A doctor’s office in West Bloomfield, Michigan recently experienced a data security breach involving patient health records. According to the West Bloomfield Beacon, which originally reported on this incident, the data breach occurred on January 7, 2011 when a laptop containing medical records was stolen out of the office. No information was provided as to how many patients may be affected, how many health records were stored on the laptop, or whether the records were protected in any manner, i.e., encrypted or password protected.
This incident is certainly not an isolated instance, as data security breaches repeatedly litter the headlines. And while there are a number of criminal statutes available to organizations that are victims of a data breach (see the summary of Michigan’s Amended Data Breach Law), this type of data breach highlights three important issues facing businesses and consumers.
The Costs of Data Breaches to Businesses
First, a data breach is a risk that every business – regardless of size – must prepare for. But companies – regardless of size – do not always have the resources to adequately prevent or prepare for such a contingency. Failing to properly prepare against a data breach, however, is increasingly no longer an option. Consider that the cost of a data breach increased in 2009 to $204 per compromised customer record, with the average total cost of a data breach rising from $6.65 million in 2008 to $6.75 million in 2009, according to the Ponemon Institute’s annual study. This cost includes lost business because of the security breach incident, legal fees, disclosure expenses related to customer contact and public response, consulting help, and remediation expenses such as technology and training.
Business Best Practices and Data Breaches
So for any business, but especially small and medium businesses (SMBs), a data breach can be analogized to a nuclear event: You can get things right 98% of the time, but failure in the remaining two percent can have catastrophic consequences. But rather than raise the white flag and surrender to the fringe future possibilities, there are meaningful best practices to apply to present certainties, even for business organizations with limited resources. Take, for example, the January 7 West Bloomfield breach: it was reported that the breach is believed to have occurred because a laptop was left unattended in an area where there was an issue with the entryway not locking. Further, there was no surveillance in this area. This data breach appears to be consistent with a common theme in most data breaches in that the root cause can be traced back to human error – not technology. Further, there are many low-cost or even free, open source software security solutions to protect data, which is another important brick businesses should add to their wall of data protection.
Data Breaches and Individuals
Second, consumers whose personal information may have been stolen are often disappointed and frustrated to learn there may be little recourse or otherwise unsatisfying remedies available to them. A recent court opinion out of the Ninth Circuit Court of Appeals (this circuit includes California, Washington, Oregon, and other Western states) highlights this point. In that case, the Court concluded that the threat of identity theft arising from stolen personal information about current and former Starbucks employees contained on a company laptop computer was enough of an injury to establish the plaintiffs’ standing to sue the company in federal court.
But this victory was essentially rendered meaningless because the Court went on to conclude that — consistent with many other courts deciding security breach notification cases — the plaintiffs had not pleaded and could not prove that Starbucks’ actions caused them any cognizable harm under state tort or contract law. Specifically, even if the plaintiffs’ allegations were true, they would not support a claim under state tort or contract law because “[t]he mere danger of future harm, unaccompanied by present damage,” is insufficient to support a negligence claim.
Turning back to the January 7 West Bloomfield breach, potential victims would likely have an even more challenging legal standard to meet. This is because the Sixth Circuit (the circuit that includes Michigan) has concluded that an even higher burden than that applied in the Starbucks decision must be met to state a claim arising out of a data breach of personally identifiable information.
Business organizations must consider the costs associated with a data breach, which certainly include attorneys’ fees, litigation, and credit monitoring costs. And these costs are likely to continue to rise. Additionally, these costs do not factor in the damage to your business’s reputation, loss of customer confidence, and loss of productivity due to allocating staff and resources to responding and potentially defending against litigation. For these reasons, the potential for incurring such costs should create a strong incentive to mitigate the potential risk of a security breach by proactively implementing safeguards for employee data now. In this regard, we would welcome the opportunity to listen to your current situation and discuss whether our insight and experience with data security laws would prove to be beneficial to your organization.