A Data Breach Liability Flood Is Coming: How to Protect Your Business
As a business owner, you understand the importance of protecting your organization from unexpected accidents and disasters. Unfortunately, a solid disaster recovery and business continuity plan won’t do any good against the new, emerging threat we’re sharing in this blog article. A recent circuit court ruling increases the chance that your business may be sued over a data breach. In this blog we discuss the specifics of the case and how to protect your business from its implications.
In 2014, healthcare provider CareFirst fell victim to a cyberattack that resulted in a breach affecting 1.1 million of its customers. CareFirst didn’t learn of the breach and notify affected individuals until April 2015, at which time it offered them two years of free credit monitoring and identity theft protection. Shortly thereafter, a class action lawsuit on behalf of the victims was filed, contending CareFirst’s negligence had substantially heightened their risk of identity theft.
A U.S. District Court judge dismissed the case against CareFirst, contending the plaintiffs failed to prove how they had suffered harm from the breach. However, in August 2017, a U.S. Court of Appeals overturned the District Court’s dismissal of the case. The Court of Appeals judges ruled that CareFirst members’ risk of future identity theft was enough to proceed with the class-action lawsuit.
Fast forward to January 2018, when CareFirst asked the U.S. Supreme Court to review the case, contending that if the decision moves forward, companies can be sued for breaches of customer information “even if the plaintiff suffered no harm whatsoever.” Several weeks ago, the Supreme Court refused to hear CareFirst’s case. As a result, the U.S. Court of Appeals’ ruling stands, allowing data owners to sue for a data breach at any business or institution without the burden of proving an actual loss or damage.
Implications and Actions
Put plainly, the upholding of this decision means businesses may face a flood of data breach lawsuits. So, what can you do to protect your business?
- Identify and remediate gaps in your data life cycle management (DLCM).
- Have a plan for preventing accidental and malicious losses of personally identifiable information (PII).
- Make sure your company adheres to breach reporting and consumer notification rules and regulations. A breach reporting service helps your company fulfill its mandated requirement to comply with federal, state and other laws to report the loss of PII to authorities and notify affected individuals.
Although the data breach liability waters are rising, there’s still time to protect your business from the flood.
Richards & Richards offers data protection and data breach reporting services for businesses throughout Nashville. For more information, please contact us at 615-242-9600 or complete the form on this page.