IT consultants are subject to a variety of state laws. Your legal responsibilities change from state to state, and each new court ruling – such as the one that just occurred in California – can instantly alter your cyber liabilities.
JDSupra reports that a California court recently ruled that the California Medical Information Act, a data breach law, can't penalize healthcare businesses after a data breach if the data has not been viewed.
This ruling has obvious implications for CA-based IT professionals, but let's look at it from the larger, national perspective to understand how IT liabilities change with each new law.
Stolen Computers Can Lead to Data Breach Liabilities
Sutter Health was targeted in a $4 billion lawsuit after a desktop computer was stolen from its facilities. State laws typically define a data breach as the loss of confidential information. This includes the physical theft of…
- Flash drives.
- Other devices that house sensitive data.
Because private medical data was stored on the desktop computer, the plaintiffs sought billions of dollars in damages. The data was password protected, but not encrypted. This lax security violates CA law. However, the court ruled that because there was no evidence that the data had actually been accessed, the plaintiffs couldn't seek damages.
In some ways, this ruling is good news for IT consultants. For once, the court ruled to protect you from lawsuits. However, it points to a pattern of courts making confusing or contradictory IT rulings, which can leave tech contractors unsure of their risks.
What Are IT Professionals Liable For? It Changes Case by Case.
If you think that the courts are moving to protect IT professionals, you'll be disappointed. As we covered in our article, "How Florida's New Data Breach Law Could Cost Tech Businesses," FL courts recently ruled that consumers whose data was stolen can sue even if they were not the victim of identity theft.
In other words, Florida courts have moved aggressively to protect consumers, while California has opted to protect medical IT professionals. These seemingly opposing laws highlight three problems that every IT professional faces:
- IT professionals have clients in multiple states. If you're coding for a client in Florida, you're under one set of rules. If you work on a medical billing system in California, a completely different law protects you.
- Data breach laws are ambiguous. After reading about the California ruling, you were probably wondering, "How does the court know if the data had been accessed?" Apparently, there was no evidence that criminals were able to access the data. However, many data breaches aren't clear-cut. In fact, simply moving data from a secure location behind a firewall to a non-secure location can expose it.
- There are no federal data breach laws. In the midst of the fallout from the Target data breach, Congress was considering three federal data breach laws. But that was back in February, and little to no progress has been made since. In all likelihood, IT professionals will have to continue to deal with a patchwork of conflicting state laws that determine their liability. (For more on federal data breach laws, check out "Why IT Contractors Shouldn't Hold Their Breath for Universal Data Breach Legislation.")
The Challenge for IT Consultants: Protect Your Business from Myriad Liabilities
The biggest takeaway from this new ruling should be that IT laws change every day. Your cyber liability varies drastically depending on where you work, the kind of data breach, and your client's industry.
Fortunately, IT consultants only need one type of insurance to shield them from the cost of a data breach lawsuit. Errors and Omissions Insurance pays for your legal expenses and damages you owe a client after a data breach occurs on their network.
To protect your business from data breach lawsuits in every state, submit an online insurance application, and our IT insurance agents can send free insurance quotes to your inbox.