst learned of the breach in April 2015 and offered the affected individuals free credit monitoring and identity theft protection for two years. Shortly thereafter, a class action lawsuit was filed on behalf of the victims, contending that CareFirst’s negligence substantially heightened the victims’ risk of identity theft. The case was dismissed by a U.S. District Court Judge who argued that the plaintiffs failed to prove they had suffered harm from the breach.
In August 2017, a U.S. Court of Appeals overturned the District Court’s dismissal of the case. The Court of Appeals judges ruled that CareFirst members’ risk of future identity theft was enough to proceed with the class-action lawsuit.
This January, CareFirst asked the U.S. Supreme Court to review the case, arguing that if the decision made by the U.S. Court of Appeals is allowed to stand, companies can be sued for breaches of customer information “even if the plaintiff suffered no harm whatsoever.” The Supreme Court refused to hear CareFirst’s arguments, thus allowing the lower court’s ruling to stand.
The Attias v. CareFirst ruling means that if a company fails to protect personal information, the affected individuals can sue without having to prove actual loss or damage. Legal experts predict a surge of privacy breach lawsuits against organizations big and small. So, what can you do to protect your business?
Privacy Breach Liability and Your Business
First, review your record retention requirements. Second, make a plan for protecting hard copy records and electronic data throughout their retention lifecycle. You should have a secure and reliable solution for storing, distributing and disposing of personally identifiable information (PII). Third, invest in a privacy compliance and breach reporting service. CSR Readiness® offers a suite of tools and strategies that reduce your organization’s privacy breach liability exposure through:
- Privacy breach assessment
- Incident response planning
- Customer breach notification per legal mandates
- Ongoing monitoring
In this risky, post-Attias v. CareFirst world, you simply can’t let your guard down. Make privacy protection a top priority in your organization.
The Data Vault provides data protection and data privacy solutions to businesses in and around Kentucky and southern Indiana. For more information about our cloud backup services, please call us at 502-443-1752 or complete the form on this page.