California-based Electronic Recyclers International (ERI) says a recent federal appeals court ruling “dramatically changes the landscape of corporate responsibility when it comes to the digital and physical security of personal data.”
A news release issued jointly by John Shegerian of ERI and Dr. Ross Federgreen of Florida-based CSR Professional Services says the early August federal appeals court ruling in Washington (Attias v. CareFirst) means that “consumers may sue companies that fail to safeguard their personal data.”
The duo says the Electronic Privacy Information Center (EPIC) filed an amicus brief in the case in support of the consumers, arguing that if “companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches.” The appeals court agreed with EPIC that the lower court was wrong to dismiss the case, essentially setting a new precedent for future data breach litigation, say Shegerian and Federgreen.
The defendant CareFirst disclosed in May 2015 that an “unauthorized intrusion” into a database dating back to June 2014 resulted in a breach affecting 1.1 million people. A class action lawsuit was filed on behalf of individuals whose data was impacted by the breach, and initially a federal court judge ruled that the plaintiffs had no actual harm resulting from the security breach.
The more recent appellate court ruled, however, that the theft of personal information, health care records or other confidential information created a risk of identity theft. This risk of identity theft by itself established harm and thus standing for the case to proceed.
“Every business in the United States – large or small – is going to need to pay very close attention to the new playing field that has been created by this landmark ruling,” says Shegerian, ERI founder and executive chairman. “We’re about to witness a paradigm shift in data privacy in both the digital and physical realm, and to what lengths businesses are responsible for it. To avoid being sued in what is sure to be a feeding frenzy of litigation over compromised data, the best thing businesses can do now is to make sure they perform their due diligence protecting the data of their constituent customers, vendors, and employees. Properly destroying hardware using a certified organization that permanently eliminates all digital data is crucial.”
“With the CareFirst ruling, 250 million Americans were just given permission to sue your business over a data breach, even if no harm such as identity theft or fraud has yet occurred,” says Federgreen, CEO of CSR Professional Services. “The risk to any business from losing data, whether accidental or malicious, just went from bad to catastrophic. Organizations large and small are going to be in court more often. It’s going to be financially painful. More companies are going to fail because of data breaches.”