By STEVE TUCKEY, who has written on insurance issues for a decade for several national media outlets
The most recent case involved the security breach announced by Heartland Payment Systems Inc. in January. The breach, considered to be one of the largest ever disclosed, has already impacted an estimated 500 financial institutions.
Five financial institutions filed a lawsuit in federal district court in New Jersey in February, seeking to recover damages from the security breach. It remains way too early to tell just how any software manufacturer connected to the breach will fare in any verdict or possible settlement. But it remains one example of the privacy breach liability threats faced today.
Class-action suits in similar cases have not fared too well over the years. The massive breach disclosed by TJX companies in 2007 also lead to many such suits. But attempts at getting a federal district judge in Boston to grant class-action status to such plaintiffs failed.
Such class suits on behalf of consumers have not fared too much better, if the dismissal of one such suit in a federal court in Minnesota against a company that had a laptop stolen is any example. The individual plaintiff, acting on behalf 550,000 consumers, claimed that the Brazos Education Service Corp. was negligent when it failed to encrypt the data.
Jim Cochran, president of Dallas-based TechInsurance brokers, said that, while such breaches may make a great splash in the headlines, oftentimes no real financial damage ends up inflicted on the thousands of consumers purportedly put at risk.
"For example, there is not a high volume of people stealing this information and making airline ticket purchases. Sometimes it can just be a guy who left his laptop in the backseat of his car and someone just stole it and sold it for $25 and had no idea what was in it," he said.
While the courts may not have offered much solace, the Federal Trade Commission has stepped into the breach with enforcement actions against companies that fail to implement reasonable security measures. Such actions have led to settlement agreements and concessions, according to attorney Joel Hanson writing in the University of Washington law school journal.
"It should be noted that while businesses that fail to implement appropriate security precautions have generally not been held liable in private lawsuits, the law is developing and there has been some success in private lawsuits," Hanson wrote.
April 15, 2009
Copyright 2009© LRP Publications