Data Breaches: Who Has Legal Liability?

As more consumer information is being compromised by hackers, consumers – not just companies – must take more care.

Untold millions of people provide personal and private information on the Internet every day to pay their bills, to purchase a product, to post a picture and so on, even though data breaches have become practically a daily occurrence. The problem has focused attention on the lack of security by the companies that use the data, but consumers also need to take some responsibility.

The hacking of Target at the end of 2013 is the best-known of recent data breaches, but hackers know no bounds. Virtually every individual who uses the Internet—no matter who he is or what she does professionally—is at risk for a data breach. For instance:
  • In May 2014, three desktop computers were stolen from the California office of Bay Area Pain Medical Associates. About 2,780 patients were notified that their personal information was in a spreadsheet that could have been accessed by the thieves.
  • In March 2014, about 1,700 people in the employee wellness program for Virginia-based Dominion Resources had their personal records accessed by a hacker who gained entry to the systems of a subcontractor, Onsite Health Diagnostics. The personal information of their spouses and domestic partners was also hacked, if they had scheduled a health-screening appointment online.
  • In Encinitas, a California Public Employees' Retirement System (CalPERS) payment document containing 615 current and former employees’ personal information—including Social Security numbers—was inadvertently made public on the city’s website from May 18, 2014, to July 3, 2014, and was accessed by 16 unauthorized individuals before the data breach was discovered.
  • In July 2014, Orangeburg-Calhoun Technical College in South Carolina had to notify 20,000 current and former students and faculty that their personal information—including Social Security numbers—was on a laptop that was stolen on July 7, 2014, from a staffer's office.
  • In Texas, from Dec. 28, 2013, until June 20, 2014, the Houstonian Hotel Club & Spa’s payment processing systems were compromised when they were infected with malware. More than 10,000 customers had their payment card data exposed.
  • In April 2014, Park Hill School District in Missouri learned that before leaving the district an employee downloaded 10,210 current and former staffers’ and students’ personnel and student files that contained their personal information. The former employee made the files accessible to untold numbers on the Internet.
  • The Department of Managed Health Care (DMHC) discovered on May 16, 2014, that Blue Shield of California inadvertently made public the names, business addresses, business telephone numbers, medical groups, practice areas and Social Security numbers of about 18,000 doctors.

The list could go on and on, but you get the message. Data breaches can occur on any computer system, anywhere and any time.

So, who is ultimately responsible for data breaches? The company holding the data, because of its system’s vulnerability? Or the user/consumer, because we are responsible, through our passwords and PINs, for the security of all data we post? (If you read the privacy policies of the sites you use, the user is responsible.)

The answer is not an easy one. If your information was hacked through an entity’s online systems, your answer most likely would be the entity, and you might participate in a class action. At least two dozen federal class actions have been filed against Target, alleging it did not adequately protect customer privacy. A class action has been filed against P.F. Chang’s China Bistro for a security breach that involved, according to the complaint, 7 million customers’ credit and debit card payment data stolen from its restaurants’ systems between March and May 2014. (It has been reported that the breach came to light only when a batch of card data was alleged to be up for sale at Rescator, an underground store best-known for selling customer data stolen in the Target breach.)

But is it that simple, that the sole responsibility lies with the entity that was hacked? What about us, the consumers? Do we need to be part of the answer by accepting that we willingly create those passwords and PIN numbers and that we provide our personal and private information so we can shop on eBay (which just notified 145 million of us that a cyber attack may have compromised customers’ login information and other personal and private information) or pay bills online? Should it be our responsibility to understand that online systems, or the strips on the back of our credit and debit cards, that store the data we provide are moving targets (no pun intended) for theft?

Saying “yes” would be the first step in the right direction. Everyone, users and organizations alike, is vulnerable, so the responsibility to protect our information lies with us all. The second step is for each of us to do whatever we can to manage our vulnerability, such as:
  • Making sure our anti-virus software is current, to prevent scammers from installing viruses on our computers that allow hackers to steal our personal and financial information. When the popular online ticket marketplace StubHub suffered a data breach, the hackers did not break directly into StubHub’s system; instead, they stole account information directly from the customer by downloading viruses onto each customer’s personal computer, or by collecting the information from data breaches of other websites.
  • Monitoring our bank and credit card accounts every day. If you see charges or withdrawals you did not authorize, contact the bank or credit card company immediately. (The liability is still yours until you report that your information has been compromised.)
  • Making sure your homeowner’s or renter’s insurance policy covers losses because of fraud, because, even if a class action is settled, there may be strings attached to how you can collect your share. For example: Vendini, another company that offers ticketing services to theaters and event venues, settled a class action in 2014 about compromised data. The settlement requires Vendini to pay as much as $3,000 a customer for identity theft losses. But here is the catch—you have to prove that the information used to make you a victim of identity theft actually came from Vendini’s systems.

Here is the bottom line: The landscape on cybersecurity is shifting rapidly as data breaches are spiking. Congress, regulators and state attorneys general are taking a hard look at how companies, universities and governmental agencies are protecting consumer information from unauthorized access. Hearings have been held and new laws pushed. As a result, organizations are facing critical questions about what their responsibilities are to ensure consumers’ private and personal information is secure and in compliance with old as well as new laws.

But it is also imperative that you, the consumer, understand that you cannot depend on organizations to protect the information you provide to them. Rather, you need to take matters into your own hands and pose critical questions to yourself about how you use your own information online. You need to decide what information you are willing to turn over to be able to pay bills, make purchases or register for social media online. It is, after all, your information and your life. Think about it.

The information contained in this article is provided only as general information and may or may not reflect the most current developments, legal or otherwise, pertaining to the subject matter thereof. Accordingly, this information is not promised or guaranteed to be correct or complete and is not intended to create or constitute formation of an attorney-client relationship. The author expressly disclaims all liability in law or otherwise with respect to actions taken or not taken based on any or all of the content of this article.

Judith Delaney


Judith is the founder and chief new media compliance strategist for CMMR Group-TurnsonPoint, a new media compliance solutions firm located in Petaluma, Calif. CMMR Group-TurnsonPoint specializes in the integration of new media strategies with business strategies to effectively manage risk associated with online compliance (such as the HIPAA Omnibus Rule), global social media privacy and data protections and contract risk management.
