Be Aware: Court Ruling Allows Circumstantial Evidence In Court Case Against Company That Experienced Privacy Breach

So many times…actually almost every time…a privacy breach occurs the company that experienced the breach makes a public statement similar to, “We have no evidence that the personal information has been used fraudulently” or “We do not believe the information stolen will be used for identity theft.”
Why do companies so often make this statement? Because their lawyers know that it will be hard, if fraud and crime occurs using the compromised personally identifiable information (PII), to directly tie the breach to such fraud crimes.

Corporate lawyers have told me that they consider this lack of direct evidence to be their “get out of jail free” card with regard to accountability for bad things happening as a result of the breach.
Well, that card may be losing just a bit of its power.
The U.S. Court of Appeals for the Ninth Circuit ruled November 20 that a plaintiff whose PII was stolen from Tri-West Health Care Alliance Corporation, and later became an identity theft victim, may proceed with a lawsuit against the company, because it is reasonable considering the facts of the case that the burglary may have resulted in his identity theft incidents.
This week’s BNA Privacy and Security Report (a subscription site) provided a copy of a judgment from the U.S. Ninth Circuit Court ruling that circumstantial evidence was enough to prove harm from a data breach and that a lawsuit against Tri-West Health Care Alliance Corp, where the breach occurred, can continue.
Here are the highlights:
* On December 14, 2002, computer servers containing hard drives with un-encrypted personal information, including names, addresses, and social security numbers on over half a million military retirees, were stolen from Tri-West Health Care Alliance Corporation headquarters in Arizona.
* In 2003, three plaintiffs filed a complaint on behalf of themselves and other unnamed “John Doe” plaintiffs against Tri-West.
* The plaintiffs alleged negligence, a violation of Arizona Consumer Fraud Act, and the U.S. federal Privacy Act.
* In 2003, the U.S. District Court for the District of Arizona removed the class action “John Doe” plaintiffs from the case and dismissed all but the negligence, state consumer fraud act, and Privacy Act claims.
* In 2004 the U.S. District Court for the District of Arizona dismissed all but the plaintiff’s negligence claim against Tri-West.
* In September 2005, the U.S. District Court for the District of Arizona granted summary judgment to the defendant on the remaining negligence claim.
– The trial court ruled two of the plaintiffs who had not experienced known identity theft activities could not demonstrate damages to support a claim, and that “enhanced future risk of injury cannot form the basis for a negligence action.”
– The remaining plaintiff, who had experienced at least six known and documented identity theft attempts using his PII within 6 weeks after the data breach, was allowed to take his case further.
* The U.S. District Court for the District of Arizona then ruled the remaining plaintiff’s “evidence that the burglary [at Tri-West] preceded the incidents of identity fraud does not allow a reasonable jury to infer that the burglary caused the incidents of identity fraud.”
* However, the three plaintiffs appealed to the Ninth Circuit in 2005.
* On November 20, 2007 the Ninth Circuit agreed that an increased risk of ID theft could not support a negligence claim for two of the plaintiffs who did not experience known identity thefts, however, the court ruled there *COULD* be a logical inference made that the PII stolen from Tri-West likely led to the subsequent identity theft incidents. The Ninth Circuit court ruled there did not need to be direct, hard evidence because it “is a matter of common knowledge from which a jury could reasonably draw inferences regarding its probative value in establishing causation.”
* What was considered in this case was that the plaintiff experiencing the identity theft incidents after the Tri-West attempts presented evidence to the court showing that he did not use the Internet to transmit PII and that he shredded all mail containing PII, which eliminated other possible ways the criminals could have obtained the PII used to open the new credit accounts in the plaintiff’s name.
* Based upon these facts, the Ninth Circuit appeals court ruled that the plaintiff should be allowed to present evidence to a jury to attempt to prove that harm was proximately caused by the breach of his PII.
Why should organizations take note of this?
This shows a change in the trends related to privacy breach aftermath.
* The courts are starting to accept circumstantial evidence, based upon chronology of events following a privacy breach, to hold organizations accountable for bad things happening following a privacy breach.
* The public is being more proactive to maintain documentation and provide evidence to demonstrate the likelihood that bad things that happen to them, such as criminal activities, identity theft, and so on, was a result of a privacy breach.
* Organizations can no longer state “lack of evidence for a direct link” to bad things happening as an air-tight defense.
* The punitive damages that could be awarded for such negligence rulings could be very substantial; much larger than the actual costs of just paying for a year or two of credit monitoring.
As the public becomes more and more savvy to collecting and maintaining documentation related to their PII, maintaining chronology and activities records and logs, organizations will become more susceptible to lawsuits and resulting fines and penalties that go beyond the de rigueur credit watch report costs.
Information security, privacy and IT professionals, this is all the more reason for your business leaders to support you to have strong security programs in place, as well as effective and tested privacy breach response plans.

Tags: , , , , , , , , , , , , , , , ,

Leave a Reply