A game changer that has been years in the making

March 18, 2014

By Bob Johnson, NAID CEO

My first reaction was, “WOW!” My second reaction was, “It’s about time.” My third reaction was, “This is going to change everything.”

I am talking about the news that a judge in Florida just awarded $3 million to plaintiffs in a class action suit stemming from a data breach after a laptop containing confidential patient information was stolen. Keep in mind, lawsuits stemming from data breaches are not new. I remember hearing about them as far back as the mid-1990s. Those lawsuits were universally dismissed because plaintiffs failed to show damages, until now.

Of course, those of us calling for justice and stronger penalties for privacy violations decried these dismissals. We pointed to the fact that the “damage” was caused when the individual was put at risk, not, as the courts had ruled, when they could prove financial loss. We argued that a requirement to prove financial loss tied directly to a specific data breach was a threshold that could never be met. In fact, the Florida case had been dismissed twice on those grounds prior to this ruling in the appeals court.

That is why today’s announcement is so earth-shattering. It is the first time an award was made in the absence of direct damages. The court ruled that the breach itself constituted the necessary damages to be worthy of a $3 million award. Curiously, the settlement was approved by the district courts on Feb. 28, but was only recently made public.

Of course, we, students of secure data destruction, are not the only ones taking note. There is an army of class-action litigators paying close attention. To date, there was little motivation for them to pursue data breach cases. That changed with this announcement. Although we now only pay attention to the mega-breaches like Target’s, such breaches constantly happen across the country. There are thousands per year. With the Florida precedent established, each one of those thousands of cases will be attracting lawyers to represent victims. I suspect there are scores of such law firms planning to specialize in this type of suit.

Ultimately, this means that a data breach just got exponentially more expensive. It means the cost is so high that data controllers will have to find a way to avoid breaches or be sued out of business. It also means that service provider liability will increase. Sorry, but we have to take the good with the bad. The importance of service provider qualifications, regulatory compliance, written policies, employee training, contract language and indemnification just ratcheted up another notch or two. Personally, I think this is great news for reputable service providers who are ready for the intensity this adds to the issue of data destruction, and risky times for those who are not ready.