As a business owner, you’re obligated to protect your employees’ and customers’ personal information. That responsibility just got bigger. A recent circuit court ruling makes it more likely for your business to be sued if personal information is lost, stolen or compromised. In this blog, we discuss the specifics of the ruling and its impact on your business.

CareFirst Data Breach

CareFirst, a healthcare insurance provider based in Maryland, experienced a cyberattack in 2014 which resulted in the breach of 1.1 million customer records. Like many breached organizations, CareFirst offered the affected individuals free credit monitoring and identity theft protection for a period of two years. A class action lawsuit was later filed on behalf of the victims. The lawsuit contended that CareFirst’s negligence substantially heightened the affected victims risk to identity theft.

In 2017, after a U.S. District Court judge decided that the plaintiffs failed to prove how they had suffered harm from the breach and dismissed the claim, a U.S. Court of Appeals overturned the District Court’s ruling. The Court of Appeals judges ruled that the CareFirst members’ risk of future injury was sufficient to allow the class action lawsuit to proceed.

As a result, in January 2018, CareFirst asked the U.S. Supreme Court to review the case, arguing that if the decision made by the Court of Appeals was allowed to stand, companies can be sued for breaches of customer information “even if the plaintiff suffered no harm whatsoever.” However, the Supreme Court refused to hear CareFirst’s case, allowing the U.S. Court of Appeals ruling to stand.

Implications for Your Business

The implications of the CareFirst ruling have a broad impact on businesses across the United States. Data owners who have their information breached can now sue businesses or institutions without having to prove actual loss or damage.

What does this mean for your business? It means that it’s never been more important to protect the information you collect from your clients and employees. Create a strategy that ensures secure storage and final disposition of hard copy paper documents and electronic media. Partner with a records and information management provider who can provide a turnkey solution for protecting your data throughout state-and federally-mandated retention periods. Make a plan for adhering to breach reporting and consumer notification rules and regulations. Use a breach reporting service that offers the following benefits:

• Incident response planning
• Customer breach notification per legal mandates
• Ongoing monitoring

The CareFirst court ruling is a wake-up call for big and small businesses, and you can use it as an opportunity to refine your data protection strategy.

DeVries Business Services proudly serves businesses in Spokane, Eastern Washington and Northern Idaho. To learn more about our records and data services, please contact us by phone or complete the form on this page.