According to New Jersey Law Journal, a court just threw out a lawsuit against a health insurer that was sued after suffering a data breach that involved more than 800,000 records. Here's what happened:
- Two laptops were stolen from Horizon Blue Cross Blue Shield's office in New Jersey.
- 839,000 records were exposed, making affected customers vulnerable to identity theft.
- A few customers filed lawsuits and sought class action status so the lawsuit could represent the entire group of 839,000 members.
Why did the court throw out the suit? In this case, it found no evidence that the stolen laptops had led to or were likely to lead to identity theft or other breach-related damages. Let's examine why this could be good news for IT consultants.
What Does This Data Breach Lawsuit Mean for Your Tech Business?
Each state has different laws and precedents for data breaches (see our state data breach law resource), meaning these decisions are usually case-by-case and state-by-state. It would be a mistake to apply the ruling in the New Jersey lawsuit to a data breach case in a California court. It's not that simple.
In "$3 Million Settlement Paves the Way for Non-Identity-Theft Data Breach Awards," we reported on a Florida data breach where another health insurer was forced to pay damages even though there wasn't evidence that its customers would be victims of identity theft. That ruling is pretty much the opposite of what happened in New Jersey.
Why do these rulings vary so much? Circumstances may mean that a judge or jury is more likely to rule in a particular way. For instance, the NJ case may have been thrown out because…
- The security breach involved stolen laptops, not a cyber attack or failure of IT.
- The thieves who stole these laptops may have had no intention of using the stolen data maliciously.
- Despite the high number of affected parties – 839,000 – none had been victims of identity theft.
Whatever the reason, this ruling may not apply to businesses that have had their data stolen electronically or when there's a greater risk of identity theft.
Shocking No One, Data Breaches Are Still Expensive
Now that we've had the good news, let's look at the bad news. The highlighted data breach occurred in November 2013, and the subsequent lawsuit dismissal was in March 2015. Why is that significant?
The entire ordeal has been dragged out over 17 months. All the while, the health insurer has been accumulating legal bills and headaches as it struggles to repair its reputation and resolve the issue.
That's the unfortunate reality of data breaches: the issues and costs can linger for years. Even though the health insurer won this case, it has still paid dearly for the breach.
Data Breach Prevention and Preparation with E&O Insurance
If you learn anything from this lawsuit, it should be that data breach liability is still far from clear. You can be sued over a data breach, fight the lawsuit for a year, and win the case. But for a different breach, you could end up paying millions in damages. So much depends on the circumstances of the breach and state laws.
The unpredictable nature of these liabilities is one of the reasons that IT professionals sign up for Errors and Omissions Insurance (aka Professional Liability Insurance), which may help cover the particular liability that IT professionals have with a data breach.
Because clients can sue you if the IT you provide is involved in a breach or fails to prevent one, E&O's third-party Cyber Liability coverage may pay for your legal costs and expenses when a client is hacked.
Even as states pass new laws and court rulings continually change, E&O may offer some financial protection against data breach lawsuits.