You too, Seattle?
April 9, 2012 2 Comments
I recently blogged about California introducing stricter consumer PII protection laws, but I found another interesting case from outside California as well.
In Krottner v. Starbucks Corporation, the plaintiffs (ex-Starbucks employees) claimed that their PII (names, addresses, SS#) was stored unencrypted on a laptop that was stolen from Starbucks. They claim that Starbucks acted negligently and that their stolen PII, though it was not misused, caused them harm. What is interesting in this case is that the 9th U.S. Circuit Court of Appeals agreed with the plaintiffs that they do not need to show actual harm or even an imminent threat of harm. The court agreed that the potential risk from stolen PII can harm them in the future and allowed the case to go on. As a consumer I was excited to see that, of course, since I went through this multiple times in the past – credit card companies (multiple times), and once my mortgage company lost my valuable personal data, and in return all I got was a letter in the mail suggesting that I monitor my credit activity closely and watch for misuse. Huh? Since when does your losing my personal data become my issue? Why do I have to go through freezing my credit information with all the bureaus, which will cost me money? (For those who don't know what I am talking about, all 3 credit bureaus offer this service. You can freeze your credit history if you feel your sensitive information or identity has been stolen and could be misused. If you file a police report and prove identity fraud then it is free; otherwise they charge you every time you freeze and lift the freeze. I know it is a pain, but it is better than dealing with identity theft, trust me.)
This is evidence that more and more emphasis is being placed on liability for PII data, and not just for health care/medical organizations. Everyone who accesses sensitive data (such as PII and PCI) is liable for maintaining its secure access. Unless you take enough steps to safeguard your data, both at rest and in transit, you could be liable and/or non-compliant and end up in state and/or federal government crosshairs. I talked about how PII data is being classified as sensitive and how California is taking that to the next level by classifying (gulp…) ZIP codes as PII data. Check out my blog on that here.
It is becoming more and more expensive to deal with such potential breaches. Not only do corporations need to notify all their consumers about the breach, but they must also offer sufficient mechanisms to help them protect their data. Some states (such as Texas) are even suggesting (with a law expected to be introduced later in 2012) that every single customer be notified, not just the ones affected. This could cost companies lots of money, plus they could be fined for violations as well.
It is not just about validated cases any more; it is going to cost a lot more to defend, fix, and make it right to the consumers if you are careless about their information and/or lose it.
For more details on how your organization can safeguard against this, check out my blog about PII/PCI, data protection and how Intel can help you here.