Data Losses May Spark Lawsuits

Corporations could be sued over data breaches if security measures don't improve.

From the nation's largest financial services institutions to the local YMCA, legal and privacy experts maintain that organizations that inadvertently or secretly expose their customers' data will increasingly face legal action.

On June 6, the Department of Veterans Affairs was hit with two class action lawsuits related to the theft of an employee's laptop computer. The laptop, whose theft was reported in late May, held the information of 26.5 million current and former servicemen.

According to legal experts, most companies are not yet operating under the same type of rigorous data protection statutes that the federal government requires of its branches. That means individuals affected by such data losses at corporate enterprises lack the options available to those who seek legal recourse against a federal government branch.

But the legal tide may turn, and technology managers will be on the front lines securing information to keep their companies out of the courtroom.

"It's very important to enforce our existing privacy laws and bring these types of cases because the government and the private sector seem to be doing such a poor job of safeguarding people's information," said Marc Rotenberg, executive director of the Electronic Privacy Information Center, in Washington.

In some cases, including the Ohio attorney general's pending suit against retailer DSW, plaintiffs will push companies to spell out all the gory details of their customer data mishandlings. In other cases, such as a recently filed class action suit brought by California consumers against a Los Angeles used-car company, Drive Time, plaintiffs will seek financial remuneration against companies that deal customer data to others without first getting permission to do so.

In cases such as these, and in many other scenarios, companies will be held more accountable under the law, experts said.

Rotenberg, a lawyer and law professor at Georgetown University, said that although the Federal Privacy Act—passed by Congress in 1974—may need to be updated to address new technologies and electronic data uses, the legislation should serve as a sufficient basis for legal claims as more consumers look for payback.

Other lawyers agree. Ray Everett-Church, an attorney and chief privacy officer at Philadelphia-based consultancy ePrivacy Group, said the Federal Trade Commission's fining of ChoicePoint, a consumer data aggregator found guilty of selling the information of 163,000 Americans to fraudsters, paves the way for future legal action. The FTC fined ChoicePoint $15 million in January for failing to better protect consumer data.

Most experts agree that one of the linchpins enabling future litigation will be the passage of stronger data privacy laws by both state and federal governments. Missteps of high-profile companies including Bank of America, Fidelity Investments and LexisNexis will drive even more stringent data protection requirements than the Federal Privacy Act, they said.

For example, many states have moved to pass laws requiring that companies contact consumers directly when they have done something to put those people's data at risk. One such law already enacted in California led to the original reports of ChoicePoint's information breach, an event seen as a catalyst behind much of the attention being given to consumer privacy.

Such regulations will also drive companies to do a better job handling customer data, said David McGuire, director of communications for the Center for Democracy and Technology, also in Washington.

"We need a national privacy regulation put in place that lays out the groundwork for companies when they collect this sort of data, and we're currently seeing efforts in Congress to that end," McGuire said. "In addition to setting a base line for how people will be able to protect themselves, this legislation will force companies to work to better understand their role in protecting data upfront, rather than after they make a mistake."

Despite those efforts, however, tougher laws may not inspire every organization to get its act together, said Douglas Rosinski, plaintiffs' attorney in one of the two cases being brought against the VA. The group represented by Rosinski, who works for the law firm of Ogletree, Deakins, Nash, Smoak & Stewart, of Columbia, S.C., is demanding financial damages for individuals affected by the data loss, along with enforcement of stricter guidelines.

Senior Writer Wayne Rash contributed to this story.