NEW YORK, Aug 09, 2017 (BUSINESS WIRE) — Last week’s groundbreaking federal appeals court ruling dramatically changes the landscape of corporate responsibility when it comes to the digital and physical security of personal data, according to experts such as John Shegerian of ERI and Dr. Ross Federgreen of CSR.
A federal appeals court in Washington, D.C. last week ruled in Attias v. CareFirst that consumers may sue companies that fail to safeguard their personal data. EPIC filed an amicus brief in the case, in support of the consumers, arguing that if “companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches.” The appeals court agreed with EPIC that the lower court was wrong to dismiss the case, essentially setting a new precedent for future data breach litigation.
CareFirst disclosed in May 2015 that an “unauthorized intrusion” into a database dating back to June 2014 resulted in a breach affecting 1.1 million individuals. As is often the case in the wake of large data breaches, a class action lawsuit was filed on behalf of individuals whose data was impacted by the breach. However, a federal court judge ruled in 2016 that the plaintiffs had not shown incidents of harm or data misuse resulting from the security breach.
In simple terms, the appellate court ruled that the theft of PII, PHI or other confidential information created a risk of identity theft. This risk of identity theft by itself established harm and thus standing for the case to proceed.
“Every business in the US – large or small – is going to need to pay very close attention to the new playing field that has been created by this landmark ruling,” said John Shegerian, Founder and Executive Chairman of ERI, the nation’s leading recycler of electronic waste and the world’s largest IT asset disposition (ITAD) and cybersecurity-focused hardware destruction company. “We’re about to witness a paradigm shift in data privacy in both the digital and physical realm, and to what lengths businesses are responsible for it. To avoid being sued in what is sure to be a feeding frenzy of litigation over compromised data, the best thing businesses can do now is to make sure they perform their due diligence protecting the data of their constituent customers, vendors, and employees. Properly destroying hardware using a certified organization that permanently eliminates all digital data is crucial.”
Shegerian noted that ERI currently provides the only dually certified nationwide solution offering 100 percent guaranteed data destruction for consumer electronics devices, e-waste, and hardware.
“With the CareFirst ruling, 250 million Americans were just given permission to sue your business over a data breach, even if no harm such as identity theft or fraud has yet occurred,” said Dr. Ross Federgreen, CEO of CSR Professional Services, Inc. and a leading expert on data privacy. “The risk to any business from losing data, whether accidental or malicious, just went from bad to catastrophic. This court decision is a major step in establishing the right of consumers to bring actions for a data breach at any business or institution. Organizations large and small are going to be in court more often. It’s going to be financially painful. More companies are going to fail because of data breaches.”
Dr. Federgreen’s company, CSR, works with companies to facilitate best practices that reduce the business risk and financial liability associated with the acquisition, handling, storage, sharing and disposal of data.