Last May, I wrote a post about a class action lawsuit against Sony in the wake of its April 2011 security breach. I noted the timing of the suit. Lawyers filed the suit only nine or ten days after the breach.
Recently, I read about a security breach lawsuit involving a break-in at Sutter Health. Someone broke into administrative offices and stole a computer containing sensitive medical records with unencrypted personally identifiable information. Sutter Health apparently announced the breach on November 16, 2011 and sent out breach notification letters that day. ABC News reported the breach on November 16 as well.
That same day, lawyers filed the first of at least a dozen class actions against Sutter Health. The first case was Javier R. Garcia v. Sutter Medical Foundation, No. RG 11604927, filed November 16, 2011 in the Alameda County Superior Court in Oakland, California. Since the suit was filed the same day, it appears to be a “zero day” security breach lawsuit.[1]
According to a Sutter Health court filing, the lawsuits largely allege the same types of claims. I was able to find a copy of one of the complaints, Karen Pardieck v. Sutter Health, No. 34-2011-00114396, filed November 21, 2011 in the Sacramento County Superior Court.
The Pardieck complaint alleges two causes of action. First, it seeks statutory damages for violations of California’s Confidentiality of Medical Information Act. The complaint seeks $1000 in statutory damages per class member. The second cause of action alleges a violation of California’s breach notification law, Civil Code Section 1798.82, and seeks an order requiring Sutter Health to disclose in more detail the types of information stolen and to provide more detail in breach notifications arising from any future breaches.
Here is what I found interesting about the Pardieck complaint. First, the complaint did not allege causes of action seen in other security breach cases, such as negligence and unfair trade practices. In that sense, the lawyers may have left out viable claims that could have helped them. Second, the lawyers did not seek any damages under the second claim, the one under California’s breach notification law. They sought only injunctive relief. Perhaps they thought that damages would be too hard to prove, and that the statutory damages sought in the first cause of action would make it unnecessary to prove actual damages. Nonetheless, they could have included a claim for damages in the hope of establishing actual damages through investigation and discovery.
Finally, it is worth noting that in seeking $1000 in statutory damages per affected patient, the lawyers are seeking a huge sum. The complaint alleges 944,000 affected patients. 944,000 patients times $1000 per patient totals $944 million—almost a billion dollars. The upshot here is that the statutory damages make the potential value of the case huge, even though any likely settlement is going to be some fraction of that number.
What are the lessons learned from the Sutter Health cases? First, it serves as a reminder that physical security is as important as network security. The Sutter Health breach occurred because of a physical break-in to its administrative offices. Companies need to pay as much attention to physical security as they do to logical security.
Second, the breach should make companies rethink the idea that they have no need to encrypt sensitive information if it resides on computers that never leave the office. Apparently, the stolen information was on a desktop computer. Sutter Health may have thought that it had no need to encrypt the information on it because, unlike laptops and other mobile devices, employees never left the office with it. Since offices are vulnerable to physical break-ins, however, information on a desktop is not immune to outsider threats even if the machine is never connected to a network. Moreover, there are always insiders who could gain unauthorized access to information on desktops.
Finally, if Sutter Health had encrypted the information (with a standard algorithm and sufficiently long keys), it would have had no obligation or need to make any breach notifications or announcements, because Section 1798.82 reaches only unencrypted personal information. Since the suits were apparently triggered by the company's announcements or breach notifications, encryption would have prevented the suits. One caveat for anyone relying on that safe harbor: encryption only helps if the key does not leave with the machine. Full disk encryption that unlocks at boot without a user credential, or a key stored in a file on the same disk, leaves a thief with everything needed to read the data. Moreover, the final price tag for the failure to encrypt will be high indeed. Even if Sutter Health prevails in these suits, the defense costs alone will be very large. Since almost a billion dollars are at issue, Sutter Health may have to spend in the millions to defend all of these suits. Compared to the cost of full disk encryption, the cost of this security breach will be high indeed.
Stephen Wu
Partner, Cooke Kobrick & Wu LLP
[1] It is true, however, that the breach occurred in October 2011, so the lawyers did not file suit on the day of the breach or even within nine days of the breach. The lawyers suing Sony were faster in that sense. Following the Sutter Health breach, the lawyers may have received news about the incident before Sutter Health’s announcement. Nonetheless, it is very fast to go from a public announcement to a class action complaint filing in a single day.