From Lost to Liable
When we think about data breaches, what comes to mind first are the big-box retailers, online stores, and chain restaurants that perform thousands of point-of-sales transactions daily and weekly. We then might think of the three large credit bureaus or multi-national banking institutions that have gripped the headlines in recent news. When it comes to trends in data breaches, size matters - but it’s not the biggest that are to blame. An alarming number of data breaches are now caused by small, lost electronic devices. And bad actors are developing new and improved ways to access your information in the palms of their hands.
Embedded data. Retail, hospitality, and amusement industries earn their profits by welcoming their guests and invitees. If you manage this type of establishment, it is likely that a lost device or two have caused – or at very least, could have caused – a data breach in passing through your company’s property. While it is true that most mobile devices lock out after a number of unsuccessful attempts at logging in, today’s hackers no longer need to know your mother’s maiden name or your cats birthday to do serious damage. It is a common misconception that simply deleting data means that it’s gone. It is also a common misconception that taking a sledgehammer to a laptop destroys the hard drive.
What business owners need to know is that embedded data or meta data is more hidden and is often overlooked when assessing a security risk posed by a particular device. In other words, every device – servers, computers, smartphones, tablets, etc. – may have sensitive, hidden company or customer information stored on them in places not easily accessible to the user. The information that creates the most liability includes employee/customer addresses, Social Security Numbers, driver’s license numbers, receipts, W-9 forms, and health plan or access records. And today’s devices are extremely resilient from physical destruction. Data can often be retrieved from smart phones and tablets that have been burned, crushed, or submerged in water.
Deep pockets. A data breach can often have devastating consequences, including millions of dollars in financial penalties, as well as damage to reputation with customers, clients, and the public. A savvy corporate plaintiff’s attorney will look to impute liability upon all possible wrongdoers, especially ones with the deepest pockets if a lawsuit gets filed.
This could be you: companies can be held liable for the total cost of a breach if their customers identity was stolen because their lost electronic device was not disposed of properly. Imagine this example. A company executive spends the night at a large hotel chain and leaves his smart phone in his room. The hotel cleaning staff returns the phone to the front desk manager who negligently keeps the phone at his desk. An unsavory local walks through the lobby, eyes the phone, and deftly places it in his pocket. He then spends the evening downloading customer data, trade secrets, and financial reports. The phone belonged to a Fortune 500 executive. Months later, as the data breach becomes public knowledge, computer specialists trace the source to the lost iPhone. Corporate counsel considers its options. Attempts to locate the hacker and his cyber gang have gone cold. The large hotel chain is served with a lawsuit alleging negligence and demanding money and punitive damages in the millions.
Preventative planning. This story may sound dire, and the risk is real. But it is nearly 100% preventable. Organizations must take pro-active steps toward preparing for data breaches in today’s fast-paced-tech-everything society. Solutions are available.
911 Cell Phone Bank has developed a disposal and data removal process that sets the industry standard. We use a combination of manufacturers and industry software tools to ensure that each device, whether cell phone, smartphone, tablet or laptop, memory card, or camera has been completely data-sanitized and data has been deleted. In addition, we check for data erasure at least three times during processing.
Your security is our primary goal. Please contact us and let’s develop a program along with your legal counsel to ensure your liability is minimized when it comes handling lost handheld and mobile devices.
Kristina Kiik is a Commercial Litigation attorney in Richardson Texas. Before opening her own practice, Kristina was a senior judicial law clerk to the Honorable W. Royal Ferguson, Jr., in the U.S. District Court for the Northern District of Texas. Her unique experience as a lawyer, judicial law clerk, and the youngest presidential elector in U.S. history, enables her to provide outstanding research, writing, briefs, articles, and opinion pieces. www.kiik-law.com - firstname.lastname@example.org