Companies have developed new ways to create, store, access, use and LOSE data. Indeed, since January 2005, the Privacy Rights Clearinghouse has reported that more than 1,000 data breaches have occurred, involving more than 220 million records. In reality, the number of actual data breaches is much higher, given that not all incidents are reported. Notably, however, in just the first quarter of 2008, 167 data breaches have been reported, involving 8.3 MM financial and consumer records. A data breach or loss can occur in a variety of ways:
- An executive loses a laptop;
- A hacker accesses a computer storage system; and
- A third party responsible for maintaining, transporting, or processing data is negligent in its handling.
As illustrated below, these breaches have left no industry untouched.
Best Buy’s $54 Million Lost Laptop
Articles and reports of privacy litigation have discussed the problems and damages awards that companies face when they are the victim of security breaches involving the disclosure of customer or employee personally identifying information (“PII”). Typically, these issues arise in the context of large-scale security breaches, such as the theft of the PII of 1.3 million Monster.com users in August 2007, or the loss of computer data tapes holding the PII of credit card users. However, a recent event involving Best Buy serves as a reminder that such security breach issues are not limited to large-scale breaches.
In May 2007 Raelyn Campbell left her malfunctioning one-year-old laptop at a Washington, D.C., metro area Best Buy for routine repairs under a service contract, but Best Buy never returned the laptop. For months, Ms. Campbell sought information regarding the whereabouts of her computer, and for months, Best Buy equivocated. Eventually, Best Buy confirmed what Ms. Campbell already suspected: that it had lost her computer.
With a corporation as big as Best Buy, which has over 1,150 stores in the United States, Puerto Rico, Canada and China, thefts are inevitable and equipment will occasionally be lost. Thus, at first blush, the loss of a single laptop may not seem like a big deal. However, when companies do not have a predetermined policy in place for responding to such incidents, they can unwittingly subject themselves to far more civil liability and negative publicity than one might expect.
On November 16, 2007, Ms. Campbell filed a lawsuit against Best Buy in Washington, D.C., Superior Court seeking $54 million in damages. In her complaint, Ms. Campbell alleges that Geeksquad (Best Buy’s computer service subsidiary) and Best Buy customer service employees created a false record of her computer within their system, and they lied about its repair status and location.
Ms. Campbell also alleges that, in losing her computer, Best Buy put her personal identification information at risk, as the computer contained information such as her social security number, driver’s license number and credit card information. Ms. Campbell additionally alleges that Best Buy compounded the problem by waiting months before advising her that the computer was missing, and that her personal information might be in the hands of others. More specifically, Ms. Campbell is alleging that Best Buy violated the Washington, D.C., Consumer Protection Procedures Act, D.C. Code § 28-3901 et seq., and the Washington, D.C., Consumer Personal Information Security Breach Notification Act, D.C. Code § 28-3801 et seq.
Best Buy’s actions as characterized by Ms. Campbell could constitute unlawful trade practices under the Consumer Protection Procedures Act if a court were to find that Best Buy
- made misrepresentations as to a material fact that had tendencies to mislead;
- failed to state material facts if such failure tended to mislead;
- falsely stated or represented that repairs, alterations, modifications, or servicing had been made and payment received for such, when they had not been made; or,
- represented that the subject of the transaction had been supplied in accordance with a previous representation, when it had not.
D.C. Code § 28-3904 (e), (f), (p), and (u).
Perhaps even more problematic for Best Buy are its alleged violations of the Consumer Personal Information Security Breach Notification Act, the stated purpose of which is to “ensure that consumers are notified when electronically-stored personal information is compromised in a way that increases the risk of identity theft, to create a private right of action for consumers harmed by a violation of the notification requirement, and to provide for enforcement by the Attorney General.” Because it is perfectly reasonable to assume that the type of personal information identified under the Act, such as social security numbers, driver’s license numbers or credit card information would be stored on a customer’s personal computer, there is a strong likelihood that the Act imposed upon Best Buy a duty to notify Ms. Campbell immediately upon discovering that her computer was missing.
Specifically, § 28-3852(b) requires that “[a]ny person or entity who maintains, handles, or otherwise possesses computerized or other electronic data that includes personal information that the person or entity does not own shall notify the owner or licensee of the information of any breach of the security of the system in the most expedient time possible following discovery.” D.C. Code § 28-3852(a).
Beyond the cost of defending such a suit and any adverse judgment for actual damages, the Act also authorizes a plaintiff to recover “the costs of the action and reasonable attorney’s fees.” D.C. Code § 28-3853(a).
While personal information security breach–related issues generally arise when large databases that are maintained by companies, containing the personal information of thousands of people, are compromised, this case demonstrates the need to be prepared even for a breach involving a single consumer. Had Best Buy had a predetermined policy in place in advance of this incident (or followed any pre-existing policy it may have had in place) it might have forestalled any potential liability. In fact, the Consumer Personal Information Security Breach Notification Act specifically protects a business that has such a policy in place:
a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this subchapter shall be deemed to be in compliance with the notification requirements of this section if the person or business provides notice, in accordance with its policies, reasonably calculated to give actual notice to persons to whom notice is otherwise required to be given under this subchapter.
D.C. Code § 28-3852(e).
In addition to protecting themselves by enacting a company policy on security breach notification procedures, retailers can also protect themselves by taking steps to lessen the likelihood of a security breach in the first instance.
Although it is unlikely Ms. Campbell will ever receive the $54 million she seeks, Best Buy has opened itself up to the possibility of a judgment that would be significant to most companies, not to mention damage to its reputation. Ms. Campbell has already appeared on the Today Show, and her story has been reported by numerous media outlets. This case thus highlights the need for companies handling sensitive personal information to maintain predetermined and up-to-date plans in the event of a security breach, and to remember that such plans should be followed even where only a single person’s personal identification information is at issue.
As illustrated above, all companies must take proactive steps to mitigate the likelihood of a privacy incident. Indeed, 42 States (and counting) have enacted data security breach notification laws, so if one occurs, your company must understand what constitutes a violation, at what point a notice of data security breach is required, and whether it must alert Federal, State or local authorities. Additionally, your company should strive to:
- Develop data security policies and response protocols in the event of a data security breach;
- Involve your company’s compliance, human resources, information security and legal teams in the development of your company’s data security policies and response protocols;
- Understand how data security notification laws will impact your response and guide your company’s policies;
- Develop a policy on employee blogging, which should minimize the risk of employees’ defaming fellow employees, divulging proprietary and confidential information, and violating other company policies;
- Identify patterns and activities that present “red flags” indicating possible identity theft;
- Respond appropriately and swiftly, should a “red flag” arise;
- Review agreements with vendors and third parties who maintain PII regarding your employees and customers; and
- Document steps taken to respond to a data security event, in order to demonstrate compliance with applicable laws and regulations.