By Michelle Johnston, CIPM, CIPP/US – Compliance Privacy Officer at CSR Privacy Solutions, Inc.
Voices are getting louder, and they are coming from privacy advocacy groups, state legislators and the courts. Turning down the volume and not listening is no longer a financially feasible option. Accepting the risk of doing business instead of complying with increased compliance regulations results in financial loss, material loss, fines, voided contracts, loss of future business opportunities, loss of a good business reputation and involvement in lawsuits that can last for years.
How much of your budget is allotted for legal fees?
Imagine your company’s computer database was accessed by an unauthorized party who had an undetermined amount of time to snoop through your database and steal all your customers’ sensitive and confidential personal information. The malicious actor then demands a hefty ransom from you to get your data back; you refuse to pay. You are notified by a non-affiliated third party that your customers’ information is for sale on the “dark web”! You do the right thing and report the incident to the appropriate authorities and notify all your affected customers of the incident – warning them to be vigilant and monitor their credit reports and bank accounts for any suspicious activities. But, in the end, you get served with a class action lawsuit! With all that is at risk, in a state where the courts favour Article III Standing (Fed. R. Civ. P. 12(b)(1)) and you have notified individuals of the breach – you make the decision to defend your case in court (or courts).
This scenario may sound far-fetched, but it is a true story (minus some juicy and intriguing plots). A Georgia-based business suffered a data breach. Victims of the data breach filed a class action lawsuit which was dismissed by the Trial Court and the Georgia Court of Appeals. Hold off on the congratulatory handshaking; maybe even start with the hand-wringing. Georgia’s Supreme Court ruled in favour of the data breach victims by reversing the decisions of the Georgia Court of Appeals and the trial court to grant the defendants’ motion to dismiss the plaintiffs’ negligence claims. “Judgment reversed in part, vacated in part, and case remanded. All the Justices concur.”
The Georgia Supreme Court concluded that the victims’ Article III legal standing (the ability of a party to demonstrate to the court sufficient connection to and harm from the law or action challenged) was not at issue. Instead, “the injury the plaintiffs allege that they have suffered is legally cognizable.” In other words, the plaintiffs’ damages are clearly identifiable. The Georgia Supreme Court found that the facts in this case support the allegations of large-scale criminal activity and that the plaintiffs’ personal information was not just exposed, it was actively stolen by a hacker.
Not only is your company’s business reputation at stake – you now must worry about legal expenses. Litigating a case in state courts can be costly – litigating appeals and eventually ending up in the state’s Supreme Court is even costlier. Litigating a case in multiple courts translates into retaining multiple lawyers who are licensed and experienced to litigate in the higher courts. More than just your business reputation is at stake – for small businesses it means financial ruin – bankruptcy. More legal fees!
What if the organization (that is the subject of this nightmarish story) practiced risk awareness? What if they utilized risk evaluation tools? The moral of the story could be “risk avoidance”.
CSR Privacy Solutions, Inc. offers a bundle of data privacy compliance tools such as:
CSR-V3, an automated vendor privacy risk reduction tool that documents vendor management, verification and validation due diligence.
CSR Readiness® Pro is an award-winning bundle of privacy solutions used by businesses to mitigate the risk of data breach and consequences related to non-compliance associated with the handling of legally protected personal information.
CSR Readiness delivers a PROACTIVE solution, enabling small to medium size businesses (SMB) to assess their data protections and system safeguards and presenting them with suggested improvements for areas the program identifies as deficient. Companies may still suffer a data breach – when this happens, CSR’s Breach Reporting Service™ is the REACTIVE solution that provides privacy reporting for the SMB community.
CSR Privacy Solutions, Inc. is literally privacy made simple, is cost sensitive and focused on risk awareness, evaluation and avoidance.
 Collins et al. v. Athens Orthopedic Clinic, P.A., S19G0007, December 23, 2019.