Data Breach Law: Presumption Of Harm In Data Breaches Could Be Law In California.

When it comes to data breaches and lawsuits, plaintiffs have been at a disadvantage.  The main issue is proving in court that they suffered harm when their personal data was stolen.  Of course, the use of data encryption software, like AlertBoot, and other information security measures nearly eliminate the risk of such harm when a device is lost or stolen, since encrypted data is of no use to a thief.  Not all companies have deployed information security tools in the workplace, however, and the result has been class action suits against them when they suffer a data breach.

An Amended Definition of Right to Privacy

Companies have been lucky so far.  The courts have repeatedly held that, in order to be made whole, plaintiffs must prove that they suffered a measurable harm.  The courts’ position has led to creative lawsuits, such as accusing companies of breach of contract or false advertising, since most companies declare, in writing, that they’re serious about customer data protection: all you have to do is visit their webpage and dig a bit.

The loss of personal data in and of itself, it turns out, is not considered harmful in the eyes of the court.  Well, that’s about to change…possibly.  According to a recent report, California is “one step closer towards amending its Constitution to create a presumption of harm whenever personal data is shared without a consumer’s express opt-in, a change that would clear a significant hurdle to many privacy breach lawsuits.”

The summary of the initiative reads as follows:

Defining the right of privacy to include the protection of “personally identifying information”, including heath (sic) and financial information.  Establishes new standards for the collection of personally identifying information by government and commercial entities, including: (1) the presumption that personally identifying information is confidential and (2) the presumption that the unauthorized disclosure of personally identifying information harms the consumer.

The same report also notes that “as a potential ballot initiative, this issue is not subject to review by lawmakers nor to the standard lobbying efforts of industry stakeholders. Instead, this aspect of the future of California privacy law rests firmly in the hands of her voters”.

In other words, companies must lobby voters directly if they do not want this initiative to become law.  I foresee an uphill battle for them and their lobbyists.  Although I won’t deny that they can create very persuasive and imaginative campaigns, could they create a cogent argument against stronger privacy rights?  Especially when everyone is familiar with horror stories about stolen identities?  And the Snowden revelations?  And the general perception that businesses and corporations have been trying to screw over the everyday Joe?

If the initiative becomes law, companies still have some breathing room: it would not take effect until January 2016 at the earliest.

HIPAA Covered Entities Beware

If the above becomes law, I can see a number of industries that will have to double their data protection efforts in California.  Chief among them is the medical industry.

While medical organizations have begun to clean up their act, the truth is that they were forced to do so by the updated HIPAA rules and the HHS/OCR’s recent use of financial penalties for HIPAA breaches.  If these constitute a push towards better data security, the proposed constitutional amendment would essentially represent a shove, since it would give covered entities a much stronger incentive to step up their data security game.

Currently, HIPAA does not provide a private right of action against covered entities (that is, affected patients can’t file a civil suit founded directly on a medical data breach).  And, as previously mentioned, affected individuals have a hard time proving they were harmed by a data breach.

(This is not to say that they’re not harmed by a data breach; after all, medical identity fraud is one of the biggest and fastest-growing areas of crime.  It’s just that, with entities in every sector breaching the same type of data, it’s hard to pinpoint where, how, and by whom a person was harmed.  Factor in that crimes tied to a data breach sometimes reveal themselves only after a significant delay, and that affected individuals sometimes don’t even know they are victims because they’re looking in the wrong place (or not looking at all, possibly because they were never notified of the breach), and…well, the “actionable harm” requirement favored by the courts can fall short.)

If the breach of personal data were legally declared to be harmful, covered entities would face a significant problem.  For example, consider Sutter Health.  This California-based non-profit health system experienced a data breach in 2011.  The maximum civil penalty that OCR can hand out is $1.5 million per calendar year for violations of an identical HIPAA provision, which is significant but won’t sink them.  (OCR has not made any announcement regarding the situation; it could very well be that OCR finds Sutter Health to have complied with HIPAA.)

Sutter Health is also currently facing lawsuits that range between $900 million and $4 billion.  As the law is currently written, chances are that Sutter will come out on top.

But imagine what it would mean if the breach of personal information were legally classified as actionable harm today.  It should be sending shivers down the spines of CEOs whose companies do business in California.

Also imagine the good that would come out of this: for example, it would put to rest the silly argument that desktop computer encryption software is not required.  Please, someone enlighten me as to what’s so magical about desktop PCs that they cannot be at the center of a data breach.

I mean, Sutter Health is facing a $4 billion lawsuit because an unencrypted desktop computer was stolen from its offices.  Plus, desktop computers are listed multiple times as the cause of a data breach on the HHS Wall of Shame, proving that Sutter’s breach is not a rarity.

And yet, we’ve seen pushback from covered entities arguing that desktops are an exception to the use of cryptographic tools.  I imagine that these arguments will fade away once the potential liability comes with eight zeroes or more.
