Last week’s federal appeals court ruling in Attias v. CareFirst changes the landscape of corporate responsibility for the digital and physical security of personal data. The court held that the substantial risk of identity theft created by a breach is itself a cognizable injury, which gives affected consumers standing to sue even before any fraud or identity theft has actually occurred.
What does that mean for IT Asset Disposal projects? A simple overwrite (“wiping”) of a hard drive may no longer be a defensible form of data destruction on its own. NIST SP 800-88 Rev. 1 distinguishes three levels of media sanitization: Clear (overwriting with a pattern), Purge (techniques such as ATA Secure Erase, block erase or cryptographic erase that reach areas an overwrite cannot, which matters especially for SSDs) and Destroy (shredding, disintegration or incineration). It also expects the result to be verified, either by reading back every sector or a representative sample, and documented. Make sure you can prove your data destruction process is secure, verifiable and performed by a certified data destruction company. A key component of physical security is shredding hard drives. Read NIST SP 800-88 Rev. 1.
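The “verifiable” part of the paragraph above is the step most disposal programs skip. As an added example that is not part of the original article or any vendor’s tooling, the following script performs a NIST SP 800-88 style verification pass over a drive image: it reads back sector-aligned samples (always including the first and last sector, where partition tables and metadata live) or, with `full=True`, every sector, and reports the first byte that does not match the expected fill pattern. The device path, sector size and the 64 KiB sample image built by `demo()` are assumptions for illustration; on a real system you would point `verify_wipe` at the block device after the wipe and keep its output with the certificate of destruction.

```python
"""Added example (not from the original article): verify that a wiped drive or
image reads back as a uniform fill pattern, in the spirit of the verification
step in NIST SP 800-88 Rev. 1 (full or representative-sample read-back)."""
import os
import random
import tempfile

SECTOR = 512  # assumed logical block size; most drives still expose 512-byte sectors


def sample_offsets(size, samples, seed=0):
    """Sector-aligned offsets to read. Always includes the first and last sector
    (partition table, metadata) plus a seeded pseudo-random selection of the
    rest, so the same sample can be reproduced and logged for the audit record."""
    nsectors = max(1, (size + SECTOR - 1) // SECTOR)
    chosen = {0, nsectors - 1}
    rng = random.Random(seed)
    while len(chosen) < min(samples, nsectors):
        chosen.add(rng.randrange(nsectors))
    return sorted(o * SECTOR for o in chosen)


def verify_wipe(path, pattern=b"\x00", samples=1024, full=False, seed=0):
    """Check that `path` (a block device or image) reads back as `pattern` repeated.
    Returns (ok, first_bad_offset); first_bad_offset is None when the check passes."""
    with open(path, "rb") as f:
        # seek to the end rather than os.path.getsize(): getsize() reports 0 for
        # block devices on Linux, but lseek(SEEK_END) returns the real capacity
        f.seek(0, os.SEEK_END)
        size = f.tell()
        offsets = range(0, size, SECTOR) if full else sample_offsets(size, samples, seed)
        for off in offsets:
            f.seek(off)
            chunk = f.read(SECTOR)
            expected = (pattern * (SECTOR // len(pattern) + 1))[: len(chunk)]
            if chunk != expected:
                # report the exact byte that differs, not just the sector
                bad = next(i for i, (a, b) in enumerate(zip(chunk, expected)) if a != b)
                return False, off + bad
    return True, None


def demo():
    """Constructed sample: a 64 KiB 'drive' that was zero-filled, then has one
    leftover non-zero byte planted in its last sector. Returns the results of a
    full verification before the stray byte and a sampled one after it."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(b"\x00" * 65536)
        clean = verify_wipe(path, full=True)
        with open(path, "r+b") as f:
            f.seek(65536 - 100)  # lands in the last sector, which is always sampled
            f.write(b"\xAA")
        dirty = verify_wipe(path, samples=16)
    finally:
        os.remove(path)
    return clean, dirty


if __name__ == "__main__":
    print(demo())
```

A sampled pass is only as good as its coverage: the random sample proves the wipe was not skipped outright, but a single stray sector can slip through it, which is why SP 800-88 treats full read-back as the stronger option and why a verification log alone does not replace physical destruction for media leaving your control.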
A federal appeals court in Washington, D.C. last week ruled in Attias v. CareFirst that consumers may sue companies that fail to safeguard their personal data. EPIC filed an amicus brief in the case, in support of the consumers, arguing that if “companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches.”
CareFirst disclosed in May 2015 that an “unauthorized intrusion” into a database, dating back to June 2014, resulted in a breach affecting 1.1 million individuals. As is often the case in the wake of large data breaches, a class action lawsuit was filed on behalf of individuals whose data was affected. However, a federal district court judge dismissed the case in 2016, ruling that the plaintiffs had not shown actual harm or misuse of their data resulting from the security breach; the appeals court has now reversed that decision.
“Every business in the US – large or small – is going to need to pay very close attention to the new playing field that has been created by this landmark ruling,” said John Shegerian, Founder and Executive Chairman of ERI, the nation’s leading recycler of electronic waste and the world’s largest IT asset disposition (ITAD) and cybersecurity-focused hardware destruction company. “We’re about to witness a paradigm shift in data privacy in both the digital and physical realm, and to what lengths businesses are responsible for it. To avoid being sued in what is sure to be a feeding frenzy of litigation over compromised data, the best thing businesses can do now is to make sure they perform their due diligence protecting the data of their constituent customers, vendors, and employees. Properly destroying hardware using a certified organization that permanently eliminates all digital data is crucial.”
“With the CareFirst ruling, 250 million Americans were just given permission to sue your business over a data breach, even if no harm such as identity theft or fraud has yet occurred,” said Dr. Ross Federgreen, CEO of CSR Professional Services, Inc. and a leading expert on data privacy. “The risk to any business from losing data, whether accidental or malicious, just went from bad to catastrophic. This court decision is a major step in establishing the right of consumers to bring actions for a data breach at any business or institution. Organizations large and small are going to be in court more often. It’s going to be financially painful. More companies are going to fail because of data breaches.”