Feb 23, 2015 02:58 PM
Legal Login
with Mindi Giftos
Data security: Congress and courts step into the breach
In early February 2015, Anthem Blue Cross and Blue Shield (f/n/a WellPoint Inc.), one of the nation’s largest health insurance companies, announced that a cyber-attack, possibly originating from China, exposed substantial personal data of 80 million customers, including Social Security numbers, home and email addresses, telephone numbers, medical identification numbers and income data.
Within a week, reports surfaced that cyber criminals were exploiting the breach to try to trick Anthem’s customers into disclosing even more personal information, including credit card information. A consumer in California has already sued Anthem in a class action (Morris v. Anthem Inc., 15-cv-00196, U.S. Dist. Ct., C.D. Cal.). This is only the latest in a series of data breaches that led Sen. Richard Blumenthal (D-Conn.) to label 2014 the “Year of the Data Breach.”
President Obama’s first legislative proposal for 2015 is a bill entitled Getting It Right on Data Breach and Notification Legislation in the 114th Congress (Data Breach Bill), which received a hearing on Feb. 5. Currently, data breaches are largely governed by a patchwork of state laws that create compliance complexities for businesses.
Wisconsin, for example, has a data breach notification law, Wis. Stat. Ann. § 134.98. Most state laws require consumer notification, but three states actually have laws holding businesses and governmental entities responsible to financial institutions for certain costs that those institutions incur from credit card information breaches. Groups like the National Retail Federation, the Direct Marketing Association, and the Information Technologies Industry & Council support national legislation that would preempt the state laws. A key provision of the Data Breach Bill is a requirement that businesses notify customers within 30 days of discovering the breach.
Even before these latest massive breaches, several state attorneys general and the Federal Trade Commission, under their consumer protection authority, prosecuted businesses for lax data-security practices. Private plaintiffs in the form of consumers and financial institutions that issue credit cards have sued retailers like Target under a variety of theories, including negligence for failing to properly secure customer data.
The Bureau of Justice Statistics recently found that direct and indirect financial losses from identity theft totaled $24.7 billion. Currently, the cost of credit card fraud from such data breaches is borne disproportionally by the financial institutions issuing the credit cards, because they have to cover the cost of any fraud on customer accounts resulting from the data breach and must absorb new card-issuance fees. Target sought dismissal of a lawsuit brought by financial institutions trying to recover their costs, but in December 2014, a federal district court in Minnesota permitted the case to proceed.