I learned via databreaches.net that Coca-Cola has been sued over a data breach that occurred earlier this year: laptop computers that were not protected with disk encryption software like AlertBoot were stolen by a (former) employee. While certain details weren’t as forthcoming at the time, it was obvious that the employee’s misdeed was made easy by the fact that the computers were marked for disposal… and he was in charge of disposing of them.
Why the Lawsuit?
Perhaps the latest lawsuit is just more evidence that the US is an overly litigious country: all the computers that were stolen by the wayward employee were recovered, as I noted in a previous entry. Indeed, these had been recovered by the time the breach notification letter was sent to affected employees.
On the other hand, the fact that they contained sensitive personal data and were easily accessible (remember, the laptops don’t appear to have been protected with encryption software) does mean there is room for concern, however slight it may be. What guarantees do affected employees have that their information was not stolen and sold prior to the laptops being recovered?
Had encryption been in place – quite unlikely, as I explained in my previous entry on the Coca-Cola breach – the company would probably see the case thrown out of court. Among other things, Georgia is one of the many states that provide safe harbor from data breaches if sensitive information is encrypted. But, as the company admitted, the laptops were not encrypted, apparently due to an oversight.
Something else that may have impacted the decision to go to court: 55 laptops were involved, according to the short blurb I can read at law360.com. Losing a couple of laptops is one thing; losing 55 is something else. My initial surprise wore off pretty quickly, but I can see how an individual who was directly affected by the breach might still be seething.