While much of the industry anxiously anticipates the impact of legislation such as HIPAA, GLBA, the Patriot Act and the upcoming Homeland Defense initiatives, some of the legal cases that caught our eye in 2002--cases that weren't based on these much anticipated regulations--will set the stage for upcoming litigation in 2003:
• Ziff Davis Media and the New York State Attorney General: Late in 2001 subscriber information (including credit card numbers) was lifted from one of Ziff Davis' magazine promotion sites. NYS AG Eliot Spitzer's office took notice of the data theft and found ZD's privacy policy and ZD's interpretation of "reasonable security controls" inadequate. ZD and Spitzer came to an agreement in August 2002 that resulted in $100,000 in state fines, $500 per credit card lost (payable to the victims), and a detailed agreement outlining security control requirements (see www.oag.state.ny.us/press/2002/aug/aug28a_02.html).
• Eli Lilly and the infamous Prozac e-mail: On July 25, 2002, NYS AG Spitzer announced a multistate agreement with Eli Lilly for an incident in 2001 wherein the pharmaceutical manufacturer inadvertently revealed approximately 670 Prozac subscribers' e-mail addresses. The agreement outlined security measures that Eli Lilly must take, along with $160,000 in fines. The mistake was reportedly caused by an e-mail program that failed to place e-mail recipient names in the bcc: field, as opposed to the cc: field (see www.oag.state.ny.us/press/2002/jul/jul25c_02.html).
• The SEC and e-mail preservation: On December 3, 2002, the SEC fined five firms--Deutsche Bank Securities, Goldman Sachs, Morgan Stanley, Salomon Smith Barney and U.S. Bancorp Piper Jaffray--$8.25 million ($1.65 million each, not counting legal fees and bad PR) for violating record-keeping requirements in regard to preserving e-mail communications (see www.sec.gov/news/press/2002-173.htm).
• Identity theft goes prime-cyber-time: On May 12, 2002, news broke that 15,000 consumer credit records that had been lifted from Experian's systems, ostensibly by Ford Motor Credit Co., and sold for $60 each. The records were used for identify-theft purposes. It was later reported that, of those 15,000 accounts, only 400 were Ford customers, making a further case for tighter controls in regard to third-party access restrictions to confidential data. This is just one of hundreds of such cases the FBI is still investigating (see CNN.com for more).
Bottom line: The legal momentum is clearly building, and regulatory actions will only turn up the heat. If organizations continue to operate with negligent controls and damages occur, lawsuits, tangible dollar losses, negative publicity and reduced customer confidence will certainly result. The stakes will rise this year.
RSS
