AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

Data Breach Lawsuit: AvMed Laptop Breach Lawsuit To Proceed

AvMed, the health insurer that saw two laptops stolen from its offices in 2009, and subsequently revised the number of affected people from 210,000 to 1.2 million, has received some bad news from the 11th Court of Appeals: the court has overturned a lower court's decision and allowed a lawsuit against the firm to proceed. It's the ongoing saga of a company that didn't quite live up to standards when it comes to protecting sensitive data on mobile devices.

Ruling: Cognizable Harm Present

With 1.2 million people affected, it shouldn't come as a surprise that someone "out there" decided to sue AvMed.  Of course, AvMed argued that the lawsuit didn't have any merit.  The courts originally agreed, noting the lack of a "cognizable injury": Essentially, the accusers couldn't prove that they were directly harmed by the AvMed data breach incident, as is usually the case when one's going after a firm that's suffered a data breach.

Indeed, I had pointed out (as a non-lawyer) that one of the lawsuits had a novel approach to the situation.  Instead of going through the usual exercise of suing the company for losing clients' information -- and getting the suit tossed for a lack of cognizable injury -- plaintiffs accused the insurer of "misleading them":

....plaintiffs are saying that AvMed engaged in "misleading advertising" because the insurer claimed that they followed HIPAA when in fact it didn't: the evidence lies in the fact that (a) encryption was not used and (b) the laptops were stolen from a conference room accessible by anyone--including people who shouldn't have access to unencrypted PHI.

This is an interesting approach.  Prior to reading the suit's details, I was going to remark that there haven't been any successful lawsuits mounted against companies since you have to prove harm, that your data stolen from company A was used to perpetrate a crime.

This particular approach appears to have failed, seeing how, according to businessinsurance.com, the "court [of Appeals] upheld dismissal of charges of entitlement to relief under Florida law for the claims of negligence per se and breach of the implied covenant of good faith and fair dealing."

The same court, however, noted that:

"Plaintiffs allege that they have become victims of identity theft and have suffered monetary damages as a result. This constitutes an injury in fact under the law."

The ruling also said that despite the length of time between the laptops' theft and the identity thefts, it is plausible the two events were connected. Plaintiffs "have sufficiently alleged a nexus between the data theft and the identity theft and therefore meet the federal pleading standards," said the ruling.

More specifically, two of the plaintiffs have alleged harm due to AvMed's carelessness when it comes to mobile data protection:

  • Ms. Juana Curry, whose information was used 10 months after the incident to open a Bank of America account and credit cards (which were then used).
  • Mr. William Moore, whose information was used 14 months after the incident to open an E-Trade account that was overdrawn.

The plaintiffs will still have to show that their financial injuries can be tied back to the AvMed data breach, of course.  And while I personally wonder whether this will be possible -- there are numerous data breaches in any given year, made public and not -- that is something to be established in the courts.  The fact that it appears nearly impossible to prove certainly isn't a valid reason for tossing out a case without its due day in court.

Proper Data Security at Root of Problem

The situation has been unfolding for the past three years or so. While it does take time for cases to wend their way through the judicial system, three years seems like a long time (which, as an aside, is why you want to prevent something like this from happening in the first place).

And, as we can see from the case being taken to a higher court, the plaintiffs are dead set on seeing things until the end.  Why so serious?

The answer may lie in what AvMed did.  Or, rather, what it didn't do.

  • It left the laptop in a conference room which was easily accessible by anyone.
  • The laptop in question was not properly encrypted despite the sensitive data it stored.

If you store and use sensitive data, encryption software is a must.  And if you as a company are embracing the BYOD trend, then the use of tablet encryption and smartphone encryption is a must, as well as the use of other data security tools like mobile device management (MDM) solutions.


Related Articles and Sites:
http://www.businessinsurance.com/article/20120906/NEWS07/120909936#full_story (free but registration needed)
http://www.phiprivacy.net/?p=10150

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.