From the nation’s largest financial services institutions to the local YMCA, legal and privacy experts maintain that organizations that inadvertently or secretly expose their customers’ data will increasingly face legal action.
On June 6, the Department of Veterans Affairs was hit with two class action lawsuits related to the theft of an employee’s laptop computer. The laptop, whose theft was reported in late May, held the information of 26.5 million current and former servicemen. The veterans behind the suit are seeking $1,000 for each person whose information was stolen.
According to legal experts, most companies are not yet operating under the same type of rigorous data protection statutes that the federal government requires of its branches. That means individuals affected by such data losses at corporate enterprises lack the options available to those who seek legal recourse against a federal government branch.
But the legal tide may turn, and technology managers will be on the front lines securing information to keep their companies out of the courtroom.
“It’s very important to enforce our existing privacy laws and bring these types of cases because the government and the private sector seem to be doing such a poor job of safeguarding people’s information,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center, in Washington. “Enforcement of the Federal Privacy Act is critical to protecting individuals, and we will see more lawsuits.”
In some cases, including the Ohio attorney general’s pending suit against retailer Designer Shoe Warehouse, plaintiffs will push companies to spell out all the gory details of their customer data mishandlings. In other cases, such as a recently filed class action suit brought by California consumers against a Los Angeles used-car company, Drive Time, plaintiffs will seek financial remuneration against companies that deal customer data to others without first getting permission to do so.
In cases such as these, and in many other scenarios, companies will be held more accountable under the law, experts said.
Rotenberg, a lawyer and law professor at Georgetown University, said that although the Federal Privacy Act—passed by Congress in 1974—may need to be updated to address new technologies and electronic data uses, the legislation should serve as a sufficient basis for legal claims as more consumers look for payback.
Other lawyers agree. Ray Everett-Church, an attorney and chief privacy officer at Philadelphia-based consultancy ePrivacy Group, said the Federal Trade Commission’s fining of ChoicePoint, a consumer data aggregator found guilty of selling the information of 163,000 Americans to fraudsters, paves the way for future legal action. The FTC fined ChoicePoint $15 million in January for failing to better protect consumer data.
“It’s completely appropriate for those who are harmed by this sort of activity to hold someone accountable, and, in our system, sometimes the only way to get to the bottom of an issue this big is via lawsuit,” said Everett-Church in Oakland, Calif. “Consumers want answers, and counsels will see this as a business opportunity; I’d expect to see more of these types of suits against private companies soon—brought by private citizens, law enforcement and the government.”
Most experts agree that one of the linchpins enabling future litigation will be the passage of stronger data privacy laws by both state and federal governments. While the Federal Privacy Act is sufficient for launching cases, the current attention being given to the missteps of high-profile companies including Bank of America, Fidelity Investments and LexisNexis will drive even more stringent data protection requirements, they said.
For example, many states have moved to pass laws requiring that companies contact any consumers directly when they have done something to put those people’s data at risk. One such law already enacted in California led to the original reports of ChoicePoint’s information breach, an event seen as a catalyst behind much of the attention being given to consumer privacy.
Such regulations will also drive companies to do a better job handling customer data, said David McGuire, director of communications for the Center for Democracy and Technology, also in Washington.
“We need a national privacy regulation put in place that lays out the groundwork for companies when they collect this sort of data, and we’re currently seeing efforts in Congress to that end,” McGuire said. “In addition to setting a base line for how people will be able to protect themselves, this legislation will force companies to work to better understand their role in protecting data upfront, rather than after they make a mistake.”
Despite those efforts, however, tougher laws may not inspire every organization to get its act together, said Douglas Rosinski, plaintiffs’ attorney in one of the two cases being brought against the VA. The group represented by Rosinski, who works for the law firm of Ogletree, Deakins, Nash, Smoak & Stewart, of Columbia, S.C., is demanding financial damages for individuals affected by the data loss, along with enforcement of stricter guidelines.
According to information in the complaint, the VA employee whose laptop was stolen had been taking the personal information home routinely for at least three years despite organizational policies that forbid it.
“Even though the federal government has been after the VA to do something about this for years, it’s clear they felt they could thumb their noses at the existing regulations,” said Rosinski. “This wasn’t an issue of ignorance; it was an issue of people who refused to improve data security policies even when told to do so.”
eWeek Senior Writer Wayne Rash contributed to this story.