Data Losses May Spur Lawsuits

Corporations may be sued over data breaches if security measures don't improve.

From the nations largest financial services institutions to the local YMCA, legal and privacy experts maintain that organizations that inadvertently or secretly expose their customers data will increasingly face legal action.

On June 6, the Department of Veterans Affairs was hit with two class action lawsuits related to the theft of an employees laptop computer. The theft, reported in late May, held the information of 26.5 million current and former servicemen. The veterans behind the suit are seeking $1,000 for each person whose information was stolen.

/zimages/1/28571.gifLarry Dignan claims the VA case could provide a "eureka moment." Read why here.

According to legal experts, most companies are not yet operating under the same type of rigorous data protection statutes that the federal government requires of its branches. That means individuals affected by such data losses at corporate enterprises lack the options available to those who seek legal recourse against a federal government branch.

But the legal tide may turn, and technology managers will be on the front lines securing information to keep their companies out of the courtroom.

"Its very important to enforce our existing privacy laws and bring these types of cases because the government and the private sector seem to be doing such a poor job of safeguarding peoples information," said Marc Rotenberg, executive director of the Electronic Privacy Information Center, in Washington. "Enforcement of the Federal Privacy Act is critical to protecting individuals, and we will see more lawsuits."

In some cases, including the Ohio attorney generals pending suit against retailer Designer Shoe Warehouse, plaintiffs will push companies to spell out all the gory details of their customer data mishandlings. In other cases, such as a recently filed class action suit brought by California consumers against a Los Angeles used-car company, Drive Time, plaintiffs will seek financial remuneration against companies that deal customer data to others without first getting permission to do so.

In cases such as these, and in many other scenarios, companies will be held more accountable under the law, experts said.

Rotenberg, a lawyer and law professor at Georgetown University, said that although the Federal Privacy Act—passed by Congress in 1974—may need to be updated to address new technologies and electronic data uses, the legislation should serve as a sufficient basis for legal claims as more consumers look for payback.

Other lawyers agree. Ray Everett-Church, an attorney and chief privacy officer at Philadelphia-based consultancy ePrivacy Group, said the Federal Trade Commissions fining of ChoicePoint, a consumer data aggregator found guilty of selling the information of 163,000 Americans to fraudsters, paves the way for future legal action. The FTC fined ChoicePoint $15 million in January for failing to better protect consumer data.

/zimages/1/28571.gifChoicePoints data breach fine sets a record. Click here to read more.

"Its completely appropriate for those who are harmed by this sort of activity to hold someone accountable, and, in our system, sometimes the only way to get to the bottom of an issue this big is via lawsuit," said Everett-Church in Oakland, Calif. "Consumers want answers, and counsels will see this as a business opportunity; Id expect to see more of these types of suits against private companies soon—brought by private citizens, law enforcement and the government."

Most experts agree that one of the linchpins enabling future litigation will be the passage of stronger data privacy laws by both state and federal governments. While the Federal Privacy Act is sufficient for launching cases, the current attention being given to the missteps of high-profile companies including Bank of America, Fidelity Investments and LexisNexis will drive even more stringent data protection requirements, they said.

For example, many states have moved to pass laws requiring that companies contact any consumers directly when they have done something to put those peoples data at risk. One such law already enacted in California led to the original reports of ChoicePoints information breach, an event seen as a catalyst behind much of the attention being given to consumer privacy.

Next Page: Regulations drive better data handling.