Recent breaches raise specter of liability risks

Computerworld - Organizations that fail to show due diligence in protecting their data assets face a real risk of legal problems in the not-too-distant future, analysts said.
The renewed caution comes in the wake of reports this week that hackers broke into a California state personnel database and gained access to financial and confidential information on all 265,000 state government employees, including that of Gov. Gray Davis.
Incidents like this one and the recent theft of more than 13,000 confidential records from Costa Mesa, Calif.-based Experian, a major credit reporting agency (see story), are shining the spotlight more brightly than ever on liability issues for companies doing business over the Internet, warned Michael Rasmussen, an analyst at Giga Information Group Inc. in Cambridge, Mass.
"The whole issue has gotten to a scale where companies face a real risk of legal liability," he said. "There are going to be landmark cases where people are going to be suing other people. That is what is finally going to get the attention of companies."
In the California incident, a hacker broke into a database housed at the state's Stephen P. Teale Data Center in Rancho Cordova and accessed names, Social Security numbers and payroll information of state employees ranging from office workers to judges.
The break-in occurred April 5 and was discovered by the state controller's office May 7. But it wasn't disclosed to the public until May 24. The handling of the incident has provoked criticism from the California Union of Safety Employees (CAUSE), which criticized state controller Kathleen Connell for the delay in informing victims that their personal information had been compromised.
"It is an outrage that the controller herself has been negligent in recognizing the peril posed by this high-tech invasion of privacy," CAUSE President Alan Barcelona said in a statement.
Legal ramifications
Connell's office refuted the criticism and said it had acted swiftly in asking the Sacramento Valley Hi-Tech Crime Task Force to conduct a criminal investigation.
"It is the Teale Data Center and not the state controller's office that is solely responsible for the security breach, and that agency has accepted full responsibility," Connell's office said in a statement.
Incidents such as these show why companies need to ensure they are following best practices around security, said Rick Fleming, a vice president at Digital Defense Inc., a San Antonio-based security consultancy. "It won't take too many more cases of folks enduring identity theft or financial hardship for somebody to start suing," he warned.