Tag Archives for "breach"
Information relevant to breaches.
By Michael Starks
Why do companies keep losing our personal information? That, of course, is the billion-dollar question. Theories abound, and while we all theorize about the causes, data is still being compromised at an alarming rate. Allow me to add to the theorizing, fully aware that this is going to sound a bit […]
By Adam Dodge
Lately, there has been a flurry of activity in the land of security breach reports, with organizations such as Debix, Verizon, the Identity Theft Resource Center and the Department of Justice all releasing reports looking at security breaches, breach notification laws and the state of information security in general. As someone who […]
A New York State Appellate Court has recently upheld a $365,000 jury award against a health care center that mistakenly disclosed information regarding a patient's medical information…. She gave instructions to Surgi-Center never to call her at home despite providing them with her home telephone number on questionnaire forms. A day after the procedure, a nurse called the number provided to inquire about her condition and to confirm that she had no subsequent medical complications…. In a 3-2 decision, the Court held that the plaintiff be awarded punitive damages for an unintentional breach of confidential medical information even if there was no malice or malicious behavior by the defendant. As a result, the 2nd Department of New York has expanded the scope of punitive damages to include unintentional medical disclosure regardless of whether the act was done in good faith…. Even though the medical center's actions were not malicious, intentional or done in bad faith, disclosing the plaintiff's medical information was grossly negligent and wanton behavior…. The Court here is clearly concerned with instances of wrongful medical disclosure and shows itself to be in sync with state and federal legislative efforts to protect confidential information. The opinion does not discuss violations of federal privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA)…. Court cases like this highlight the need for companies to enact strong compliance rules that clearly describe the conditions in which data can be disclosed.
Recently, state governments have begun to change this by imposing liability on the retail business and others, thereby opening the door for consumers to sue companies that do not adequately protect the personal information that they collect…. In the meantime, we're going to ignite our series of articles exploring these laws and developments by analyzing some recent events.

Minnesota PCI Legislation

Effective August 1st, 2007, Minnesota became the first state to require that all companies handling credit and debit card data comply with the Payment Card Industry (PCI) data security standard (in a future article or podcast, we'll explore and debate the value of tying the PCI standard to the legislation – Michael). The state's new Plastic Card Security Act would prohibit a company from retaining a credit card's security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data…. In Pisciotta v. Old Nat'l Bancorp, the court held that there was no state statute supporting the compensation of incurred costs because "had the Indiana legislature intended that a cause of action should be available against a database owner for failing to protect adequately personal information, we believe it would have made some more definite statement of that intent." So for the time being, unless you have an actual showing of harm as a victim of identity theft, potential harm will not suffice.

Consequences for the Courts

As more states begin to enact legislation that requires companies to comply with PCI, courts may begin to allow litigants to be compensated as a result of a security break. The argument that courts have made in cases like Pisciotta will clearly be much weaker as state legislatures conspicuously demonstrate their intent to punish companies by enacting specific statutes targeting the security of personal information….
Clearly, there is a way for the legislature of any state to write a statute that can pressure companies to improve their data security standards without crippling small business owners. While the retail industry will continue to resist such legislation, there is strong support from banks and credit unions, since in the eyes of consumers they are often blamed for such breaches…. Depending on how the case turns out, the burdens and cost of breaches will shift away from consumers, banks, and credit unions but will perhaps be shared by the retailers and others (of course, the consumer pays in the end).

Preparing for the change

As a consequence of new state and federal legislation, the landscape of data security will continue to evolve, sometimes in seemingly dramatic fashion…. Industries that have for now been able to get away with having minimum security standards will begin to take notice of their potential liability and, hopefully, will improve the way they guard information.