As data breach incidents have become more prevalent, it is important to note what such an incident could actually mean for a company that stores and maintains (or shares) the personally identifiable information (“PII”) of its consumers. Generally speaking, the sources of these legal risks can be broken down into three categories: federal law, state law, and common law.
Depending on the industry, many organizations in the United States are regulated by various federal agencies. The Health Insurance Portability and Accountability Act (“HIPAA”) and the Gramm-Leach-Bliley Act (“GLBA”) are two notable statutes governing the health and financial industries, respectively. While neither provides a private cause of action for individuals whose PII has been accessed by an unauthorized party, the agencies that enforce these two statutes may impose significant civil fines on regulated entities for failure to follow rules concerning the protection of PII, as well as criminal penalties on individuals who have wrongfully obtained information. Although criminal penalties are rare, civil fines have been as high as millions of dollars.
In addition, most states have their own separate data breach notification statutes. Most states impose fines for failure to provide the notice of a breach incident that the statute requires. While many of these statutes track the federal language, some states impose more stringent notice requirements and safeguards rules and may assess a fine for each incident of non-compliance. Finally, consumers have traditional causes of action under theories of negligence or breach of contract. Given the relative bargaining positions of the parties, the governing contracts likely limit the damages arising out of the breach; however, after a showing of negligence on the part of the organization for failure to protect the consumer’s PII, the complaining consumer may be entitled to present evidence of actual damages as well as seek punitive damages.
With such significant legal risks at stake, as well as the potential negative impact on corporate branding and consumer confidence, organizations should take the necessary and required measures to safeguard consumers’ PII.