The Ramifications of Data Breaches: What’s Your Liability?
It’s a common misconception that, when it comes to IT equipment, the liability associated with its embedded media and data is transferred along with the title to the equipment. In reality, liability remains with the original owner of the data for the life of the data, even when that data is no longer in your control. Liability is integrated with the data! So, if a customer, vendor, or patient is harmed through the misuse of their data, your company remains liable.
When you sell equipment or transfer it to an asset disposition provider, they take possession, not liability, even after transfer of title has occurred. Your specific liability depends on your role in the company, on whether you are in a regulated industry (e.g., healthcare, financial institutions, companies that handle credit card information), and on how you handle the management, storage, and disposal of the media.
Liability arising from breaches of data security is a growing legal trend: lawsuits are filed against companies when data that is considered proprietary, or that is classified as personally identifiable information, is made public.
The liability is generally dictated by a legal theory of damages known as the “Learned Hand Formula for Damages.”
This legal liability model dictates that:
- If the cost of protecting the data was less than the potential damage from its loss multiplied by the probability of that loss occurring,
- then the party that was negligent in its duty to protect the data is liable for damages.
Here are some basic figures* for a data breach:
- $1,000 per record: The average cost in a medical data breach.
- 25,000 records per incident: The average number of records stolen.
- $1.5 million per breach event: Damages to the company, assuming liability.
*These figures only account for money paid in damages and do not include legal fees, time lost, reputation damage, and other factors.
Depending on your industry, the laws that govern how off-network devices are managed could include:
- HIPAA – Healthcare
- Sarbanes-Oxley – Financial services
- EPA regulations – Environmental regulations
- Federal Communications Commission regulations – Broadcast providers, phone service providers
- PCI regulations – Credit card data
- FDA (21 CFR Part 11) – Pharmaceuticals
- Gramm-Leach-Bliley – Banking
- PII – Personally identifiable information
No matter what industry you’re in, you need to understand which laws govern how off-network devices are managed and your potential risk for liability. To learn more, download our white paper: Legal & Security Risks in Management and Disposal of Off-Network Technology.
About Brass Valley
Brass Valley is an IT Asset Lifecycle Service provider and industry leader in client protection practices. We work with clients and industries such as financial services, healthcare, and the Fortune 1000 where protection of sensitive information is a high priority.