Recent lawsuits determine who is responsible for protecting private data during the IT disposition process. And it is not who you think.
Case Study One
A class action lawsuit against AvMed, a health plan company, stemming from a 2009 data breach was settled for $3 million. The settlement is significant because it awards payments to customers whose information was compromised but who were not identity theft victims.
According to preliminary settlement documents, AvMed will offer payments to 460,000 premium-paying individuals whose personal information was contained on two unencrypted laptops stolen from its corporate office in Gainesville, Florida. The laptops held information on paying members and their dependents, as well as on those who did not pay premiums during the timeframe specified in the settlement.
These individuals will receive $10 for each year they paid premiums prior to the theft, capped at $30. According to the settlement, this amount represents the share of premiums AvMed should have spent on data security measures.
The settlement indicates that customers have a legal basis to expect companies to allocate a reasonable share of revenue to data security as a cost of doing business. It involved a healthcare company, but it signals to companies across ALL industries that collect regulated data that the same reasoning can be applied to them.
Case Study Two
Another health-related company, Affinity Health Plan, returned leased copy machines whose hard drives still contained confidential data to the leasing company, assuming that the lessor was responsible for destroying the data. A firm contracted by CBS News determined that the copier hard drives contained private medical information. CBS News, not the leasing company, informed Affinity of the breach.
Affinity, not the leasing company, was held accountable for the breach and agreed to pay $1.2 million to settle a 2010 data breach in which nearly 350,000 people had their private information compromised.
HIPAA requires covered entities to follow specific policies and procedures for protecting electronic protected health information (ePHI). Although Affinity did not own the copiers, it was still responsible for safeguarding the ePHI it had placed on the copiers' hard drives.
The Role of Regulations
All companies, in healthcare and beyond, are responsible for following the regulations that dictate what data must be removed or destroyed from their IT assets, even when a lessor or other third party handles disposal. The asset may be the lessor's property, but the data on it is the lessee's responsibility to protect, which means the data must be wiped or the storage media destroyed before the asset leaves the lessee's control.
Despite media reports and settlements regarding breaches and data security regulations (both enacted and soon to be enacted), many companies remain largely unaware of their liability for protecting data when disposing of IT assets. Many companies also dispose of IT assets as cheaply as possible. Whether the cause is ignorance or cost-cutting, the result is a data breach waiting to happen, as it was for AvMed and Affinity.
Depending on the type of data collected and maintained, businesses must comply with regulations and industry standards that govern how they protect that information, such as HIPAA, HITECH, PCI DSS, FACTA, GLBA, NERC CIP, FISMA and Sarbanes-Oxley. Between them, these rules cover personally identifiable information (PII), protected health information (PHI), cardholder data and financial records.
Companies may or may not be aware of these regulations, especially given their complexity and continuous evolution. Rather than risk their data and pay exorbitant settlements, they turn to outside ITAD/ITAM companies for solutions. However, outside parties that handle a company's assets, like Affinity's leasing firm, are involved in many data breaches, and handing the asset to a third party does not transfer the liability for the data on it.
Costs of a Data Breach
There are direct, indirect and opportunity costs associated with a data breach. Direct costs involve the money spent to perform breach-related activities such as:
- Investigating the breach’s scope
- Identifying those whose confidential information was compromised
- Organizing a response team and public relations plan
- Creating and delivering breach notifications
- Implementing a customer service team with specialized training
- Retaining legal counsel
Indirect costs account for the internal time, effort and other resources spent handling the breach. Opportunity costs, which are the hardest to quantify, account for the customers and revenue lost as a result of the breach and the damage to the organization's reputation once the breach is publicly announced.
Avoiding Data Breaches
Avoiding costly breaches requires partnering with a highly certified, reputable IT asset disposal and management firm that will customize its processes to your business and industry. The value of a trusted partner cannot be overstated, especially for companies in heavily regulated areas, which typically face higher breach-associated costs.
IT asset disposition should not be trusted to the lowest-cost provider who does not strictly adhere to certified practices in data security and responsible recycling. Look for NAID, R2/RIOS™ and ISO® 14001:2004 certifications and for membership in industry organizations such as IAITAM and NAID. Verified certifications, key industry memberships and tailored solutions help ensure that your IT assets and data are managed in a way that protects your customers' confidential and regulated data as well as the environment.
A Wise Investment
Depending on the circumstances of the breach, penalties and fines are assessed for not following regulation-specific protocol, and any resulting legal settlements come on top of those fines. As the AvMed and Affinity cases show, the cost of a data breach can easily reach the multi-million dollar level. The cost of safely, ethically, securely and legally disposing of IT assets is pennies on the dollar in comparison.
Given the threat and cost of data breaches today, breach prevention must become a priority for organizations from top management down. Choosing an ITAD partner should be done early, at the very beginning of the IT asset lifecycle, rather than left to chance at disposition. Otherwise, the consequences of poorly executed procedures can run into the millions in terms of cost and reputation.